Ok, here's the situation:  Win2k SP2 with Exchange OWA 5.5 SP4+2 and IIS 5.0

In the past couple of weeks, we have been getting hit VERY hard by SPAM.  It
didn't really trip my trigger until I saw one particular NDR in my
postmaster mailbox this morning.  Upon opening and looking specifically at
the distribution list, I found that the message was addressed to two
different SMTP addresses within our organization. One of those addresses has
been deleted, hence the NDR.  The other addressee was a hidden DL that was
created after 11/8/01, at the suggestion of one Mr. Louis Joyce, in a
separate thread to someone else (see "RE: email to a deleted mailbox").

Now...there are three ways I can think of that someone has gotten ahold of
our enumerated GAL:

1.  They enumerated our GAL through the OWA, ala "MS01-047 : OWA Function
Allows Unauthenticated User to Enumerate Global Address List".  This is
Q307195.  We have grepped the log files as far back as 07/01/01 on the OWA
server, and can find no indication that this vulnerability has been
exploited on our server.  In the Add/Remove Programs, it doesn't show this
hotfix as having been installed, but it does show hotfix Q313576 as having
been installed and Q307195 is an included hotfix (I would say we could rule
that option out).

2.  We are one site in a two site organization, with the other site being
the parent site.  Therefore, all recipients in our GAL replicate to their
GAL.  So...the exploit described in #1 could be performed from their OWA
site if the patch hasn't been applied, with the same results (Don't know
their status yet).

3.  Someone from within our company or theirs has enumerated the GAL and is
selling it to outside sources.

Have I left any possibilities out?

James H (Jim) Blunt
Network / Microsoft Exchange Admin.
Network & Infrastructure Group
Bechtel Hanford, Inc.

List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]

Reply via email to