Security Incidents mailing list archives

Re: E-Mail relay or break in?


From: Missy.Koslosky () USI NET (Koslosky, Missy)
Date: Fri, 11 Feb 2000 01:27:26 -0500


You're correct - it was a reg hack before SP1 for 5.5 (SP1 added it to the
GUI) - I'm not certain it works for 5.0 (or 4.0 for that matter), but it's
easy enough to test.  The MS KB article that explains how to do this is
Q193922 - if I had a 4.0 CD around, I'd test it for you, but I'm sorely
lacking in old software - that's what happens when your company is <2 years
old...  In any case, it's easy enough to test if you've got an older install
around.

There are lots of reasons to upgrade to 5.5 - this being a REALLY good one.

Missy Koslosky
http://www.usi.net

-----Original Message-----
From: Nathan Nichols [mailto:nathan () MMIND NET]
Sent: Wednesday, February 09, 2000 1:19 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: E-Mail relay or break in?

I believe that one of the Service Packs for Exchange 5.0 and Exchange 5.5
adds relay blocking (somebody correct me if I'm incorrect).  I'd go grab
SP2 for 5.5 and give it a shot.
-----
Nathan Nichols
Unix Systems Administrator
MasterMind Internet Services
918-743-6161

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of JJ Gray
Sent: Wednesday, February 09, 2000 5:40 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: E-Mail relay or break in?

Strange... if I wanted to test that a mail server would allow open relay I
would make sure I could get the mail myself, to a dummy hotmail/yahoo
account... but your example is within a single domain.
AFAIK Exchange cannot be configured to prevent open relay, also the main
thing I noticed in the SMTP commands is the empty HELO command... RFC 821
says that this should identify the sender SMTP address to the receiver
SMTP.
Ideally the mail server should reject an empty HELO or at least complain
about it not being the source IP of the connection ( which should also be
logged ).   The rest of the SMTP commands are legit though.
It could just be a wind-up *shrug*   Bear in mind that spoofed email can be
dangerous - if I spoof a mail from your CEO to you, asking sensitive
information, but have the reply-to address to hacker () example com ( which you
don't see on most email clients ! ) then you will send me the info, thinking
it will go to your CEO...
Digital signatures and/or encryption can help with this.

Regards,
            JJ

Sed quis custodiet ipsos custodes ?

----- Original Message -----
From: Seth Georgion <sysadmin () SASSPRODUCTIONS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 09, 2000 2:56 AM
Subject: E-Mail relay or break in?
[snip]

And here is the log of what the person typed in word for word.


2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO
|
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK
[snip]
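JJ's point about rejecting, or at least logging, an empty HELO is easy to turn into a log check. The following is an added example, not code from anyone in this thread: it audits protocol log lines in the shape quoted above (timestamp, ` : `, then either "A connection was accepted from PEER." or `<<< COMMAND args`), flags any HELO/EHLO with no hostname, and also flags a HELO whose claimed name differs from the peer the log recorded for the connection. The sample lines, the peer names MAILHUB and somewhere.example, and the function name `audit_helo` are all constructed for the example; the exact log format beyond the quoted lines is an assumption. The mismatch check is an advisory signal only, since many legitimate clients announce a name that does not match the connecting host.

```python
import re
from dataclasses import dataclass

# Constructed sample log, same layout as the Exchange protocol log lines quoted
# in the thread. Only the first three lines come from the original post.
SAMPLE_LOG = """\
2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK
2/8/00 3:20:01 PM : A connection was accepted from MAILHUB.
2/8/00 3:20:01 PM : <<< HELO mailhub
2/8/00 3:20:02 PM : >>> 250 OK
2/8/00 3:25:10 PM : A connection was accepted from GATE.
2/8/00 3:25:10 PM : <<< EHLO somewhere.example
2/8/00 3:25:11 PM : >>> 250 OK
"""

# "A connection was accepted from GATE."  -> peer = GATE
CONN_RE = re.compile(r"^(?P<ts>.+?) : A connection was accepted from (?P<peer>\S+?)\.?$")
# "<<< HELO mailhub"  -> cmd = HELO, arg = mailhub   (the "<<< IO: |..." raw lines fall through)
CMD_RE = re.compile(r"^(?P<ts>.+?) : <<< (?P<cmd>[A-Za-z]+)\s*(?P<arg>.*)$")


@dataclass
class Finding:
    ts: str
    peer: str
    kind: str      # "empty-helo" or "helo-mismatch"
    detail: str


def audit_helo(log_text: str) -> list[Finding]:
    """Walk the log in order, remembering the peer of the most recent accepted
    connection, and report HELO/EHLO commands that are empty or that claim a
    name different from that peer."""
    findings: list[Finding] = []
    peer = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = CONN_RE.match(line)
        if m:
            peer = m.group("peer")
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").upper()
        if cmd not in ("HELO", "EHLO"):
            continue
        arg = m.group("arg").strip()
        who = peer or "?"   # "?" if no connection line preceded the command
        if not arg:
            findings.append(Finding(m.group("ts"), who, "empty-helo",
                                    f"{cmd} sent with no hostname"))
        elif peer and arg.lower() != peer.lower():
            findings.append(Finding(m.group("ts"), who, "helo-mismatch",
                                    f"{cmd} claimed {arg!r}, connection came from {peer!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_helo(SAMPLE_LOG):
        print(f"{f.ts}  peer={f.peer:8}  {f.kind:14}  {f.detail}")
```

Run against the sample, the empty HELO from GATE and the EHLO claiming somewhere.example are reported; the HELO from MAILHUB passes because the announced name matches the peer. In production you would compare the HELO argument against reverse DNS of the connecting IP rather than the name the log happens to record.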

