jbowencpe

Exch 5.5 SP3 - SMTP authenticated as a user that doesn't exist?!

Exchange 5.5, SP3

After turning into a spam relay last week, I corrected the problem and have been monitoring the SMTP logs.  It appears that people are able to authenticate with the SMTP server, using usernames that don't exist.  Examples from the SMTP Interface Event log include:

Refused to relay <doreen@cta.cq.cn> for 218.70.149.199 (218.70.149.199).  
Client was authenticated as \Username:.

or
...
Client was authenticated as \admin.

or
...
Client was authenticated as \www.

or
...
Client was authenticated as \root.   ... etc, etc


When the spam problem started, I had Exchange set to relay messages by users that successfully authenticate.  Well, this worked great for months until the recent problem arose.  I can't figure out how they're able to spoof authentication with a fake username.  Any help is greatly appreciated.

Justin
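One way to triage the "Client was authenticated as \..." events quoted above is to pull the authenticated user name and source IP out of each line and flag any user that is not a real, expected account. This is an added example, not code from the original thread or from Exchange; the sample log lines are constructed to mirror the quoted format, and the list of expected accounts is an assumption you would replace with your own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SMTP Interface Event log
# excerpts quoted in the question (addresses and names are made up).
SAMPLE_LOG = """\
Refused to relay <doreen@cta.cq.cn> for 218.70.149.199 (218.70.149.199).  Client was authenticated as \\Username:.
Refused to relay <bob@example.test> for 218.70.149.199 (218.70.149.199).  Client was authenticated as \\admin.
Refused to relay <carol@example.test> for 203.0.113.7 (203.0.113.7).  Client was authenticated as \\root.
Refused to relay <dave@example.test> for 203.0.113.7 (203.0.113.7).  Client was authenticated as \\guest.
Refused to relay <erin@example.test> for 192.0.2.10 (192.0.2.10).  Client was authenticated as \\jbowen.
"""

# Assumption: the accounts that are actually allowed to authenticate for relay.
KNOWN_USERS = {"jbowen"}

# Recipient, connecting IP and the user name the IMC says it authenticated.
LINE_RE = re.compile(
    r"Refused to relay <(?P<rcpt>[^>]*)> for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\([^)]*\)\.\s+Client was authenticated as \\(?P<user>.+?)\.?\s*$"
)


def parse_line(line):
    """Return a dict with rcpt, ip and user for one log line, or None if it doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"rcpt": m["rcpt"], "ip": m["ip"], "user": m["user"]}


def suspicious_auths(log_text, known_users):
    """Events whose authenticated user is not one of the expected accounts (case-insensitive)."""
    known = {u.lower() for u in known_users}
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return [e for e in events if e["user"].lower() not in known]


def attempts_by_ip(events):
    """Count flagged events per source IP, to see which hosts to block or report."""
    return Counter(e["ip"] for e in events)


if __name__ == "__main__":
    flagged = suspicious_auths(SAMPLE_LOG, KNOWN_USERS)
    for e in flagged:
        print(f"{e['ip']:>16}  authenticated as {e['user']!r}")
    print(attempts_by_ip(flagged))
```

Any user name that turns up here but is not a real account (or is a disabled one such as guest) points at the account the relay attempts are actually using, which is what the successful-logon audit later in the thread confirmed.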
ASKER CERTIFIED SOLUTION
OneHump

jbowencpe

ASKER

I'm definitely not relaying currently, as I see lots of rejected relay attempts in the application log.  What concerns me about these false authentications, however, is that they actually can relay when Exchange is configured to relay only when a client successfully authenticates.  I will turn on auditing and see what that shows.  Thanks for the tip.
Once you find out who it is that is doing this, I would block the offending IPs and consider contacting their ISP.  You can get ISP information for an IP address at http://www.arin.net/whois.


OneHump
Well, I figured it out - thanks, OneHump.  I started logging successful logins and sure enough they were using the (now disabled) guest account to authenticate and then relay.  I've shut that off and haven't seen any more successful SMTP authentications from bogus usernames.  I'm going to check the logs after the weekend to be completely sure before opening the server back up to relay upon successful authentication.
Excellent, nice work.

OneHump
Um, I think it more likely that the spammers were using a flaw in the Exchange 5.5 IMC that allowed relaying without correctly checking a username's password - i.e. administrator, local administrator account, etc.

The details are presented at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-011.asp

The fix is a post SP4 IMC patch.

Once applied, the agents attempting to send mail using the accounts give the errors in the event logs that you describe (as long as a suitable level of diagnostic logging is enabled in the IMC).

Did you apply post SP4 IMC patches as part of your solution?

P
Our Exchange Server had the same problem: Obvious spam relays, but not an open relay, no virus, all the latest patches. I did find that the enabled Guest account had a weak password "guest" and could easily be used to authenticate for relay. I immediately disabled Guest.

Now I am concerned about the other built-in accounts on 2000 being used in the same manner by spammers. Do I need to disable IUSR_server-name, IWAM_server-name, Small Business Admin, Small Business User, etc.?

Our 2000 server also runs IIS and ISA for our Web Server and local proxy.  The server was installed and configured before I arrived by someone with little MS Network experience. I am slowly getting a handle on all the vulnerabilities they left behind and cleaning up.

Any advice would be appreciated.

Jon