David, I agree and really do appreciate you reminding me of that. However, none of our DL's are structured that way. This one in fact is over 15 characters long with special characters.
Jim -----Original Message----- From: David Lemson [mailto:[EMAIL PROTECTED]] Sent: Monday, January 07, 2002 5:28 PM To: Exchange Discussions Subject: RE: OWA Enumeration Question Do not underestimate the power of a dictionary attack. Especially if the alias of the DL is less than 8 characters long, it is not hard to manage a brute-force attack. -----Original Message----- From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]] Sent: Monday, January 07, 2002 3:12 PM To: Exchange Discussions Subject: RE: OWA Enumeration Question Chris, 1. Not an obvious name. 2. <duh> It did include an external SMTP addr <\duh> However, the DL was hidden from the GAL, as was the membership of the DL. 3. Dictionary generated listing wouldn't have worked for reason #1. 4. I COULD stand to lose 30 pounds. While fighting spammers does provide an amusing distraction from time to time, this is not what bothers me. What bothers me is the fact that they evidently got ahold of *every other* SMTP address in the GAL, as evidenced by the fact that they know what the addr is to this one hidden DL that is less than 2 months old. TIA O Great Exchang Yoda ;o) -----Original Message----- From: Chris Scharff [mailto:[EMAIL PROTECTED]] Sent: Monday, January 07, 2002 2:24 PM To: Exchange Discussions Subject: RE: OWA Enumeration Question Other possibilities. The DL name is an obvious one that someone would guess (e.g. all@ sales@ hr@). The DL includes an external recipient and someone sent to the DL with it in the to or from field of a message. The address was created through a dictionary generated spam mailing. Someone in your org knows how to help you lose 30lbs in 30 days. -- Chris Scharff The Mail Resource Center http://www.Mail-Resources.com The Home Page for Mail Administrators. Software pick of the month (Extended Reminders): http://www.slovaktech.com/extendedreminders.htm Exchange FAQs: http://www.swinc.com/resource/exchange.htm Chris -- Chris Scharff Senior Sales Engineer MessageOne If you can't measure, you can't manage! > -----Original Message----- > From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]] > Sent: Monday, January 07, 2002 4:22 PM > To: Exchange Discussions > Subject: OWA Enumeration Question > > > Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5 > SP4+2 and IIS 5.0 > > In the past couple of weeks, we have been getting hit VERY hard by > SPAM. It didn't really trip my trigger until I saw one particular NDR > in my postmaster mailbox this morning. Upon opening and looking > specifically at the distribution list, I found that the message was > addressed to two different SMTP addresses within our organization. One > of those addresses has been deleted, hence the NDR. The other > addressee was a hidden DL that was created after 11/8/01, at the > suggestion of one Mr. Louis Joyce, in a separate thread to someone > else (see "RE: email to a deleted mailbox"). > > Now...there are three ways I can think of that someone has gotten > ahold of our enumerated GAL: > > 1. They enumerated our GAL through the OWA, ala "MS01-047 : OWA > Function Allows Unauthenticated User to Enumerate Global Address > List". This is Q307195. We have grepped the log files as far back as > 07/01/01 on the OWA server, and can find no indication that this > vulnerability has been exploited on our server. In the Add/Remove > Programs, it doesn't show this hotfix as having been installed, but it > does show hotfix Q313576 as having been installed and Q307195 is an > included hotfix (I would say we could rule that option out). > > 2. We are one site in a two site organization, with the > other site being the parent site. Therefore, all recipients in our GAL > replicate to their GAL. So...the exploit described in #1 could be > performed from their OWA site if the patch hasn't been applied, with > the same results (Don't know their status yet). > > 3. Someone from within our company or theirs has enumerated the GAL > and is selling it to outside sources. > > Have I left any possibilities out? > > James H (Jim) Blunt > Network / Microsoft Exchange Admin. > Network & Infrastructure Group > Bechtel Hanford, Inc. > 509-372-9188 _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
