Firewall Wizards mailing list archives
Mail server security (Was: Re: [OT] tcpdump parsing)
From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 18:21:12 -0400
Thus spake Austin, Greg (gaustin () RKON com) [08/10/03 18:11]:
> What sort of mail system is it? Does the system in question support relaying for authenticated hosts? If so, I've seen a recent spate of people who aren't configured to relay being used as relays when configured this way.

I've seen all *sorts* of different ways to relay spam (I'm an admin at a small ISP). One of them is abusing the AUTH LOGIN bug, then there's open proxies and relays, trojans, etc. What's got me stumped is that they have *no* open ports, other than the default Windows port (again, three port scans confirmed this), which is why I moved to the network dump. This is /not/ a mail system in question; it's a home user's connection.

> I've seen this a half dozen times in the last few months, and in every case I've found successful bogus authlogins from hosts in China and other odd places in my sniffer traces. Usually the local admin account on the box had a brilliant password like "administrator" or <blank>. Incidentally, these were all Exchange boxes patched up to the latest. Can't blame MS for the poor password choices though. Anyway, in case

I've found this as well in a number of locations. It's a right PITA, trying to find an open relay where one doesn't exist (technically). I've chastised a couple of remote sites for poor password choices. This makes me wonder if the SMTP AUTH holy grail that's being touted in inet-access and NANOG is more trouble than it will be worth. I'm all for authenticated SMTP, but until the security industry can find a way for end users to have a simple, secure way of authenticating themselves, I just don't think it's going to cut it. It's one thing for a hax0r to break into an end user's account and start faking newsgroup/Yahoo! Groups posts as the user. It's another entirely when someone brute forces your user base (and in 10k users, they're *bound* to find a couple of easy-to-guess passwords) and starts relaying spam through you like there's no tomorrow. And this is no home connection, either. If they SLIP/SSH into a Unix prompt at another ISP, they could have 50+Mbps at their hands for relaying spam. That's a *heck* of a lot of e-mail. Yes, yes, I know. Secure password policy. A debate I don't want to enter right now.

> this applied to your situation I thought I'd chip in with this bit. If it doesn't apply, ignore me (a good choice in most cases anyway).

Ditto.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
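As an added defender's example (not from either poster), a small Python check over constructed log lines of the kind Greg describes seeing in his sniffer traces: a successful AUTH from a source that has just failed repeatedly is the signature of a guessed password rather than a typed one. The "ts src user result" log format, the sample addresses and the threshold are assumptions; real MTA logs would need their own regex.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "ts src user result" format
# (not any real MTA's log format); the detector only needs those four fields.
SAMPLE_LOG = """\
2003-10-08T17:02:11 203.0.113.7 administrator AUTH_FAIL
2003-10-08T17:02:12 203.0.113.7 administrator AUTH_FAIL
2003-10-08T17:02:13 203.0.113.7 administrator AUTH_FAIL
2003-10-08T17:02:14 203.0.113.7 administrator AUTH_FAIL
2003-10-08T17:02:15 203.0.113.7 administrator AUTH_FAIL
2003-10-08T17:02:16 203.0.113.7 administrator AUTH_OK
2003-10-08T17:05:01 198.51.100.9 jsmith AUTH_OK
2003-10-08T17:06:40 192.0.2.44 bob AUTH_FAIL
2003-10-08T17:06:55 192.0.2.44 bob AUTH_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<result>AUTH_OK|AUTH_FAIL)$"
)


def find_guessed_logins(log_text, fail_threshold=3):
    """Return (src, user, failures_before_success) for every successful AUTH
    preceded by at least `fail_threshold` failures from the same source
    address. Failures are counted per source, not per user, so a scan that
    walks a whole user base from one host is still caught."""
    fails = defaultdict(int)   # src -> failures since that source's last success
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AUTH event; ignore
        src, user, result = m["src"], m["user"], m["result"]
        if result == "AUTH_FAIL":
            fails[src] += 1
        else:
            if fails[src] >= fail_threshold:
                hits.append((src, user, fails[src]))
            fails[src] = 0  # a success resets the counter for that source
    return hits


if __name__ == "__main__":
    for src, user, n in find_guessed_logins(SAMPLE_LOG):
        print(f"{src}: AUTH_OK as {user} after {n} failures")
```

With the default threshold only the "administrator" login after five failures is reported; bob's single typo is ignored.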