Methinks thou dost protest toooo much!!! :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Posted At: Thursday, December 18, 2003 1:19 PM
Posted To: Exchange Discussion
Conversation: Open Relay/Spamcop
Subject: RE: Open Relay/Spamcop
I'm right there with you on this one. Since I do not know for an absolute FACT one way or the other, it may indeed be the case that a guest account was used or that an account was compromised. And God forbid that I even merely hint or suggest that this is a problem with Microsoft's software or in any way a design flaw, etc., because we all know the storm that would cause.

But, that being said, I would like to implore the MVP gods on this list that they might possibly want to maybe suggest to Microsoft that they take a look at this, for no other reason than to at least modify the wording on the check boxes. I mean, "Anonymous Authentication allowed" and "Allow computers which successfully authenticate..." on the surface seem to indicate that yes, you can anonymously authenticate and relay messages, which I cannot imagine would ever really be very useful to anyone except a spammer. I mean, change the wording or add a checkbox to specifically allow or not allow relaying by anonymous authentication. Who knows, I don't want to start another freaking firestorm about how much I hate Microsoft, yadda, yadda.

I guess my point is that it is OBVIOUSLY an issue specifically in a lot of small 1-50 person shops that use a single Exchange server for everything. This is where I have come in and seen it as a problem. These are exactly the people that don't generally have qualified IT help; thus, because the default configuration seems to allow this kind of relaying issue, it is a "feature" of the product that is adding to the overall spam problem on the Internet. Maybe the MVP gods and Microsoft care, maybe not, but I want to be absolutely clear that I do not care one iota, because if I did everyone would just tell me how stupid and ignorant and a wife beater I am. So, I don't care and please do not mistakenly believe that I care. God help us all if an MVP reads this, thinks I care and starts another massive thread of pointless arguing.
> It is possible that a user account was compromised ... but here is the
> scenario I had and what "worked" to fix it ...
>
> Setup:
> Win2K SP4; Exch 2K SP3; 5000 POP3/IMAP/MAPI/HTTP users on a closed
> user group (noted through IPs in the relay tab ...); guest account
> disabled; SMTP Virtual Server Properties/Access Tab/Relay ... "Allow
> all computers which successfully authenticate to relay, regardless of the list above."
> was checked ...
>
> Issue:
> My queues were huge; relaying may not have been going on (I did have a
> couple of external complaints that I was allowing relaying, but never
> made it on a list --- whew), but we were accepting the mail and then
> processing it internally; it was becoming a performance issue ....
> This internal processing is alluded to at
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897 ...
> then we were getting our own NDRs back ... etc ..
>
> Solution:
> Unchecked SMTP Virtual Server Properties/Access Tab/Relay ... "Allow
> all computers which successfully authenticate to relay, regardless of
> the list above." ... all the relaying (or attempts at it) stopped.
>
> Comment:
> BTW, for external servers to communicate with you, it is the SMTP
> Virtual Server Properties/Access Tab/Authentication/Anonymous Access
> tab that must be checked ....
>
> P.S.:
> I tell users they can still POP their mail from outside our closed
> user group, but they must use their ISP's SMTP relay for sending mail
> or use OWA ...
>
> Mike
>
> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 18, 2003 12:18 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
>
> Exchange WILL relay for authenticated users (by default), and it
> doesn't have to be the guest account (though that is a common attack).
>
> Have you left your Administrator account named Administrator? Do you
> "leak" user IDs to the outside world? Web pages? Email addresses? IM
> aliases?
> Backups run under the user ID "backup"?
>
> Dictionary password attack. Spammers have lots of patience.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
> Sent: Thursday, December 18, 2003 12:11 PM
> To: Exchange Discussions
> Subject: RE: Open Relay/Spamcop
>
> This may very well be the case. I cannot say one way or another. When
> I have seen this, it has always been the case that I am there fixing
> something else and happen upon this problem, fix it and move on. I DO
> know that I have seen it on boxes where the Guest account is disabled,
> but that does not rule out the possibility that some other account was
> compromised.
>
> > However, I would welcome any information that proves me otherwise.
> > i.e. configure these settings, with the guest account disabled,
> > and prove that it actually will relay - not authenticated relay,
> > that doesn't count. If it is authenticated relay, it is because
> > a password was compromised.
> >
> > Ben Winzenz
> > Network Engineer
> > Gardner & White
> > (317) 581-1580 ext 418
> >
> > -----Original Message-----
> > From: Ben Winzenz
> > Posted At: Thursday, December 18, 2003 11:48 AM
> > Posted To: Exchange (Swynk)
> > Conversation: Open Relay/Spamcop
> > Subject: RE: Open Relay/Spamcop
> >
> > I still think you are smoking crack on this, Greg. I have never
> > seen a properly configured Exchange 2000 server relay UNLESS a user
> > account was compromised, or the guest account was enabled.
> > I've tested it and tested again, and never found Exchange to relay
> > with those settings.
> >
> > Ben Winzenz
> > Network Engineer
> > Gardner & White
> > (317) 581-1580 ext 418
> >
> > -----Original Message-----
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Posted At: Thursday, December 18, 2003 11:37 AM
> > Posted To: Exchange (Swynk)
> > Conversation: Open Relay/Spamcop
> > Subject: RE: Open Relay/Spamcop
> >
> > Hey, thanks for the confirmation. People have told me that I am
> > smoking crack and that the Exchange servers were horribly
> > misconfigured. It's nice to know that I am not smoking crack.
> >
> > > I concur with Greg ... our server had those settings and we were
> > > being used as a relay ... turned off "Allow all computers which
> > > successfully authenticate to relay, regardless of the list above."
> > > and that stopped it ...
> > >
> > > Mike
> > >
> > > -----Original Message-----
> > > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 18, 2003 11:17 AM
> > > To: Exchange Discussions
> > > Subject: Re: Open Relay/Spamcop
> > >
> > > This may or may not be the problem, but I have seen spammers able
> > > to relay off an Exchange server if the following configuration
> > > applies:
> > >
> > > 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
> > >    Access page, Authentication.
> > > 2. And, "Allow all computers which successfully authenticate to relay,
> > >    regardless of the list above." is checked. SMTP Virtual Server
> > >    properties, Access page, Relay.
> > >
> > > > Hello All and Happy Holidays!
> > > >
> > > > I have a colleague whose Exchange 2000 server is being reported as
> > > > Open Relay by spamcop for the past month.
> > > > I have tested his relay by setting up a POP account in Outlook,
> > > > putting the server that is being reported as Open relay as my
> > > > Outgoing SMTP server.
> > > >
> > > > When I try to send a message using Outlook, I get a return message
> > > > that 550 5.7.1 Unable to relay. I am relieved that it could not
> > > > relay. That is good, however, why then is spamcop still reporting
> > > > it to be open relay?
> > > >
> > > > I have checked (over the phone) all his Virtual SMTP Server settings
> > > > to verify correct configuration. Everything seems to be "checked" or
> > > > "unchecked" as recommended by Microsoft.
> > > >
> > > > We have Stopped/Started Services for SMTP. The Exchange 2000 server
> > > > is behind a NAT and I have looked into the possibility of this. I
> > > > have been out on the spamcop site and for the life of me cannot
> > > > find a way to make them check the server again to see if it is
> > > > closed relay like ORDB does.
> > > >
> > > > Any ideas or comments????
> > > >
> > > > Samantha Bridges
> > > > Communications Technician
> > > > Macomb Intermediate School District
> > > > 44001 Garfield Road
> > > > Clinton Township MI 48038-1100
> > > > (586) 228-3300
> > > > [EMAIL PROTECTED]
> > > > http://www.misd.net
> > > >
> > > > CONFIDENTIALITY NOTICE: This email message, including any
> > > > attachments, is for the sole use of the intended recipient(s) and
> > > > may contain confidential and privileged information.
> > > > Any unauthorized review, use, disclosure or distribution is
> > > > prohibited. If you are not the intended recipient, please contact
> > > > the sender by reply email and destroy all copies of the original
> > > > message.
> > >
> > > _________________________________________________________________
> > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > Exchange List admin: [EMAIL PROTECTED]
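Added example, not part of the thread above and not Exchange's own code: a self-contained Python model of the relay decision the participants are arguing about, with a smtplib probe that first reproduces Samantha's Outlook test (no credentials) and then the authenticated test that Ken and Ben say is the one that counts. Everything in it is constructed for illustration: the fake server name fake.exchange, the local domain example.edu, the "backup"/"backup" account (the kind of guessable identity Ken lists), and the probe addresses. The in-process server is a stand-in that mimics the replies quoted in the thread (550 5.7.1 Unable to relay, 235 on AUTH); it is an assumption about Exchange 2000's behaviour, not its code.

```python
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "example.edu"          # constructed: the fake server's own mail domain
WEAK_ACCOUNTS = {"backup": "backup"}  # constructed: the guessable account Ken describes


class RelayPolicy:
    """The two Access-tab check boxes the thread argues about."""
    def __init__(self, anonymous_access=True, authenticated_relay=True):
        self.anonymous_access = anonymous_access        # Authentication / Anonymous access
        self.authenticated_relay = authenticated_relay  # Relay / "Allow all computers which
                                                        # successfully authenticate to relay"


class FakeExchangeHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP (EHLO, AUTH PLAIN, MAIL, RCPT, QUIT) to model the relay decision."""
    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        policy, authed = self.server.policy, False
        self.send("220 fake.exchange ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.send("250-fake.exchange")
                self.send("250 AUTH PLAIN")
            elif verb == "AUTH":
                # AUTH PLAIN <base64("\0user\0password")>
                try:
                    _, user, pwd = base64.b64decode(arg.split()[1]).decode().split("\0")
                except Exception:
                    user = pwd = None
                authed = user in WEAK_ACCOUNTS and WEAK_ACCOUNTS[user] == pwd
                self.send("235 2.7.0 Authentication successful" if authed
                          else "535 5.7.3 Authentication unsuccessful")
            elif verb in ("MAIL", "RCPT") and not authed and not policy.anonymous_access:
                self.send("530 5.7.1 Client was not authenticated")
            elif verb == "MAIL":
                self.send("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip("<> ").lower()
                # Local recipients are always accepted; a foreign recipient is relayed
                # only for an authenticated session while the "authenticate to relay"
                # box is ticked.  Anonymous sessions get the 550 Samantha saw.
                if rcpt.endswith("@" + LOCAL_DOMAIN) or (authed and policy.authenticated_relay):
                    self.send("250 2.1.5 Recipient OK")
                else:
                    self.send("550 5.7.1 Unable to relay")
            elif verb == "QUIT":
                self.send("221 2.0.0 bye")
                return
            else:
                self.send("500 5.5.1 Command unrecognized")


def start_server(policy):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeExchangeHandler)
    srv.policy = policy
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def relay_probe(host, port, user=None, password=None):
    """True if the server will relay attacker -> foreign recipient (usable as a relay).
    Stops after RCPT TO, so no message is ever submitted."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=5) as s:
        s.ehlo()
        if user is not None:
            try:
                s.login(user, password)
            except smtplib.SMTPAuthenticationError:
                return False          # bad guess: no relay through this account
        s.mail("probe@attacker.invalid")
        code, _ = s.rcpt("victim@elsewhere.invalid")
    return code == 250


def run_demo():
    """Run the three probes the thread's participants describe; return the verdicts."""
    policy = RelayPolicy(anonymous_access=True, authenticated_relay=True)
    srv = start_server(policy)
    host, port = srv.server_address
    try:
        verdicts = {
            "anonymous": relay_probe(host, port),                             # Samantha's test
            "guessed_password": relay_probe(host, port, "backup", "backup"),  # Ken's attack
        }
        policy.authenticated_relay = False                                    # Mike's fix
        verdicts["guessed_password_after_fix"] = relay_probe(host, port, "backup", "backup")
    finally:
        srv.shutdown()
        srv.server_close()
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Running it prints anonymous False, guessed_password True, guessed_password_after_fix False: the anonymous Outlook test reports "closed" while a dictionary-guessed account relays freely, and unticking "Allow all computers which successfully authenticate to relay" closes that path, which is the sequence Samantha, Ken and Mike each describe from their own side. Against a real server the same relay_probe can be pointed at its host and port; the caveat is that a 550 on the anonymous probe alone says nothing about the authenticated path, so the check that matters when that box is ticked is whether any weak or leaked account (the identities Ken lists) gets a 250 on a foreign RCPT TO.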