Other possibilities:

- The DL name is an obvious one that someone would guess (e.g. all@, sales@, hr@).
- The DL includes an external recipient and someone sent to the DL with it in the To or From field of a message.
- The address was created through a dictionary-generated spam mailing.
- Someone in your org knows how to help you lose 30 lbs in 30 days.
--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.
Software pick of the month (Extended Reminders): http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs: http://www.swinc.com/resource/exchange.htm

Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 07, 2002 4:22 PM
> To: Exchange Discussions
> Subject: OWA Enumeration Question
>
> Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5 SP4+2 and
> IIS 5.0
>
> In the past couple of weeks, we have been getting hit VERY hard by
> SPAM. It didn't really trip my trigger until I saw one particular NDR
> in my postmaster mailbox this morning. Upon opening and looking
> specifically at the distribution list, I found that the message was
> addressed to two different SMTP addresses within our organization.
> One of those addresses has been deleted, hence the NDR. The other
> addressee was a hidden DL that was created after 11/8/01, at the
> suggestion of one Mr. Louis Joyce, in a separate thread to someone
> else (see "RE: email to a deleted mailbox").
>
> Now...there are three ways I can think of that someone has gotten
> ahold of our enumerated GAL:
>
> 1. They enumerated our GAL through the OWA, ala "MS01-047 : OWA
> Function Allows Unauthenticated User to Enumerate Global Address
> List". This is Q307195. We have grepped the log files as far back as
> 07/01/01 on the OWA server, and can find no indication that this
> vulnerability has been exploited on our server. In the Add/Remove
> Programs, it doesn't show this hotfix as having been installed, but
> it does show hotfix Q313576 as having been installed and Q307195 is
> an included hotfix (I would say we could rule that option out).
>
> 2. We are one site in a two site organization, with the other site
> being the parent site. Therefore, all recipients in our GAL replicate
> to their GAL. So...the exploit described in #1 could be performed
> from their OWA site if the patch hasn't been applied, with the same
> results (Don't know their status yet).
>
> 3. Someone from within our company or theirs has enumerated the GAL
> and is selling it to outside sources.
>
> Have I left any possibilities out?
>
> James H (Jim) Blunt
> Network / Microsoft Exchange Admin.
> Network & Infrastructure Group
> Bechtel Hanford, Inc.
> 509-372-9188