Ask The Exchange Expert: Questions & Answers

Loophole for relaying spammers

EXPERT RESPONSE FROM: Richard Luckett

QUESTION POSED ON: 24 June 2005
We have an Exchange 2000 server running and our Internet Service Provider informed us that our server has been spamming lately.

We have:

  • Disabled open relaying
  • Checked that there are no open ports
  • Installed Symantec MailSecurity
  • Updated all necessary security updates/patches from Microsoft
  • Disabled Guest account

What other loopholes are there?



The big loophole you have remaining is your password policy. I know that you are asking yourself "what does that have to do with spam?" Well, as it turns out, a great deal.

If a spammer can compromise a legitimate account in your company, it is possible for them to relay off of your SMTP servers using an SMTP AUTH attack. In simple terms, this means relaying mail (spamming) with a valid, albeit compromised, account.

The best protection against this is a strong password policy with strict enforcement of that policy. You might also consider implementing "passphrases" -- like 'You can't always get what you want' -- as they are easy to remember, yet extremely complex for a brute force attack to crack. Of course, if this has already occurred, then you need to enforce a companywide password change, along with the stronger password policy.

I would also recommend that you periodically test your external SMTP host, with a tool such as telnet, to see if you can relay off it. This is important because you don't want to just take your Internet Service Provider's word for it. It is entirely possible that a spammer has hijacked your SMTP domain name and used it for sending out spam. Of course, if they do this, it looks like it came from your SMTP domain.

Doing an NSLookup on the IP address in the header of the spam will reveal, however, that it did not come from your servers. This is a very common practice amongst spammers, and it sometimes leads to the erroneous reporting of e-mail abuse to your Internet Service Provider. Most Internet Service Providers will confirm that the mail is indeed from your servers before putting you on notice, but there is always that chance they won't do their due diligence.
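The header check described in the answer above, as an added example that is not part of the original Q&A: it reads the connecting IP from the Received header written by the reporter's own mail server and compares it with your address range rather than doing the DNS lookup, so it runs offline. The network range, host names and sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: the address range your outbound SMTP hosts send from.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]

# Connecting address as the receiving MTA logs it: "from name (host [192.0.2.7])"
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the lower Received line is forged to name our server;
# the top one was written by the reporter's own MTA and shows the real peer.
SAMPLE_SPOOFED = """\
Received: from mail.example.com (unknown [198.51.100.77])
\tby mx.reporter.example with SMTP; Fri, 24 Jun 2005 10:00:00 +0000
Received: from mail.example.com ([203.0.113.5])
\tby relay.invalid with SMTP; Fri, 24 Jun 2005 09:59:00 +0000
From: sales@example.com
Subject: constructed sample

body
"""


def handoff_ip(raw_message, trusted_hops=1):
    """IP that connected to the outermost server the reporter controls.

    Received headers are prepended, so index 0 is the newest. Only the top
    `trusted_hops` headers were written by the reporter's servers; anything
    below them is supplied by the sender and may be forged.
    """
    received = email.message_from_string(raw_message).get_all("Received") or []
    if trusted_hops < 1 or len(received) < trusted_hops:
        return None
    header = " ".join(received[trusted_hops - 1].split())  # unfold the header
    match = _BRACKETED_IP.search(header.split(" by ", 1)[0])
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # bracketed text that is not a valid address
        return None


def came_from_us(raw_message, trusted_hops=1):
    """True/False if the handoff IP is/is not ours; None if it cannot be read."""
    ip = handoff_ip(raw_message, trusted_hops)
    return None if ip is None else any(ip in net for net in OUR_NETWORKS)


if __name__ == "__main__":
    print(handoff_ip(SAMPLE_SPOOFED), came_from_us(SAMPLE_SPOOFED))
```

Raising `trusted_hops` past the headers the reporter's servers actually wrote makes the check read sender-supplied lines, which is how a forged header can appear to implicate your server.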


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

I ran into the same issue. I struggled to find how the spam was getting through for a long time. Finally, I had to call PSS at Microsoft. It turns out that there is an exploit/bug in Exchange 2000 server that spammers can use to send e-mail to nonexistent addresses. When they get the non-delivery report, they modify headers to send spam. The only way to turn it off is to turn off NDRs for the Exchange server.
—Dave K.

