RE: OWA Enumeration Question

2002-01-08 Thread Blunt, James H (Jim)

David,

I agree and really do appreciate you reminding me of that.  However, none of
our DL's are structured that way.  This one in fact is over 15 characters
long with special characters.

Jim

-Original Message-
From: David Lemson [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 5:28 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Do not underestimate the power of a dictionary attack.  Especially if the
alias of the DL is less than 8 characters long, it is not hard to manage a
brute-force attack.  

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 3:12 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Chris,

1.  Not an obvious name.
2.  duh It did include an external SMTP addr \duh  However, the DL was
hidden from the GAL, as was the membership of the DL.
3.  Dictionary generated listing wouldn't have worked for reason #1.
4.  I COULD stand to lose 30 pounds.

While fighting spammers does provide an amusing distraction from time to
time, this is not what bothers me.  What bothers me is the fact that they
evidently got ahold of *every other* SMTP address in the GAL, as evidenced
by the fact that they know what the addr is to this one hidden DL that is
less than 2 months old.

TIA O Great Exchange Yoda ;o)

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:24 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Other possibilities.

The DL name is an obvious one that someone would guess (e.g. all@ sales@
hr@). The DL includes an external recipient and someone sent to the DL with
it in the to or from field of a message. The address was created through a
dictionary generated spam mailing. Someone in your org knows how to help you
lose 30lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 4:22 PM
 To: Exchange Discussions
 Subject: OWA Enumeration Question


 Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
 SP4+2 and IIS 5.0

 In the past couple of weeks, we have been getting hit VERY hard by 
 SPAM. It didn't really trip my trigger until I saw one particular NDR 
 in my postmaster mailbox this morning. Upon opening and looking 
 specifically at the distribution list, I found that the message was 
 addressed to two different SMTP addresses within our organization. One
 of those addresses has been deleted, hence the NDR. The other 
 addressee was a hidden DL that was created after 11/8/01, at the 
 suggestion of one Mr. Louis Joyce, in a separate thread to someone 
 else (see RE: email to a deleted mailbox).

 Now...there are three ways I can think of that someone has gotten 
 ahold of our enumerated GAL:

 1. They enumerated our GAL through the OWA, ala MS01-047 : OWA 
 Function Allows Unauthenticated User to Enumerate Global Address 
 List. This is Q307195. We have grepped the log files as far back as 
 07/01/01 on the OWA server, and can find no indication that this 
 vulnerability has been exploited on our server. In the Add/Remove 
 Programs, it doesn't show this hotfix as having been installed, but it
 does show hotfix Q313576 as having been installed and Q307195 is an
 included hotfix (I would say we could rule that option out).

 2. We are one site in a two site organization, with the
 other site being the parent site. Therefore, all recipients in our GAL 
 replicate to their GAL. So...the exploit described in #1 could be 
 performed from their OWA site if the patch hasn't been applied, with 
 the same results (Don't know their status yet).

 3. Someone from within our company or theirs has enumerated the GAL 
 and is selling it to outside sources.

 Have I left any possibilities out?

 James H (Jim) Blunt
 Network / Microsoft Exchange Admin.
 Network  Infrastructure Group
 Bechtel Hanford, Inc.
 509-372-9188


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]


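Item #1 of Jim's original question (quoted above) comes down to grepping the OWA server's IIS logs for unauthenticated use of the directory-lookup function. The following is an added example, not code from the thread: it parses constructed IIS W3C extended log lines and flags client IPs that issued many distinct lookups with no authenticated username. The `/exchange/finduser/` path prefix and the threshold are assumptions to be checked against the actual OWA install.

```python
from collections import defaultdict

# Constructed sample in W3C extended format as IIS 5.0 writes it. The field
# order comes from the #Fields header, which the parser reads rather than
# assumes. The client IPs and the CORP\user1 account are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2002-01-05 03:14:07 203.0.113.9 - GET /exchange/finduser/fumsg.asp DN=aa 200
2002-01-05 03:14:08 203.0.113.9 - GET /exchange/finduser/fumsg.asp DN=ab 200
2002-01-05 03:14:08 203.0.113.9 - GET /exchange/finduser/fumsg.asp DN=ac 200
2002-01-05 03:14:09 203.0.113.9 - GET /exchange/finduser/fumsg.asp DN=ad 200
2002-01-05 09:02:11 198.51.100.4 CORP\\user1 GET /exchange/finduser/fumsg.asp DN=smith 200
2002-01-05 09:02:40 198.51.100.4 CORP\\user1 GET /exchange/inbox/ - 200
2002-01-05 11:30:02 192.0.2.77 - GET /exchange/logon.asp - 401
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may appear again after a log rotation
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, parts))


def anonymous_lookups(entries, path_prefix):
    """Map client IP -> set of distinct queries sent to path_prefix without a username."""
    by_ip = defaultdict(set)
    for e in entries:
        if e.get("cs-username", "-") != "-":
            continue  # authenticated users may legitimately browse the GAL
        if not e.get("cs-uri-stem", "").lower().startswith(path_prefix.lower()):
            continue
        by_ip[e["c-ip"]].add(e.get("cs-uri-query", "-"))
    return by_ip


def flag_enumerators(text, path_prefix="/exchange/finduser/", threshold=3):
    """Return sorted (ip, distinct_query_count) pairs at or above the threshold.

    The prefix is an assumed location of the OWA find-names page; the
    threshold separates one-off lookups from an enumeration pattern.
    """
    by_ip = anonymous_lookups(parse_w3c(text), path_prefix)
    return sorted((ip, len(q)) for ip, q in by_ip.items() if len(q) >= threshold)


if __name__ == "__main__":
    for ip, n in flag_enumerators(SAMPLE_LOG):
        print(f"{ip}: {n} distinct unauthenticated directory lookups")
```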

RE: OWA Enumeration Question

2002-01-07 Thread Chris Scharff

Other possibilities.

The DL name is an obvious one that someone would guess (e.g. all@ sales@
hr@).
The DL includes an external recipient and someone sent to the DL with it in
the to or from field of a message.
The address was created through a dictionary generated spam mailing.
Someone in your org knows how to help you lose 30lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 4:22 PM
 To: Exchange Discussions
 Subject: OWA Enumeration Question


 Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
 SP4+2 and IIS 5.0

 In the past couple of weeks, we have been getting hit VERY
 hard by SPAM. It didn't really trip my trigger until I saw
 one particular NDR in my postmaster mailbox this morning.
 Upon opening and looking specifically at the distribution
 list, I found that the message was addressed to two different
 SMTP addresses within our organization. One of those
 addresses has been deleted, hence the NDR. The other
 addressee was a hidden DL that was created after 11/8/01, at
 the suggestion of one Mr. Louis Joyce, in a separate thread
 to someone else (see RE: email to a deleted mailbox).

 Now...there are three ways I can think of that someone has
 gotten ahold of our enumerated GAL:

 1. They enumerated our GAL through the OWA, ala MS01-047 :
 OWA Function Allows Unauthenticated User to Enumerate Global
 Address List. This is Q307195. We have grepped the log
 files as far back as 07/01/01 on the OWA server, and can find
 no indication that this vulnerability has been exploited on
 our server. In the Add/Remove Programs, it doesn't show this
 hotfix as having been installed, but it does show hotfix
 Q313576 as having been installed and Q307195 is an included
 hotfix (I would say we could rule that option out).

 2. We are one site in a two site organization, with the
 other site being the parent site. Therefore, all recipients
 in our GAL replicate to their GAL. So...the exploit
 described in #1 could be performed from their OWA site if the
 patch hasn't been applied, with the same results (Don't know
 their status yet).

 3. Someone from within our company or theirs has enumerated
 the GAL and is selling it to outside sources.

 Have I left any possibilities out?

 James H (Jim) Blunt
 Network / Microsoft Exchange Admin.
 Network  Infrastructure Group
 Bechtel Hanford, Inc.
 509-372-9188





RE: OWA Enumeration Question

2002-01-07 Thread Blunt, James H (Jim)

Chris,

1.  Not an obvious name.
2.  duh It did include an external SMTP addr \duh  However, the DL was
hidden from the GAL, as was the membership of the DL.
3.  Dictionary generated listing wouldn't have worked for reason #1.
4.  I COULD stand to lose 30 pounds.

While fighting spammers does provide an amusing distraction from time to
time, this is not what bothers me.  What bothers me is the fact that they
evidently got ahold of *every other* SMTP address in the GAL, as evidenced
by the fact that they know what the addr is to this one hidden DL that is
less than 2 months old.

TIA O Great Exchange Yoda ;o)

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:24 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Other possibilities.

The DL name is an obvious one that someone would guess (e.g. all@ sales@
hr@). The DL includes an external recipient and someone sent to the DL with
it in the to or from field of a message. The address was created through a
dictionary generated spam mailing. Someone in your org knows how to help you
lose 30lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 4:22 PM
 To: Exchange Discussions
 Subject: OWA Enumeration Question


 Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
 SP4+2 and IIS 5.0

 In the past couple of weeks, we have been getting hit VERY hard by 
 SPAM. It didn't really trip my trigger until I saw one particular NDR 
 in my postmaster mailbox this morning. Upon opening and looking 
 specifically at the distribution list, I found that the message was 
 addressed to two different SMTP addresses within our organization. One 
 of those addresses has been deleted, hence the NDR. The other
 addressee was a hidden DL that was created after 11/8/01, at
 the suggestion of one Mr. Louis Joyce, in a separate thread
 to someone else (see RE: email to a deleted mailbox).

 Now...there are three ways I can think of that someone has gotten 
 ahold of our enumerated GAL:

 1. They enumerated our GAL through the OWA, ala MS01-047 : OWA 
 Function Allows Unauthenticated User to Enumerate Global Address 
 List. This is Q307195. We have grepped the log files as far back as 
 07/01/01 on the OWA server, and can find no indication that this 
 vulnerability has been exploited on our server. In the Add/Remove 
 Programs, it doesn't show this hotfix as having been installed, but it 
 does show hotfix Q313576 as having been installed and Q307195 is an 
 included hotfix (I would say we could rule that option out).

 2. We are one site in a two site organization, with the
 other site being the parent site. Therefore, all recipients in our GAL 
 replicate to their GAL. So...the exploit described in #1 could be 
 performed from their OWA site if the patch hasn't been applied, with 
 the same results (Don't know their status yet).

 3. Someone from within our company or theirs has enumerated the GAL 
 and is selling it to outside sources.

 Have I left any possibilities out?

 James H (Jim) Blunt
 Network / Microsoft Exchange Admin.
 Network  Infrastructure Group
 Bechtel Hanford, Inc.
 509-372-9188





RE: OWA Enumeration Question

2002-01-07 Thread Chris Scharff

If you send to that DL in the to line or the cc line of a message, the
recipients then have the SMTP address of that message right? And if someone
forwards the message the next recipients potentially have it too.

If the DL has never been used, and someone has the address I guess I might
be concerned.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 5:12 PM
 To: Exchange Discussions
 Subject: RE: OWA Enumeration Question


 Chris,

 1. Not an obvious name.
 2. duh It did include an external SMTP addr \duh
 However, the DL was
 hidden from the GAL, as was the membership of the DL.
 3. Dictionary generated listing wouldn't have worked for reason #1.
 4. I COULD stand to lose 30 pounds.

 While fighting spammers does provide an amusing distraction
 from time to
 time, this is not what bothers me. What bothers me is the
 fact that they
 evidently got ahold of *every other* SMTP address in the GAL,
 as evidenced
 by the fact that they know what the addr is to this one
 hidden DL that is
 less than 2 months old.

 TIA O Great Exchange Yoda ;o)





RE: OWA Enumeration Question

2002-01-07 Thread Blunt, James H (Jim)

That's exactly the situation...it's never been used to send ANY mail.  Any
ideas on what I should do at this point?

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 3:16 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


If you send to that DL in the to line or the cc line of a message, the
recipients then have the SMTP address of that message right? And if someone
forwards the message the next recipients potentially have it too.

If the DL has never been used, and someone has the address I guess I might
be concerned.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 5:12 PM
 To: Exchange Discussions
 Subject: RE: OWA Enumeration Question


 Chris,

 1. Not an obvious name.
 2. duh It did include an external SMTP addr \duh
 However, the DL was
 hidden from the GAL, as was the membership of the DL.
 3. Dictionary generated listing wouldn't have worked for reason #1.
 4. I COULD stand to lose 30 pounds.

 While fighting spammers does provide an amusing distraction from time 
 to time, this is not what bothers me. What bothers me is the
 fact that they
 evidently got ahold of *every other* SMTP address in the GAL,
 as evidenced
 by the fact that they know what the addr is to this one
 hidden DL that is
 less than 2 months old.

 TIA O Great Exchange Yoda ;o)





RE: OWA Enumeration Question

2002-01-07 Thread Chris Scharff

Change the SMTP address of the DL. :)

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm

That's exactly the situation...it's never been used to send ANY mail. Any
ideas on what I should do at this point?
-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 3:16 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question

If you send to that DL in the to line or the cc line of a message, the
recipients then have the SMTP address of that message right? And if someone
forwards the message the next recipients potentially have it too.
If the DL has never been used, and someone has the address I guess I might
be concerned.
--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.
Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm





RE: OWA Enumeration Question

2002-01-07 Thread Blunt, James H (Jim)

I removed it about 1/2 an hour ago. What every other addy in the org?  :o(

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 3:39 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Change the SMTP address of the DL. :)

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm

That's exactly the situation...it's never been used to send ANY mail. Any
ideas on what I should do at this point?
-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 3:16 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question

If you send to that DL in the to line or the cc line of a message, the
recipients then have the SMTP address of that message right? And if someone
forwards the message the next recipients potentially have it too. If the DL
has never been used, and someone has the address I guess I might be
concerned.
--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.
Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm





RE: OWA Enumeration Question

2002-01-07 Thread David Lemson

Do not underestimate the power of a dictionary attack.  Especially if
the alias of the DL is less than 8 characters long, it is not hard to
manage a brute-force attack.  

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 3:12 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Chris,

1.  Not an obvious name.
2.  duh It did include an external SMTP addr \duh  However, the DL
was hidden from the GAL, as was the membership of the DL.
3.  Dictionary generated listing wouldn't have worked for reason #1.
4.  I COULD stand to lose 30 pounds.

While fighting spammers does provide an amusing distraction from time to
time, this is not what bothers me.  What bothers me is the fact that
they evidently got ahold of *every other* SMTP address in the GAL, as
evidenced by the fact that they know what the addr is to this one hidden
DL that is less than 2 months old.

TIA O Great Exchange Yoda ;o)

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:24 PM
To: Exchange Discussions
Subject: RE: OWA Enumeration Question


Other possibilities.

The DL name is an obvious one that someone would guess (e.g. all@ sales@
hr@). The DL includes an external recipient and someone sent to the DL
with it in the to or from field of a message. The address was created
through a dictionary generated spam mailing. Someone in your org knows
how to help you lose 30lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

 -Original Message-
 From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 07, 2002 4:22 PM
 To: Exchange Discussions
 Subject: OWA Enumeration Question


 Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
 SP4+2 and IIS 5.0

 In the past couple of weeks, we have been getting hit VERY hard by
 SPAM. It didn't really trip my trigger until I saw one particular NDR 
 in my postmaster mailbox this morning. Upon opening and looking 
 specifically at the distribution list, I found that the message was 
 addressed to two different SMTP addresses within our organization. One
 of those addresses has been deleted, hence the NDR. The other
 addressee was a hidden DL that was created after 11/8/01, at
 the suggestion of one Mr. Louis Joyce, in a separate thread
 to someone else (see RE: email to a deleted mailbox).

 Now...there are three ways I can think of that someone has gotten
 ahold of our enumerated GAL:

 1. They enumerated our GAL through the OWA, ala MS01-047 : OWA
 Function Allows Unauthenticated User to Enumerate Global Address 
 List. This is Q307195. We have grepped the log files as far back as 
 07/01/01 on the OWA server, and can find no indication that this 
 vulnerability has been exploited on our server. In the Add/Remove 
 Programs, it doesn't show this hotfix as having been installed, but it
 does show hotfix Q313576 as having been installed and Q307195 is an 
 included hotfix (I would say we could rule that option out).

 2. We are one site in a two site organization, with the
 other site being the parent site. Therefore, all recipients in our GAL
 replicate to their GAL. So...the exploit described in #1 could be 
 performed from their OWA site if the patch hasn't been applied, with 
 the same results (Don't know their status yet).

 3. Someone from within our company or theirs has enumerated the GAL
 and is selling it to outside sources.

 Have I left any possibilities out?

 James H (Jim) Blunt
 Network / Microsoft Exchange Admin.
 Network  Infrastructure Group
 Bechtel Hanford, Inc.
 509-372-9188

