Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5 SP4+2 and IIS 5.0
In the past couple of weeks, we have been getting hit VERY hard by SPAM. It didn't really trip my trigger until I saw one particular NDR in my postmaster mailbox this morning. Upon opening and looking specifically at the distribution list, I found that the message was addressed to two different SMTP addresses within our organization. One of those addresses has been deleted, hence the NDR. The other addressee was a hidden DL that was created after 11/8/01, at the suggestion of one Mr. Louis Joyce, in a separate thread to someone else (see "RE: email to a deleted mailbox").

Now... there are three ways I can think of that someone has gotten ahold of our enumerated GAL:

1. They enumerated our GAL through the OWA, ala "MS01-047 : OWA Function Allows Unauthenticated User to Enumerate Global Address List". This is Q307195. We have grepped the log files as far back as 07/01/01 on the OWA server, and can find no indication that this vulnerability has been exploited on our server. In the Add/Remove Programs, it doesn't show this hotfix as having been installed, but it does show hotfix Q313576 as having been installed and Q307195 is an included hotfix (I would say we could rule that option out).

2. We are one site in a two site organization, with the other site being the parent site. Therefore, all recipients in our GAL replicate to their GAL. So... the exploit described in #1 could be performed from their OWA site if the patch hasn't been applied, with the same results (Don't know their status yet).

3. Someone from within our company or theirs has enumerated the GAL and is selling it to outside sources.

Have I left any possibilities out?

James H (Jim) Blunt
Network / Microsoft Exchange Admin.
Network & Infrastructure Group
Bechtel Hanford, Inc.
509-372-9188