Firewall Wizards mailing list archives

Mail server security (Was: Re: [OT] tcpdump parsing)


From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 18:21:12 -0400

Thus spake Austin, Greg (gaustin () RKON com) [08/10/03 18:11]:
> What sort of mail system is it?  Does the system in question support
> relaying for authenticated hosts?  If so I've seen a recent spate of
> people who aren't configured to relay being used as relays when
> configured this way.

I've seen all *sorts* of different ways to relay spam (I'm an admin at a
small ISP).  One of them is abusing the AUTH LOGIN bug, then there's open
proxies and relays, trojans, etc.

What's got me stumped is that they have *no* open ports, other than the
default Windows port (again, three port scans confirmed this).  Which is why
I moved to the network dump.

This is /not/ a mail system in question, it's a home users connection.

> I've seen this a half dozen times in the last few months, and in every
> case I've found successful bogus authlogins from hosts in China and
> other odd places in my sniffer traces.  Usually the local admin account
> on the box had a brilliant password like "administrator" or <blank>.
> Incidentally, these were all Exchange boxes patched up to the latest.
> Can't blame MS for the poor password choices though.  Anyway, in case

I've found this as well in a number of locations.  It's a right PITA, trying
to find an open relay where one doesn't exist (technically).  I've chastised
a couple of remote sites for poor password choices.

This makes me wonder if the SMTP AUTH holy grail that's being touted in
inet-access and NANOG is more trouble than it will be worth.  I'm all for
authenticated SMTP, but until the security industry can find a way for end
users to have a simple, secure way of authenticating themselves, I just
don't think it's going to cut it.

It's one thing for a hax0r to break into an end user's account and start
faking newsgroup/Yahoo! Groups posts as the user.  It's another entirely
when someone brute forces your user base (and in 10k users, they're *bound*
to find a couple of easy-to-guess passwords) and starts relaying spam
through you like there's no tomorrow.

And this is no home connection, either.  If they SLIP/SSH into a Unix prompt
at another ISP, they could have 50+Mbps at their hands for relaying spam.
That's a *heck* of a lot of e-mail.

Yes, yes, I know.  Secure password policy.  A debate I don't want to enter
right now.

> this applied to your situation I thought I'd chip in with this bit.  If
> it doesn't apply, ignore me (a good choice in most cases anyway).

Ditto.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
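The check Greg describes above (pulling the AUTH LOGIN exchanges out of sniffer traces and looking for bogus logins from odd places with trivial passwords) is easy to automate once the TCP streams are rendered as text. What follows is an added example, not code posted by anyone in this thread: a Python script that decodes AUTH LOGIN exchanges from C:/S: transcripts, tallies failures and successes per source address, and flags sources that look like password guessing or where a guess was accepted. The three sample sessions, the documentation-range addresses, the weak-password list and the failure threshold are all constructed assumptions for the demonstration.

```python
import base64
from collections import defaultdict, namedtuple

# Assumed list of trivially weak passwords (not from the thread); extend as needed.
WEAK_PASSWORDS = {"", "password", "admin", "administrator", "123456", "letmein"}
AuthAttempt = namedtuple("AuthAttempt", "source username password success")

def decode_b64(s):
    """Decode one base64 AUTH LOGIN response; None if it is not valid base64
    (e.g. the '*' a client sends to abort the exchange)."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def parse_auth_logins(source, lines):
    """Return one AuthAttempt per AUTH LOGIN exchange in a C:/S: transcript.
    Handles the two-challenge form (334 Username:, 334 Password:) and the
    initial-response form 'AUTH LOGIN <base64 username>'."""
    attempts, state, user, pw = [], None, None, None
    for line in lines:
        who, _, payload = line.partition(": ")
        if who == "C" and payload.upper().startswith("AUTH LOGIN"):
            parts, user, pw = payload.split(), None, None
            state = "user"
            if len(parts) == 3:                       # username supplied inline
                user = decode_b64(parts[2])
                state = "pass" if user is not None else None
        elif who == "C" and state == "user":
            user = decode_b64(payload)
            state = "pass" if user is not None else None
        elif who == "C" and state == "pass":
            pw = decode_b64(payload)
            state = "result" if pw is not None else None
        elif who == "S" and state == "result":
            code = payload[:3]
            if code == "235" or code[:1] in ("4", "5"):
                attempts.append(AuthAttempt(source, user, pw, code == "235"))
                state = None
    return attempts

def is_weak(username, password):
    return password.lower() in WEAK_PASSWORDS or password.lower() == username.lower()

def summarize(sessions):
    """Per-source counts of failed/successful AUTH LOGINs and accepted weak creds."""
    per_source = defaultdict(lambda: {"fail": 0, "success": 0, "weak": []})
    for source, lines in sessions:
        for a in parse_auth_logins(source, lines):
            s = per_source[a.source]
            s["success" if a.success else "fail"] += 1
            if a.success and is_weak(a.username, a.password):
                s["weak"].append((a.username, a.password))
    return dict(per_source)

def flag_sources(summary, fail_threshold=3):
    """Return {source: [reasons]} where the AUTH LOGIN pattern looks like password
    guessing or a guess was accepted.  The threshold is an assumed value."""
    flags = {}
    for src, s in summary.items():
        reasons = []
        if s["fail"] >= fail_threshold:
            reasons.append(f"{s['fail']} failed AUTH LOGIN attempts")
        if s["success"] and s["fail"]:
            reasons.append("success after failures: a guess was accepted")
        reasons += [f"weak password {p!r} accepted for {u!r}" for u, p in s["weak"]]
        if reasons:
            flags[src] = reasons
    return flags

def b64(s):
    """Used only to build the constructed sample transcripts below."""
    return base64.b64encode(s.encode()).decode()

USER, PASS, OK, FAIL = ("S: 334 VXNlcm5hbWU6", "S: 334 UGFzc3dvcmQ6",   # "Username:" / "Password:"
                        "S: 235 Authentication successful", "S: 535 Authentication failed")

# Constructed sample: three SMTP sessions rendered as C:/S: lines, as one would get
# by following TCP streams in a capture.  Documentation-range addresses, not real data.
SESSIONS = [
    ("203.0.113.7", [                                   # guesses until a trivial password works
        "C: AUTH LOGIN", USER, "C: " + b64("administrator"), PASS, "C: " + b64("password"), FAIL,
        "C: AUTH LOGIN", USER, "C: " + b64("administrator"), PASS, "C: " + b64(""), FAIL,
        "C: AUTH LOGIN " + b64("administrator"), PASS, "C: " + b64("administrator"), OK,
        "C: MAIL FROM:<bogus@example.org>",
    ]),
    ("198.51.100.23", [                                 # legitimate user, first try
        "C: AUTH LOGIN", USER, "C: " + b64("jdoe"), PASS, "C: " + b64("Qx7!m-vortex-22"), OK,
    ]),
    ("192.0.2.99", [                                    # pure guessing, nothing accepted
        line for pw in ("123456", "letmein", "admin", "qwerty") for line in
        ("C: AUTH LOGIN", USER, "C: " + b64("postmaster"), PASS, "C: " + b64(pw), FAIL)
    ]),
]

if __name__ == "__main__":
    for src, reasons in flag_sources(summarize(SESSIONS)).items():
        print(src, "->", "; ".join(reasons))
```

Run as-is it reports the first and third sources and stays quiet about the legitimate user. The point of decoding the credentials rather than just counting 535s is the one made in the thread: a 235 after a run of failures, or a 235 with a password equal to the username or blank, is the relay being handed over, and that is what to chastise the remote site about.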

