[Dshield] New Relay Exploit?

Stephane Grobety security at admin.fulgan.com
Wed Jan 7 10:50:20 GMT 2004

>> In the past few days, someone has been able to relay through my site, even
>> though whenever I test it from the abuse.net website, relaying
>> seems to be blocked correctly. 

CB> Based on your e-mail headers, it looks like you are running Exchange
CB> 5.5. There is a known bug with the SMTP MTA that allows people to spam
CB> mail through your server. I believe it has to do with the guest account.
CB> I also seem to remember it's something that MS can't/will not fix so you
CB> need to put an SMTP relay in front of the box to lock it down. 

The problem is that if you have the guest account enabled (maybe as
the result from codered) and if you haven't denied SMTP AUTH, then all
a spammer needs to do in order to relay spam is send the AUTH LOGIN
string: since AUTH has been "run" and since a "matching" account was
found (blank user with blank password = guest) then it will relay.

Disable the guest account (there is no reason why it should be
enabled) and you're fixed.

Best regards,
 Stephane                            mailto:security at admin.fulgan.com
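
A log check that follows from the description above, as an added example that is not part of the original message: it scans one SMTP session transcript for an AUTH LOGIN exchange where both the username and password responses are empty and the server still answers 235, then lists the recipients accepted afterwards. The `C:`/`S:` transcript layout, the function names and the sample sessions are assumptions constructed for illustration, not an Exchange log format.

```python
import base64
import binascii

def _decode(b64):
    """Decode one AUTH LOGIN response; None if it is not valid base64."""
    if b64 == "=":  # SASL spelling of a zero-length initial response
        return ""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_blank_auth(lines):
    """Return (blank_auth_accepted, recipients_accepted_afterwards)."""
    creds, in_auth, blank_ok = [], False, False
    pending_rcpt, relayed = None, []
    for raw in lines:
        side, _, text = raw.partition(":")
        side, text = side.strip(), text.strip()
        if side == "C":
            if text.upper().startswith("AUTH LOGIN"):
                in_auth, creds = True, []
                initial = text[10:].strip()
                if initial:
                    creds.append(_decode(initial))
            elif in_auth:
                creds.append(_decode(text))  # reply to a 334 prompt
            elif text.upper().startswith("RCPT TO:"):
                pending_rcpt = text[8:].strip()
        elif side == "S":
            code = text[:3]
            if in_auth and code != "334":  # final answer to the AUTH exchange
                blank_ok = blank_ok or (code == "235" and creds == ["", ""])
                in_auth = False
            elif pending_rcpt is not None:
                if code == "250" and blank_ok:
                    relayed.append(pending_rcpt)
                pending_rcpt = None
    return blank_ok, relayed

def session(user_b64, pass_b64, auth_reply):
    """Constructed sample transcript (not a real capture)."""
    return ["S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
            "S: 250 AUTH LOGIN", "C: AUTH LOGIN",
            "S: 334 VXNlcm5hbWU6", "C: " + user_b64,
            "S: 334 UGFzc3dvcmQ6", "C: " + pass_b64,
            "S: " + auth_reply, "C: MAIL FROM:<a@example.test>", "S: 250 OK",
            "C: RCPT TO:<b@elsewhere.example>", "S: 250 OK"]
```

A session that returns `True` with a non-empty recipient list is the pattern to look for on a server where the guest account may still be enabled.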

