Posted on 11/18/2003 8:56:26 AM PST by Salo
Administrators of e-mail systems based on Microsoft's Exchange might have spammers using their servers to send unsolicited bulk e-mail under their noses, a consultant warned this week.
Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper Thursday detailing the problem, discovered when a client's server was found to be sending spam. Greenspan's research concluded that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."
The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
There are dozens of messages--with subject lines such as "Open relay problem" and "We are sending spam?"--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers.
Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints.
"This particular method of sending spam relies on specifically configured servers or is leveraging weaknesses in the protocol itself," the software giant said in a statement issued in response to questions from CNET News.com. "The fact is that Microsoft has not received a lot of calls from customers that have experienced problems detailed by Think Computer."
Moreover, the company said the issue doesn't affect the latest version of the software, Exchange Server 2003.
Greenspan, however, argued that the problem has accounted for a large amount of unsolicited e-mail. He estimates that at least 100,000 messages spammers in China sent went through his client's server before he stopped the problem. He added that the issue is causing headaches for Exchange administrators.
"It is really inexcusable for a company that claims security is its top priority," he said.
FREE PC PROTECTION: (Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.) |
|
|
That says it all right there. He says it right there:
"IF THE GUEST ACCOUNT IS ENABLED"!!!
Any "admin" STUPID enough to enable the guest account on a server open to the Internet deserves not only to have his Exchange server "used", but deserves to go out the door with the resulting flood of spam. That's like complaining that the ability to allow write permissions for the "anonymous" user on an FTP folder is a "security flaw". Give me a break!
This is the most trumped up "security issue" I've seen to date. If some idiot doesn't know how to set up a secure Exchange Server then he shouldn't be touching the machine. This isn't a security flaw; it's a profound lack of competence on the part of the clown that doesn't follow WIDELY KNOWN best practices.
I presume that the guest account isn't enabled by default. But, one of the other points in the article is that the CodeRed worm apparently enables the guest account. If it got loose behind a firewall and managed to compromise the Exchange server, it may have been left enabled after subsequent cleanup efforts.
"Whatever you don't press this button!"
As most have noted previously must be a slow news day over at CNET when not disabling your guest account is a major flaw in exchange :/
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.