foxdn

Please help me figure out

My IP is 207.193.173.85

The listing shows only spamtrap, no reports. I've read most of the FAQs. This is all kinda confusing to me. I was on an open relay black list a few weeks ago. I've patched Windows and Exchange 2000 and enabled strong passwords. Got off the ORBL. I have run tests and am reasonably sure we don't have an open relay.

But I can't seem to get off Spamcop's list. We have clients we can't respond to and we're losing business. Please help me figure out what I'm missing, doing wrong, or whatever. Any comments, questions, or instructions that will lead me in the right direction would be greatly appreciated.

Thanks!

> My IP is 207.193.173.85
>
> The listing shows only spamtrap, no reports. I've read most of the FAQs. This is all kinda confusing to me. I was on an open relay black list a few weeks ago. I've patched Windows and Exchange 2000 and enabled strong passwords. Got off the ORBL. I have run tests and am reasonably sure we don't have an open relay.
>
> But I can't seem to get off Spamcop's list. We have clients we can't respond to and we're losing business. Please help me figure out what I'm missing, doing wrong, or whatever. Any comments, questions, or instructions that will lead me in the right direction would be greatly appreciated.

A null administrator password is anything but strong. I would suggest changing it right away.

If you don't require remote users to be able to relay mail through your server, you should turn off the option that allows authenticated users not in the list of authorised IP addresses to relay. This will stop spammers having any chance of using a similar exploit in the future.


207.193.173.85

220 lsf-exchange.lonestarfasteners.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 19 Oct 2004 12:51:31 -0500

Looks like an SMTP AUTH Hack. The spammers have more control of your machine than you do.

Here is some of the junk coming from your insecure machine......

From scoldedhung[at]netzero.net Mon Oct 18 10:50:48 2004
Delivery-date: Mon, 18 Oct 2004 10:50:48 -0400
Received: from [207.193.173.85] (helo=lsf-exchange.lonestarfasteners.com)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CJYqW-0006ho-1H
    for spamvictim; Mon, 18 Oct 2004 10:50:48 -0400
Received: from abelson ([61.173.50.17] unverified) by lsf-exchange.lonestarfasteners.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 18 Oct 2004 09:50:05 -0500
From: "Christopher Khosrowjah"<scoldedhung[at]netzero.net>
To: spamvictim
Subject: FIND THE MED1lCAT|0N YOU ARE l0OK|NG F0R QUICKI||1Y!
Mime-Version: 1.0
Date: 18 Oct 2004 09:50:07 -0500

Take the machine off the internet until you secure it.

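The Received: chain in the post above is the evidence that matters: the Exchange server accepted a message from an outside address (61.173.50.17, whose HELO name SMTPSVC marked "unverified") and handed it on to a third party, which is exactly what an abused authenticated relay looks like from the recipient's side. As an added example that is not part of the thread, this Python script walks a header block and flags every hop where the server accepted mail from an address outside the ranges its own users submit from; the INTERNAL_NETS ranges are an assumption and the sample headers are a constructed copy of the ones posted.

```python
import re
import ipaddress

# Received: chain as posted in the thread (constructed copy, re-joined into RFC 2822 folded form).
SAMPLE_HEADERS = """\
Received: from [207.193.173.85] (helo=lsf-exchange.lonestarfasteners.com)
\tby mail.victim.example with esmtp (Exim 4.41) id 1CJYqW-0006ho-1H
\tfor spamvictim; Mon, 18 Oct 2004 10:50:48 -0400
Received: from abelson ([61.173.50.17] unverified) by lsf-exchange.lonestarfasteners.com with Microsoft SMTPSVC(5.0.2195.6713);
\tMon, 18 Oct 2004 09:50:05 -0500
"""

OUR_HOST = "lsf-exchange.lonestarfasteners.com"
# Addresses our own users legitimately submit from (assumption: the server's public IP plus a private LAN).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("207.193.173.85/32", "192.168.0.0/16")]


def unfold(headers: str) -> list:
    """Join folded continuation lines (leading space or tab) back onto their header line."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_received(line: str) -> tuple:
    """Return (client_ip, receiving_host, helo_unverified) for one Received: line."""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    by = re.search(r"\bby\s+([^\s;]+)", line)
    # Microsoft SMTPSVC writes 'unverified' when the HELO name does not resolve to the client IP.
    return (ip.group(1) if ip else "", by.group(1) if by else "", "unverified" in line)


def find_relay_abuse(headers: str) -> list:
    """Flag every hop where OUR_HOST accepted mail from an address outside INTERNAL_NETS."""
    findings = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        client_ip, by, unverified = parse_received(line)
        if by.lower() != OUR_HOST or not client_ip:
            continue
        if any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS):
            continue
        note = f"{by} relayed mail for external client {client_ip}"
        findings.append(note + " (HELO unverified)" if unverified else note)
    return findings
```

Run against a mailbox of bounces or abuse reports, a non-empty result from find_relay_abuse() is the signal to pull the SMTP AUTH settings and account list before the server is listed again.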
> A null administrator password is anything but strong. I would suggest changing it right away.
>
> If you don't require remote users to be able to relay mail through your server, you should turn off the option that allows authenticated users not in the list of authorised IP addresses to relay. This will stop spammers having any chance of using a similar exploit in the future.

I thought I'd covered them. Can you tell what I missed?


Does "enabled strong passwords" actually equate to "am using strong passwords" ..???? There's an ocean of difference there. More often than not, the usual "final" solution for the use of an Exchange server on the Internet is to place a *NIX box in between ... let the *NIX box handle the flow of stuff to/from the net (to include firewalling both sides of that connection), leaving the Exchange box to do what it was (allegedly) designed to do .. handle the internal distribution of e-mail. This is not a *NIX rant here, just repeating many other stories of actual solutions.

> I thought I'd covered them. Can you tell what I missed?

First, set an administrator password. This is the local administrator account I'm talking about, not the domain account. Do it now. Run to the machine and do it. Come back and read the rest of the reply once the machine has a password set.

How to disable SMTP AUTH from one of the links in the FAQ:

To disable authentication on these servers, start ESM, and go to Organization, Administrative Groups, Organizational Unit, Servers, ServerName, Protocols, SMTP, and right-click the Default SMTP Virtual Server. Select Properties, open the Access tab, and click Authentication. Leave Anonymous access enabled, but clear the Basic authentication and Integrated Windows Authentication checkboxes. Clearing these checkboxes essentially disables the Auth command on the SMTP server. Enable relaying for other internal Exchange Servers. If you have other internal Exchange Servers, make sure to enable relaying for these servers. On the Access tab, click Relay, select Only the List Below, and explicitly list the internal mail servers that are allowed to relay to this mail server. This action ensures that the internal mail servers can send mail to this server.
Edited by GraemeL

> First, set an administrator password. This is the local administrator account I'm talking about, not the domain account. Do it now. Run to the machine and do it. Come back and read the rest of the reply once the machine has a password set.
>
> How to disable SMTP AUTH from one of the links in the FAQ:

HOLY #$%* ! I can't believe I missed that! I'm embarrassed. I've got a VP with a Handspring device; will disabling SMTP AUTH cut off his email?

> HOLY #$%* ! I can't believe I missed that! I'm embarrassed. I've got a VP with a Handspring device; will disabling SMTP AUTH cut off his email?

Even the best make mistakes sometimes. Glad to see you have it plugged now. You should (hopefully) drop off the list in 48 hours, as I couldn't find any other weak accounts on your box.

If the VP connects to your own network, you don't need SMTP AUTH. If he connects to another ISP/service, then you probably need to leave it enabled. Just make sure that when you install any additional software, it doesn't create any accounts with weak passwords, and you should be OK.

> HOLY #$%* ! I can't believe I missed that! I'm embarrassed.

Not wishing to upset you, but damn .. thanks for that feedback! Imagining the look that went along with that statement has caused the first really good laugh here in weeks. I feel for your pain and am sorry for the learning curve you had to go through, but again ... Thanks! <g>

> Even the best make mistakes sometimes. Glad to see you have it plugged now. You should (hopefully) drop off the list in 48 hours, as I couldn't find any other weak accounts on your box.
>
> If the VP connects to your own network, you don't need SMTP AUTH. If he connects to another ISP/service, then you probably need to leave it enabled. Just make sure that when you install any additional software, it doesn't create any accounts with weak passwords, and you should be OK.

Thank you for your knowledge and assistance! I appreciate your working with me.


At present, http://www.spamcop.net/w3m?action=checkblo...=207.193.173.85 reports "207.193.173.85 not listed in bl.spamcop.net". HOWEVER:

Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to MAPS:

Microsoft Exchange Server

    Status:  Commercial (Microsoft Corp.)

    Systems: Win/NT

    Info:    http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.)

In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine [which was formerly here]. If you're running an older version, it's time to upgrade.

Microsoft has an article on their TechNet site that discusses securing Exchange 2000 and 5.5.

It is also possible that your exchange server may be abused by spammers using the SMTP/AUTH exploit:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

http://www.slipstick.com/exs/relay.htm

http://www.msexchange.org/tutorials/Preven..._Server_55.html
