Other possibilities.

- The DL name is an obvious one that someone would guess (e.g. all@,
  sales@, hr@).
- The DL includes an external recipient and someone sent to the DL with it
  in the To or From field of a message.
- The address was created through a dictionary-generated spam mailing.
- Someone in your org knows how to help you lose 30 lbs in 30 days.

--
Chris Scharff
The Mail Resource Center http://www.Mail-Resources.com
The Home Page for Mail Administrators.

Software pick of the month (Extended Reminders):
http://www.slovaktech.com/extendedreminders.htm
Exchange FAQs:
http://www.swinc.com/resource/exchange.htm


Chris
--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 07, 2002 4:22 PM
> To: Exchange Discussions
> Subject: OWA Enumeration Question
>
>
> Ok, here's the situation: Win2k SP2 with Exchange OWA 5.5
> SP4+2 and IIS 5.0
>
> In the past couple of weeks, we have been getting hit VERY
> hard by SPAM. It didn't really trip my trigger until I saw
> one particular NDR in my postmaster mailbox this morning.
> Upon opening and looking specifically at the distribution
> list, I found that the message was addressed to two different
> SMTP addresses within our organization. One of those
> addresses has been deleted, hence the NDR. The other
> addressee was a hidden DL that was created after 11/8/01, at
> the suggestion of one Mr. Louis Joyce, in a separate thread
> to someone else (see "RE: email to a deleted mailbox").
>
> Now...there are three ways I can think of that someone has
> gotten ahold of our enumerated GAL:
>
> 1. They enumerated our GAL through the OWA, ala "MS01-047 :
> OWA Function Allows Unauthenticated User to Enumerate Global
> Address List". This is Q307195. We have grepped the log
> files as far back as 07/01/01 on the OWA server, and can find
> no indication that this vulnerability has been exploited on
> our server. In the Add/Remove Programs, it doesn't show this
> hotfix as having been installed, but it does show hotfix
> Q313576 as having been installed and Q307195 is an included
> hotfix (I would say we could rule that option out).
>
> 2. We are one site in a two site organization, with the
> other site being the parent site. Therefore, all recipients
> in our GAL replicate to their GAL. So...the exploit
> described in #1 could be performed from their OWA site if the
> patch hasn't been applied, with the same results (Don't know
> their status yet).
>
> 3. Someone from within our company or theirs has enumerated
> the GAL and is selling it to outside sources.
>
> Have I left any possibilities out?
>
> James H (Jim) Blunt
> Network / Microsoft Exchange Admin.
> Network & Infrastructure Group
> Bechtel Hanford, Inc.
> 509-372-9188

