David,

I agree and really do appreciate you reminding me of that.  However, none of
our DL's are structured that way.  This one in fact is over 15 characters
long with special characters.

Jim

-----Original Message-----
From: David Lemson [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 5:28 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Do not underestimate the power of a dictionary attack.  Especially if the
alias of the DL is less than 8 characters long, it is not hard to manage a
brute-force attack.  
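The dictionary attack David describes leaves a recognisable trace at the mail gateway: one client trying many distinct recipients, most of which are rejected. The script below is an added example, not code from any poster or from Exchange; its log format (timestamp, client IP, recipient, accept/reject result) and the sample lines are constructed for illustration and do not match the Exchange 5.5 or IIS log formats, so the regular expression would need adapting to a real gateway log.

```python
"""Flag clients that probe many recipient aliases with a high rejection rate.

Added example for the thread above; the log format and sample data are
constructed, not taken from Exchange 5.5 or IIS logs.
"""
from collections import defaultdict
import re

# Constructed sample log lines (assumed format: timestamp, client IP,
# recipient, result). 198.51.100.7 walks a list of common aliases;
# 203.0.113.9 is ordinary traffic to real mailboxes.
SAMPLE_LOG = """\
2002-01-07T14:01:02 client=198.51.100.7 rcpt=sales@example.org result=accepted
2002-01-07T14:01:03 client=198.51.100.7 rcpt=hr@example.org result=accepted
2002-01-07T14:01:03 client=198.51.100.7 rcpt=all@example.org result=rejected
2002-01-07T14:01:04 client=198.51.100.7 rcpt=info@example.org result=rejected
2002-01-07T14:01:04 client=198.51.100.7 rcpt=admin@example.org result=rejected
2002-01-07T14:01:05 client=198.51.100.7 rcpt=jobs@example.org result=rejected
2002-01-07T14:01:05 client=198.51.100.7 rcpt=help@example.org result=rejected
2002-01-07T14:01:06 client=198.51.100.7 rcpt=news@example.org result=rejected
2002-01-07T14:02:10 client=203.0.113.9 rcpt=jblunt@example.org result=accepted
2002-01-07T14:05:11 client=203.0.113.9 rcpt=postmaster@example.org result=accepted
"""

# Assumed line layout; adjust for the real gateway's log format.
LINE_RE = re.compile(r"client=(\S+) rcpt=(\S+) result=(accepted|rejected)")


def parse_log(text):
    """Yield (client_ip, recipient, accepted) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "accepted"


def find_harvesters(text, min_recipients=5, min_reject_ratio=0.5):
    """Return {client_ip: (distinct_recipients, rejected_count)} for clients
    that addressed at least `min_recipients` distinct recipients and had at
    least `min_reject_ratio` of those attempts rejected.

    Both thresholds are tuning knobs: a legitimate mailing list server may
    also reach many recipients, but its rejection rate stays low.
    """
    stats = defaultdict(lambda: [set(), 0])  # ip -> [recipients, rejected]
    for ip, rcpt, accepted in parse_log(text):
        stats[ip][0].add(rcpt)
        if not accepted:
            stats[ip][1] += 1

    flagged = {}
    for ip, (recipients, rejected) in stats.items():
        n = len(recipients)
        if n >= min_recipients and rejected / n >= min_reject_ratio:
            flagged[ip] = (n, rejected)
    return flagged


if __name__ == "__main__":
    for ip, (n, rejected) in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct recipients, {rejected} rejected")
```

Run against the constructed sample, only 198.51.100.7 is flagged (8 distinct recipients, 6 rejected); the second client sends to two valid mailboxes and never trips the rejection-ratio threshold. A hidden DL with a long alias stays outside such a walk, which is the point of David's remark about alias length; an obvious alias such as those Chris lists is exactly what a list like this would hit first.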

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 3:12 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Chris,

1.  Not an obvious name.
2.  <duh> It did include an external SMTP addr </duh>  However, the DL was
hidden from the GAL, as was the membership of the DL.
3.  Dictionary generated listing wouldn't have worked for reason #1.
4.  I COULD stand to lose 30 pounds.

While fighting spammers does provide an amusing distraction from time to
time, this is not what bothers me.  What bothers me is the fact that they
evidently got ahold of *every other* SMTP address in the GAL, as evidenced
by the fact that they know what the addr is to this one hidden DL that is
less than 2 months old.

TIA O Great Exchange Yoda ;o)

-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:24 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Other possibilities:

1. The DL name is an obvious one that someone would guess (e.g. all@ sales@
hr@).
2. The DL includes an external recipient and someone sent to the DL with
it in the to or from field of a message.
3. The address was created through a dictionary generated spam mailing.
4. Someone in your org knows how to help you lose 30lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 07, 2002 4:22 PM
> To: Exchange Discussions
> Subject: OWA Enumeration Question
>
>
> Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
> SP4+2 and IIS 5.0
>
> In the past couple of weeks, we have been getting hit VERY hard by 
> SPAM. It didn't really trip my trigger until I saw one particular NDR 
> in my postmaster mailbox this morning. Upon opening and looking 
> specifically at the distribution list, I found that the message was 
> addressed to two different SMTP addresses within our organization. One
> of those addresses has been deleted, hence the NDR. The other 
> addressee was a hidden DL that was created after 11/8/01, at the 
> suggestion of one Mr. Louis Joyce, in a separate thread to someone 
> else (see "RE: email to a deleted mailbox").
>
> Now...there are three ways I can think of that someone has gotten 
> ahold of our enumerated GAL:
>
> 1. They enumerated our GAL through the OWA, ala "MS01-047 : OWA 
> Function Allows Unauthenticated User to Enumerate Global Address 
> List". This is Q307195. We have grepped the log files as far back as 
> 07/01/01 on the OWA server, and can find no indication that this 
> vulnerability has been exploited on our server. In the Add/Remove 
> Programs, it doesn't show this hotfix as having been installed, but it
> does show hotfix Q313576 as having been installed and Q307195 is an
> included hotfix (I would say we could rule that option out).
>
> 2. We are one site in a two site organization, with the
> other site being the parent site. Therefore, all recipients in our GAL 
> replicate to their GAL. So...the exploit described in #1 could be 
> performed from their OWA site if the patch hasn't been applied, with 
> the same results (Don't know their status yet).
>
> 3. Someone from within our company or theirs has enumerated the GAL 
> and is selling it to outside sources.
>
> Have I left any possibilities out?
>
> James H (Jim) Blunt
> Network / Microsoft Exchange Admin.
> Network & Infrastructure Group
> Bechtel Hanford, Inc.
> 509-372-9188


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
