Exchange WILL relay for authenticated users (by default), and it doesn't
have to be the guest account (though that is a common attack).

Have you left your Administrator account named Administrator? Do you
"leak" user IDs to the outside world? Web pages? Email addresses? IM
aliases? Backups run under the user ID "backup"?

Dictionary password attack. Spammers have lots of patience.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Deckler
Sent: Thursday, December 18, 2003 12:11 PM
To: Exchange Discussions
Subject: RE: Open Relay/Spamcop


This may very well be the case. I cannot say one way or another. When I
have seen this, it has always been the case that I am there fixing
something else and happen upon this problem, fix it and move on. I DO
know that I have seen it on boxes where the Guest account is disabled,
but that does not rule out the possibility that some other account was
compromised.

> However, I would welcome any information that proves me otherwise.
> i.e. configure these settings, with the guest account disabled, and
> prove that it actually will relay - not authenticated relay, that
> doesn't count.  If it is authenticated relay, it is because a password
> was compromised.
>
>
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -----Original Message-----
> From: Ben Winzenz
> Posted At: Thursday, December 18, 2003 11:48 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> I still think you are smoking crack on this, Greg.  I have never seen
> a properly configured Exchange 2000 server relay UNLESS a user account
> was compromised, or the guest account was enabled.  I've tested it and
> tested again, and never found Exchange to relay with those settings.
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -----Original Message-----
> From: Greg Deckler [mailto:[EMAIL PROTECTED]
> Posted At: Thursday, December 18, 2003 11:37 AM
> Posted To: Exchange (Swynk)
> Conversation: Open Relay/Spamcop
> Subject: RE: Open Relay/Spamcop
> 
> 
> Hey, thanks for the confirmation. People have told me that I am 
> smoking crack and that the Exchange servers were horribly 
> misconfigured. It's nice to know that I am not smoking crack.
> 
> > I concur with Greg ... our server had those settings and we were being
> > used as a relay ... turned off "Allow all computers which successfully
> > authenticate to relay, regardless of the list above." and that stopped
> > it ...
> >
> > Mike
> >
> >
> > -----Original Message-----
> > From: Greg Deckler [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 18, 2003 11:17 AM
> > To: Exchange Discussions
> > Subject: Re: Open Relay/Spamcop
> >
> >
> > This may or may not be the problem, but I have seen spammers able to
> > relay off an Exchange server if the following configuration applies:
> >
> > 1. If "Anonymous access" is turned on. SMTP Virtual Server properties,
> >    Access page, Authentication.
> > 2. And, "Allow all computers which successfully authenticate to relay,
> >    regardless of the list above." is checked. SMTP Virtual Server
> >    properties, Access page, Relay.
> >
> > > Hello All and Happy Holidays!
> > >
> > > I have a colleague whose Exchange 2000 server is being reported as Open
> > > Relay by spamcop for the past month.  I have tested his relay by
> > > setting up a POP account in Outlook, putting the server that is being
> > > reported as Open relay as my Outgoing SMTP server.
> > >
> > > When I try to send a message using Outlook, I get a return message that
> > > 550 5.7.1 Unable to relay.  I am relieved that it could not relay.
> > > That is good, however, why then is spamcop still reporting it to be
> > > open relay?
> > >
> > > I have checked (over the phone) all his Virtual SMTP Server settings
> > > to verify correct configuration.  Everything seems to be "checked" or
> > > "unchecked" as recommended by Microsoft.
> > >
> > > We have Stopped/Started Services for SMTP
> > >
> > > The Exchange 2000 server is behind a NAT and I have looked into the
> > > possibility of this.  I have been out on the spamcop site and for the
> > > life of me cannot find a way to make them check the server again to
> > > see if it is closed relay like ORDB does.
> > >
> > > Any ideas or comments????
> > >
> > > Samantha Bridges
> > > Communications Technician
> > > Macomb Intermediate School District
> > > 44001 Garfield Road
> > > Clinton Township  MI  48038-1100
> > > (586) 228-3300
> > >
> > > [EMAIL PROTECTED]
> > > http://www.misd.net
> > >
> > > CONFIDENTIALITY NOTICE: This email message, including any attachments,
> > > is for the sole use of the intended recipient(s) and may contain
> > > confidential and privileged information. Any unauthorized review, use,
> > > disclosure or distribution is prohibited. If you are not the intended
> > > recipient, please contact the sender by reply email and destroy all
> > > copies of the original message.
> > >
> >
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:
> > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
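
An added example, not part of the original thread: one way to look for the pattern the first message describes, where a run of failed SMTP logins from one client is followed by a successful login and mail to outside domains. The event tuples, the `LOCAL_DOMAINS` set and the threshold are assumptions constructed for illustration and do not reflect a real Exchange log format.

```python
from collections import defaultdict

# Constructed sample events in a simplified form (not a real Exchange log
# format): (time, client_ip, event, detail).
SAMPLE_EVENTS = [
    ("12:00:01", "203.0.113.9", "AUTH_FAIL", "administrator"),
    ("12:00:02", "203.0.113.9", "AUTH_FAIL", "guest"),
    ("12:00:03", "203.0.113.9", "AUTH_FAIL", "backup"),
    ("12:00:04", "203.0.113.9", "AUTH_OK", "backup"),
    ("12:00:05", "203.0.113.9", "RCPT", "a@example.net"),
    ("12:00:06", "203.0.113.9", "RCPT", "b@example.com"),
    ("12:01:00", "198.51.100.20", "AUTH_OK", "jsmith"),
    ("12:01:01", "198.51.100.20", "RCPT", "friend@example.net"),
    ("12:02:00", "192.0.2.5", "RCPT", "jsmith@example.org"),
]
LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server hosts


def find_abused_accounts(events, local_domains, fail_threshold=3):
    """Flag accounts that logged in after repeated failures from the same
    client and were then used to send to non-local (relayed) recipients."""
    failures = defaultdict(int)  # client_ip -> failed AUTH attempts so far
    sessions = {}                # client_ip -> (account, failures before success)
    findings = {}
    for _time, ip, event, detail in events:
        if event == "AUTH_FAIL":
            failures[ip] += 1
        elif event == "AUTH_OK":
            sessions[ip] = (detail, failures[ip])
        elif event == "RCPT" and ip in sessions:
            account, fails = sessions[ip]
            domain = detail.rsplit("@", 1)[-1].lower()
            # Authenticated relay on its own is normal; the signal is a
            # guessing run followed by relay to outside domains.
            if fails >= fail_threshold and domain not in local_domains:
                hit = findings.setdefault(
                    account,
                    {"ip": ip, "failures_before": fails, "external_rcpts": 0},
                )
                hit["external_rcpts"] += 1
    return findings


if __name__ == "__main__":
    for account, info in find_abused_accounts(SAMPLE_EVENTS, LOCAL_DOMAINS).items():
        print(account, info)
```

The legitimate authenticated sender and the anonymous inbound delivery in the sample are not flagged; only the account reached after the guessing run is.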
