Mail server flaw opens Exchange to spam

Cnet News ^ | 11/14/03 | Robert Lemos

[Salo]

Administrators of e-mail systems based on Microsoft's Exchange might have spammers using their servers to send unsolicited bulk e-mail under their noses, a consultant warned this week.

Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper Thursday detailing the problem, discovered when a client's server was found to be sending spam. Greenspan's research concluded that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.

"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."

The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.

There are dozens of messages--with subject lines such as "Open relay problem" and "We are sending spam?"--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers.

Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints.

"This particular method of sending spam relies on specifically configured servers or is leveraging weaknesses in the protocol itself," the software giant said in a statement issued in response to questions from CNET News.com. "The fact is that Microsoft has not received a lot of calls from customers that have experienced problems detailed by Think Computer."

Moreover, the company said the issue doesn't affect the latest version of the software, Exchange Server 2003.

Greenspan, however, argued that the problem has accounted for a large amount of unsolicited e-mail. He estimates that at least 100,000 messages spammers in China sent went through his client's server before he stopped the problem. He added that the issue is causing headaches for Exchange administrators.

"It is really inexcusable for a company that claims security is its top priority," he said.

[Salo]

For discussion.

[Salo]

Ping.

[martin_fierro]

FREE PC PROTECTION: (Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)

Alternative browsers: Mozilla Opera AVG Anti-Virus Free Edition: Free anti-viral protection Popup ad killers: Bayden Systems Popup Popper: Blocks popup ads well in MSIE Shoot the Messenger: Close that friggin' Messenger in Windows XP Spyware removers: Spywareblaster - Prevents Spyware from being installed in the first place Spybot S&D AdAware MailWasher: Good for pre-screening & bouncing SPAM Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall Test your firewall from without with ShieldsUP! Test your firewall from within with LeakTest

[Bush2000]

For God's sake, people, disable the Guest account!!!!

[CaptBlack]

"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."

That says it all right there. He says it right there:
"IF THE GUEST ACCOUNT IS ENABLED"!!!

Any "admin" STUPID enough to enable the guest account on a server open to the Internet deserves not only to have his Exchange server "used", but deserves to go out the door with the resulting flood of spam. That's like complaining that the ability to allow write permissions for the "anonymous" user on an FTP folder is a "security flaw". Give me a break!

This is the most trumped up "security issue" I've seen to date. If some idiot doesn't know how to set up a secure Exchange Server then he shouldn't be touching the machine. This isn't a security flaw; it's a profound lack of competence on the part of the clown that doesn't follow WIDELY KNOWN best practices.

[justlurking]

Any "admin" STUPID enough to enable the guest account on a server open to the Internet deserves not only to have his Exchange server "used", but deserves to go out the door with the resulting flood of spam.

I presume that the guest account isn't enabled by default. But, one of the other points in the article is that the CodeRed worm apparently enables the guest account. If it got loose behind a firewall and managed to compromise the Exchange server, it may have been left enabled after subsequent cleanup efforts.

[Looking for Diogenes]

Why do software companies even put in these 'guest' accounts anymore? The accounts inevitably seem to cause problems. They remind me of those "self-destruct" buttons that appear so often in sci-fi or action movies.

"Whatever you don't press this button!"

[billbears]

bookmark

[battousai]

As most have noted previously must be a slow news day over at CNET when not disabling your guest account is a major flaw in exchange :/

[Salo]

I wish you could just delete the damned thing.

As most have noted previously must be a slow news day over at CNET when not disabling your guest account is a major flaw in exchange :/

[general_re]

Used to be a little tool for NT4 that you could use to delete the guest user outright, but AFAIK, there's nothing like that for 2k or XP....