From: Seth Mitchell (Smitchellmeagher.com)
Date: Fri Jun 07 2002 - 16:03:46 CDT

    Edward,

    The behavior you described, where the user received an auto-reply from
    someone she never sent mail to, is more likely a result of a third party's
    computer being infected with the Klez virus, than it is spam relaying. Klez
    is known to falsify sender information. Sender information is totally
    arbitrary - it has little to do with the actual source of the message.

    See...
    http://www.sophos.com/virusinfo/articles/klezh2.html

    So, your user's name is in some infected computer address book, it gets used
    as the FROM, and your user gets the auto-reply. Annoying to no end... And
    forget trying to explain these abstract concepts to the users. Ugh!

    IMHO, anyone running an Exchange server should configure SMTP as noted under
    the 'A Better Option' section of this document:
    http://info.connect.com.au/docs/exchange/relay.html

    That will prevent your server from being used to send mail to anywhere but
    your domain.

    To the user with the WatchGuard firewall:

    If we're talking about a WG model 700 or better, consider using the
    SMTP-Proxy service. You can set it to stop relaying by setting the
    Allowed-to: on the incoming properties to *yourcommercialdomain.com

    Next, how on [insert your choice of omnipotent being]'s green earth are they
    getting at your accounts (i.e., what kind of allowed traffic are you
    seeing)? Are you allowing SMB through to any internal hosts? If so, I'd
    recommend stopping that immediately. You may as well not run a firewall, if
    you're going to allow MS traffic through.

    -Seth Mitchell

    smitchellmeagher.com

    -----Original Message-----
    From: Edward Cheong [mailto:ed.cheongoahucomputers.com]
    Sent: Friday, June 07, 2002 3:04 PM
    To: focus-mssecurityfocus.com
    Subject: Re: MS Exchange Server 5.5/ NT User Name Harvesting ?

    In-Reply-To: <20020607163318.12672.qmailmail.securityfocus.com>

    Hi,

    I am experiencing the same problem. How did you determine that the
    attackers are trying to use your Exchange server as a spam relay? What
    signs do you look for (our user has received auto-response replies from a
    person she has never sent mail to, but who apparently received a spam
    message from our user)? Could spam be relayed from our mail server using a
    particular user as the sender? What other ways are there to find out
    information about the users (other than with the Watchguard firewall)?

    Thank you very much

    >
    >Hello,
    >
    >I work for a small company with about 100 computers on our network. Our
    >lone server is running on NT with all the latest hotfixes, service packs,
    >etc. Our mail server is MS Exchange 5.5, also with all the latest
    >hotfixes and service packs installed. Due to budgetary constraints
    >upgrading to newer software is not an option here.
    >
    >The problem we're having is that every time one of our employees keeps
    >his/her computer logged on overnight, crackers are able to harvest the
    >username and they then proceed to run cracking attempts on it all night.
    >
    >From the security logs it looks like they are trying to use our mail
    >server as a spam relay. The only thing that's really stopping them is we
    >have all user accounts locked out from 5pm-7am. But we really don't know
    >what's going on during business hours.
    >
    >We have a Watchguard firewall up and running and it's provided us with a
    >lot of information, including the cracker's IP addresses, but we would
    >really like to know how to stop them from harvesting our usernames.
    >
    >The usernames are not guessable; the only common thread that all the
    >usernames the crackers have harvested have is the fact that the employee
    >left his/her computer on all night and logged into the network.
    >
    >Any suggestions would be most appreciated.
    >
    >Thanks
    >
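Seth's point that the From: line says nothing about where a message really came from is what the Received: chain is for, and it also answers Edward's question of how to tell a forged sender from actual relaying through your own server. The Python below is an added example, not from this thread: given the full headers of a message that claims one of your addresses (as a forwarded copy or a quoting auto-reply would show them), it reports whether the message was forged elsewhere, relayed through your server, or submitted from inside. The domain, host name and address range are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical site details: the Exchange host and the address space behind it.
OUR_DOMAIN = "ourcompany.example"
OUR_HOSTS = {"mail.ourcompany.example"}
OUR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# One Received: header is one hop: "from <helo> (<rdns> [<ip>]) by <host> ..."
HOP_RE = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)

def hops(raw):
    """Return (connecting_ip, receiving_host) per Received: header, newest first.
    Only hops written by hosts you trust are reliable; a sender can forge every
    Received: line that sits below the first one a trusted relay added."""
    out = []
    for h in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(h)
        if m:
            out.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return out

def classify(raw):
    """Explain how a message claiming a From: address in OUR_DOMAIN got out."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    if not addr.lower().endswith("@" + OUR_DOMAIN):
        return "not-our-sender"
    for idx, (ip, host) in enumerate(hops(raw)):
        if host not in OUR_HOSTS:
            continue
        if any(ip in net for net in OUR_NETS):
            return "submitted-internally"   # a real local sender (or a compromised box)
        if idx == 0:
            continue                        # newest hop: our server merely received it
        return "relayed-through-us"         # we accepted outside mail and passed it on
    return "forged-elsewhere"               # Klez-style: our name, never our server

# Constructed sample headers (RFC 5737 documentation addresses, not real traffic).
FORGED = """\
Received: from oemcomputer (dsl-77.isp.example [198.51.100.77])
    by mx.partner.example with SMTP; Fri, 07 Jun 2002 14:59:58 -0500
From: "Jane User" <jane.user@ourcompany.example>
"""
RELAYED = """\
Received: from mail.ourcompany.example ([203.0.113.25])
    by mx.partner.example with SMTP; Fri, 07 Jun 2002 15:00:10 -0500
Received: from oemcomputer (dsl-77.isp.example [198.51.100.77])
    by mail.ourcompany.example with SMTP; Fri, 07 Jun 2002 14:59:58 -0500
From: "Jane User" <jane.user@ourcompany.example>
"""
```

Only the Received: line your own server wrote is trustworthy; the lines beneath it are whatever the connecting host chose to send, so treat the earliest hop as a claim, not a fact.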