[Dshield] New Relay Exploit?

Sue Young smy at gcmlp.com
Wed Jan 7 02:45:02 GMT 2004


I'm on Exchange 5.5 SP4 running on Win2k SP4. I think I have all Exchange
hotfixes available. I recently rebuilt the server and patched it to the
hilt - there haven't been any major releases since I rebuilt it.

Sue Young 

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Troy Billington
Sent: Tuesday, January 06, 2004 4:39 PM
To: General DShield Discussion List
Subject: RE: [Dshield] New Relay Exploit?



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Sue Young
Sent: Tuesday, January 06, 2004 5:27 PM
To: list at dshield.org
Subject: [Dshield] New Relay Exploit?


In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying seems to be
blocked correctly.  Luckily, it hasn't been a lot of messages but it has
been enough to get us blacklisted by spamcop.

I've reset our Exchange server to not allow relaying.  I did have it set to
only relay for authenticated hosts, then I realized there would be no
reason for anyone to relay so I set it to only relay from a list of IP
addresses and left the list blank.
After I did that, it looked like the following message came through anyway.
I blocked their class C and it seemed to stop it.  Before I made this
change, I tested for a relay on abuse.net and it was ok.  The only thing my
server will relay is mail to an internal domain.

Can anyone tell me what they're exploiting?  The headers on the messages
look normal - it's getting the message from a dsl connection in Mexico and
relaying all over the world.  This should not be possible.

Thanks,

Sue Young

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
----------------------------------------------------------------------------

Hi Sue,

Can you tell me what version of Exchange you're using and also what
service packs/hotfixes you have applied?
You can mail me: doshelp at doshelp.com if you would like to continue this off
the list.

