Information Security News mailing list archives

Mail server flaw opens Exchange to spam


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Nov 2003 01:20:29 -0600 (CST)

http://news.com.com/2100-7355_3-5107904.html

By Robert Lemos 
Staff Writer, CNET News.com
November 14, 2003

Administrators of e-mail systems based on Microsoft's Exchange might 
have spammers using their servers to send unsolicited bulk e-mail 
under their noses, a consultant warned this week. 

Aaron Greenspan, a Harvard University junior and president of 
consulting company Think Computer, published a white paper Thursday 
detailing the problem, discovered when a client's server was found to 
be sending spam. Greenspan's research concluded that Exchange 5.5 and 
2000 can be used by spammers to send anonymous e-mail. He says the 
server remains open even when the configuration-checking software 
Microsoft provides on its site reports it as secure. 

"If the guest account is enabled (on Exchange 5.5 and 2000), even if 
your login fails, you can send mail, because the guest account is 
there as a catchall," he said. "Even if you think you've done 
everything (to secure the server), you are still open to spammers." 

The guest account is a way for administrators to let visitors use a 
mail server anonymously, but because of security issues, the feature 
is generally not enabled. Exchange servers that had been infected by 
the Code Red worm and subsequently cleaned will still have the guest 
account enabled, Greenspan said. 

There are dozens of messages--with subject lines such as "Open relay 
problem" and "We are sending spam?"--on Microsoft's Exchange 
Administration newsgroup, sent by information system managers who 
haven't been able to staunch the flow of spam from their servers. 

Microsoft, however, said the problem is relatively minor and that the 
company hasn't had many complaints. 

"This particular method of sending spam relies on specifically 
configured servers or is leveraging weaknesses in the protocol 
itself," the software giant said in a statement issued in response to 
questions from CNET News.com. "The fact is that Microsoft has not 
received a lot of calls from customers that have experienced problems 
detailed by Think Computer." 

Moreover, the company said the issue doesn't affect the latest version 
of the software, Exchange Server 2003. 

Greenspan, however, argued that the problem has accounted for a large 
amount of unsolicited e-mail. He estimates that spammers in China sent 
at least 100,000 messages through his client's server before he stopped 
the problem. He added that the issue is causing headaches for Exchange 
administrators. 

"It is really inexcusable for a company that claims security is its 
top priority," he said. 
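The behaviour the article describes (a server that rejects the login and then accepts an external recipient anyway) is easy to test for without sending any mail. The following probe is an added example, not code from the article or from Think Computer: it runs EHLO, a deliberately wrong AUTH LOGIN, then MAIL FROM and RCPT TO for an outside domain, and stops at RSET/QUIT before DATA, so nothing is delivered even if the relay is open. Host names, addresses and credentials are placeholders, and the ScriptedSmtp class is a constructed stand-in whose replies imitate the two possible outcomes so the check can be exercised offline.

```python
"""Probe for an SMTP server that keeps relaying after a failed AUTH.

Added example for the Exchange guest-account behaviour described above.
Everything here (hostnames, addresses, credentials, scripted replies) is
constructed for illustration; nothing was captured from a real server.
"""
import base64
import socket


def _reply(conn):
    """Read one SMTP reply, joining continuation lines ('250-...')."""
    lines = []
    while True:
        raw = conn.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] == " ":
            return int(line[:3]), lines


def _cmd(conn, text):
    """Send one command line and return the server's reply code and text."""
    conn.write((text + "\r\n").encode("ascii"))
    return _reply(conn)


def relay_after_failed_auth(conn, helo="probe.example.test",
                            user="nobody", password="wrong-password",
                            mail_from="probe@example.test",
                            rcpt_to="relay-test@example.org"):
    """Fail AUTH on purpose, then see whether an external RCPT TO is accepted.

    'relays' is True only when the login was NOT accepted (no 235) and the
    server still answered 250 to both MAIL FROM and an outside recipient.
    DATA is never sent, so the probe cannot itself deliver a message.
    """
    banner, _ = _reply(conn)
    if banner != 220:
        raise RuntimeError(f"unexpected banner code {banner}")
    code, _ = _cmd(conn, f"EHLO {helo}")
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    auth_code, _ = _cmd(conn, "AUTH LOGIN")
    if auth_code == 334:  # server prompts for the base64 username
        auth_code, _ = _cmd(conn, base64.b64encode(user.encode()).decode())
    if auth_code == 334:  # then the base64 password
        auth_code, _ = _cmd(conn, base64.b64encode(password.encode()).decode())
    mail_code, _ = _cmd(conn, f"MAIL FROM:<{mail_from}>")
    rcpt_code, _ = _cmd(conn, f"RCPT TO:<{rcpt_to}>")
    _cmd(conn, "RSET")   # abandon the envelope before it can become a message
    _cmd(conn, "QUIT")
    return {"auth": auth_code, "mail": mail_code, "rcpt": rcpt_code,
            "relays": auth_code != 235 and mail_code == 250 and rcpt_code == 250}


class _SocketConn:
    """Adapter giving a TCP socket the readline()/write() pair used above."""
    def __init__(self, sock):
        self.sock = sock
        self.reader = sock.makefile("rb")

    def readline(self):
        return self.reader.readline()

    def write(self, data):
        self.sock.sendall(data)


def check_host(host, port=25, **kw):
    """Run the probe against a live server (only one you are authorised to test)."""
    with socket.create_connection((host, port), timeout=20) as sock:
        return relay_after_failed_auth(_SocketConn(sock), **kw)


class ScriptedSmtp:
    """Constructed fake server for offline use; not a real Exchange transcript.

    relays=True imitates a server that answers 535 to the login and then
    250 to an outside recipient; relays=False imitates one that says 550.
    """
    def __init__(self, relays):
        self.relays = relays
        self.sent = []
        self.pending = [b"220 mail.example.test ESMTP\r\n"]
        self.auth_step = 0

    def write(self, data):
        line = data.decode("ascii").rstrip("\r\n")
        self.sent.append(line)
        if self.auth_step:               # inside AUTH LOGIN: user, then password
            self.auth_step += 1
            if self.auth_step == 2:
                self.pending.append(b"334 UGFzc3dvcmQ6\r\n")   # "Password:"
            else:
                self.auth_step = 0
                self.pending.append(b"535 5.7.3 Authentication unsuccessful\r\n")
            return
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self.pending += [b"250-mail.example.test Hello\r\n", b"250 AUTH LOGIN\r\n"]
        elif verb == "AUTH":
            self.auth_step = 1
            self.pending.append(b"334 VXNlcm5hbWU6\r\n")       # "Username:"
        elif verb == "MAIL":
            self.pending.append(b"250 2.1.0 Sender OK\r\n")
        elif verb == "RCPT":
            self.pending.append(b"250 2.1.5 Recipient OK\r\n" if self.relays
                                else b"550 5.7.1 Unable to relay\r\n")
        elif verb == "QUIT":
            self.pending.append(b"221 2.0.0 Bye\r\n")
        else:
            self.pending.append(b"250 2.0.0 OK\r\n")

    def readline(self):
        return self.pending.pop(0) if self.pending else b""


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, relay_after_failed_auth(ScriptedSmtp(relays=flag)))
```

Run check_host() only against servers you administer or are authorised to test; a 250 to the external RCPT TO after a 535 on AUTH is the signature of the problem the article describes, while a 550 (or a 530 demanding authentication first) shows the relay restriction is doing its job.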



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.