• Status: Solved

Can send internal messages from remote telnet session (Exchange 2003)

I have an Exchange 2003 server, and for some reason I can telnet into it from outside and send a message from an INTERNAL user to an INTERNAL user, with no Auth required.

If I try to send to an external user then I get the 'unable to relay' message (as expected).

I have looked at the security permissions on the smtp V server, mailstore and individual users and everything looks normal!

How could Exchange be allowing this?
Asked: ma77smith
1 Solution
 
Sembee commented:
Why would you expect Exchange to stop that?
What you have done is what spammers have been doing for years - spoofing.
Exchange accepts the email because it is sent to an address it is responsible for. Who the message is from, Exchange doesn't care, because there is nothing in SMTP to stop the message from being sent.

Instead of the From being an internal user, you could have used bill.gates@microsoft.com - the effect would be the same.

Simon.
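The session Simon describes, as an added example that is not part of the original thread and not Exchange code: a small Python model of an SMTP virtual server with anonymous access on and relaying refused for any domain it is not responsible for, driven by the two sessions from the question (internal sender to internal recipient, then internal sender to external recipient). The domain company.com, the addresses, the source IP and the reply wording are assumptions; the wording only approximates what Exchange 2003 returns.

```python
"""Why the telnet test in the question succeeds.

Constructed model, not Exchange code.  MAIL FROM is accepted from anyone
with no AUTH; RCPT TO is accepted when the domain is one the server is
responsible for; anything else gets "unable to relay".  Reply texts are
assumed approximations of Exchange 2003's.
"""

LOCAL_DOMAINS = {"company.com"}      # domains this server accepts mail for (assumed)


def _address(arg):
    """Pull the bare address out of 'FROM:<a@b>' / 'TO:<a@b>'."""
    return arg.split(":", 1)[1].strip().strip("<>")


def smtp_session(client_lines, local_domains=LOCAL_DOMAINS):
    """Feed client lines to a simulated unauthenticated SMTP virtual server.
    Returns (client_line, server_reply) pairs, i.e. the full transcript."""
    transcript, recipients, in_data = [], [], False
    for line in client_lines:
        if in_data:                          # message body until a lone "."
            if line == ".":
                in_data = False
                transcript.append((line, "250 2.6.0 Queued mail for delivery"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.company.com Hello [%s]" % arg
        elif verb == "MAIL":
            # The sender is never checked against a logon: nothing in SMTP
            # stops the message, so any From address is accepted as-is.
            reply = "250 2.1.0 %s....Sender OK" % _address(arg)
        elif verb == "RCPT":
            rcpt = _address(arg)
            if rcpt.rpartition("@")[2].lower() in local_domains:
                recipients.append(rcpt)          # local mailbox: accepted
                reply = "250 2.1.5 %s" % rcpt
            else:                                # not ours: the relay check fires
                reply = "550 5.7.1 Unable to relay for %s" % rcpt
        elif verb == "DATA":
            if recipients:
                in_data = True
                reply = "354 Start mail input; end with <CRLF>.<CRLF>"
            else:
                reply = "503 5.5.2 Need Rcpt command"
        elif verb == "QUIT":
            reply = "221 2.0.0 mail.company.com Service closing transmission channel"
        else:
            reply = "500 5.5.1 Command unrecognized"
        transcript.append((line, reply))
    return transcript


def spoof_internal():
    """The session from the question: outside host, internal From, internal To."""
    return smtp_session([
        "HELO 12.1.1.22",                       # assumed home IP
        "MAIL FROM:<ceo@company.com>",
        "RCPT TO:<cfo@company.com>",
        "DATA",
        "From: ceo@company.com",
        "To: cfo@company.com",
        "Subject: test",
        "",
        "Sent from outside with no authentication.",
        ".",
        "QUIT",
    ])


def relay_attempt():
    """Same session but addressed outside: the relay check refuses it."""
    return smtp_session([
        "HELO 12.1.1.22",
        "MAIL FROM:<ceo@company.com>",
        "RCPT TO:<someone@example.net>",
        "DATA",
        "QUIT",
    ])


def replies(transcript, verb):
    """Server replies to every client line starting with `verb`."""
    return [r for c, r in transcript if c.upper().startswith(verb)]


if __name__ == "__main__":
    for label, t in (("internal -> internal", spoof_internal()),
                     ("internal -> external", relay_attempt())):
        print("== %s" % label)
        for client, server in t:
            print("C: %s\nS: %s" % (client, server))
```

Running it prints both transcripts: the first is queued for delivery with every reply a 250, the second stops at the 550 5.7.1 on RCPT TO. Nothing in the first session ever asked who the client was, which is the whole point of the answer above.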
 
ma77smith (Author) commented:
In all my years of administrating Exchange I never actually realised you could do this. So effectively I could telnet into some top blue chip company's Exchange and send an abuse email to the CEO from the managing director, presuming I knew their email addresses?
 
Sembee commented:
Yes there is nothing to stop you from doing that.
It is what spammers do all day.
It is standard spoofing. Obviously if it was tried then a decent network admin should be able to diagnose that the message came in from outside.

You can't do anything to stop it really. There have been attempts to do so, SPF, Sender ID etc, but their use is so low that you cannot use them to block the messages, just as something to score on for later processing.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
 
Serena Hsi (Marketing Consultant) commented:
It's such a cool "feature" to tease co-workers with. But, I suppose you don't want to have a gaping hole in your security system.

This is what TechNet suggests for protecting against address spoofing:
http://technet.microsoft.com/en-us/library/aa997157.aspx

How to Prevent Exchange 2000 From Resolving Anonymous E-mail Messages:
http://technet.microsoft.com/en-us/library/aa997792.aspx

And,

HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server:
http://support.microsoft.com/?kbid=319356
 
ma77smith (Author) commented:
Thanks, but I can't see how http://technet.microsoft.com/en-us/library/aa997157.aspx will help me. How will reverse DNS stop someone sending internal - internal ?  And if I disable anonymous access then no one will be able to send me mail!!

thx
 
Sembee commented:
Reverse DNS functionality on Exchange is best described as useless. You can't do anything with it other than slow things down and get an entry in the logs.

The other options are really to stop internal users from spoofing email. You can do very little to stop external users.

Simon.

 
ma77smith (Author) commented:

Thanks for the feedback, what's the best/easiest way to stop internal users spoofing mail then?

I need to stop people being able to do this ..

Thx again
 
Sembee commented:
You can't stop users from spoofing. There is no mechanism in Exchange to stop it from happening. If there was then spam wouldn't be the problem that it is.

The most you could do is have an SMTP gateway in a DMZ and block access to it from your network except for the Exchange servers.
Then use connection restrictions on the SMTP Virtual Server of all Exchange servers to restrict access to everything but the SMTP gateway and all of the other Exchange servers. If you have users who send email by SMTP (Outlook Express etc) or servers that send notifications then that will be broken by that change.

However there is nothing to stop the users from telnetting into your ISP's SMTP server and sending the message, or telnetting into their own ISP's server from home and sending the message.

If the email has been sent internally via a MAPI connection then it will not have SMTP headers. If it has SMTP headers then the From line cannot be trusted.

Simon.

 
Sembee commented:
Of course the ideal way would be to find someone who has done it and fire them for it and ensure that everyone knows why. This is a management issue, not a technical issue.

Simon.

 
ma77smith (Author) commented:

That is the whole point: if a user from home (or anyone else for that matter) telnetted into the Exchange server and sent a message from ceo@mycompany.com to cfo@mycompany.com saying 'you are fired you F":@#r', then what on earth do I do about this! I still find it hard to believe (although I'm not saying you're wrong) that there is no mechanism to stop this; all it would need is some sort of authentication to appear from an internal address. From an external address it doesn't matter; these can be minimised with reverse DNS and other 3rd party solutions.
 
Sembee commented:
What is the difference between a user doing that and a spammer sending a message with the headers spoofed in the same way offering blue pills? Nothing at all.
As I wrote above, if there was a way, then spam would not be the problem it is.

Simon.

 
ma77smith (Author) commented:

Ok, good point - there is no functionality in Exchange/smtp to stop this ....  In your opinion, what is the best 3rd party Anti Spam solution?   I'm taking it that an AS solution would not stop it happening but would identify the resultant email as spam and quarantine it?
 
Sembee commented:
Depends on the antispam solution being used really and how it is configured.
There are so many ways that spam can be detected, none of them are 100% effective.
The method I am using most effectively at the moment is a combination of greylisting and IMF, but that is really only effective against automated spam. This kind of message which is manually created would be hard for any spam solution to detect unless you put in some kind of measure that blocks all external messages that have the From field matching your own domain. Although that measure would also stop anyone using the "Send to a Friend" feature found on many web sites.

Simon.

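Two points from Simon's replies lend themselves to a check: a message delivered over MAPI carries no SMTP Received headers, while one that does have them has an untrustworthy From line, and the one measure he names above is blocking external messages whose From matches your own domain. The following is an added example, not from the thread or from Microsoft, in Python: it walks the Received trail that your own servers prepended to find where a message entered from outside, then applies that rule. It also handles the DMZ-gateway layout from the earlier reply, where the external hop sits behind an internal one. The internal ranges, hostnames, the Received layout and all sample messages are constructed assumptions.

```python
"""Where did this message really enter the mail system?

Constructed example, not from the thread or from Microsoft.  Rules applied:
no Received headers -> it came in over MAPI; Received headers present -> the
From line is untrusted and only the hops our own servers recorded count;
From in our own domain but entering from outside -> spoof.
Networks, hostnames, the Received layout and all samples are assumptions.
"""
import email
import email.utils
import ipaddress
import re

OWN_DOMAIN = "company.com"                                    # assumed
INTERNAL_NETS = [ipaddress.ip_network(n) for n in             # assumed
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "from <helo> ([<ip>]) by <host> ..." in the shape Exchange 2003 SMTPSVC
# writes it (layout assumed); anchored on "from" so the SMTPSVC version
# number in parentheses is never mistaken for an address
RECEIVED_IP = re.compile(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)",
                         re.IGNORECASE)


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def entry_point(msg):
    """Walk Received headers newest to oldest (the order our servers
    prepended them).  The first hop whose sending IP is outside our
    networks is where the message came in; anything older was supplied by
    the sender and may be forged, so it is never consulted."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(" ".join(hdr.split()))   # unfold, then match
        if m and not is_internal(m.group(1)):
            return m.group(1)
    return None


def classify(raw):
    """Return (verdict, entry_ip) for a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    if not msg.get_all("Received"):
        return "no-smtp-headers", None        # MAPI/Outlook submission
    origin = entry_point(msg)
    if origin is None:
        return "internal-origin", None        # every hop was one of ours
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() == OWN_DOMAIN:
        return "external-spoof", origin       # claims to be us, arrived from outside
    return "external", origin


# Constructed samples (addresses and IPs are made up)
SPOOFED = """\
Received: from 12.1.1.22 ([12.1.1.22]) by mail.company.com with Microsoft SMTPSVC(6.0.3790.3959);
\t Mon, 5 May 2008 10:11:12 +0100
From: ceo@company.com
To: cfo@company.com
Subject: test

you are fired
"""
MAPI_ONLY = "From: bob@company.com\nTo: fred@company.com\nSubject: lunch\n\nnoon?\n"
INTERNAL_RELAY = ("Received: from app01 ([192.168.1.5]) by mail.company.com with Microsoft SMTPSVC\n"
                  "From: alerts@company.com\nTo: ops@company.com\n\ndisk full\n")
EXTERNAL_LEGIT = ("Received: from mx.example.net ([203.0.113.7]) by mail.company.com with Microsoft SMTPSVC\n"
                  "From: partner@example.net\nTo: cfo@company.com\n\ninvoice attached\n")
VIA_GATEWAY = ("Received: from gw.company.com ([192.168.50.1]) by mail.company.com with Microsoft SMTPSVC\n"
               "Received: from 12.1.1.22 ([12.1.1.22]) by gw.company.com with ESMTP\n"
               "From: ceo@company.com\nTo: cfo@company.com\n\nyou are fired\n")

if __name__ == "__main__":
    for name in ("SPOOFED", "MAPI_ONLY", "INTERNAL_RELAY", "EXTERNAL_LEGIT", "VIA_GATEWAY"):
        print(name, classify(globals()[name]))
```

The verdict rests only on the header your own server wrote when the connection arrived, which the outside sender cannot alter; the From line is read last and only to decide whether the external message is pretending to be local. As Simon says, that rule also catches legitimate "send to a friend" mail that carries your domain in From, so it is a scoring input rather than a hard block.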
 
ma77smith (Author) commented:

What about an offline filtering service like Postini, and only allowing Exchange to receive from that service?
 
Sembee commented:
That will only stop external messages coming in - if they detect the message and block it. If the users are clued up enough to know about the telnet method then they could well be clued up enough to find the MX records.

Then you still have the issues I outlined in an earlier message about legitimate messages being sent internally.

Simon.

 
ma77smith (Author) commented:
cool, regarding telnetting into Exchange and doing an internal -> internal message, most Exchange anti-spam solutions should catch this as spam ... right?
 
Sembee commented:
Not always. It is difficult to predict what an antispam solution will detect. If the user sends the message using plain English and it looks like a regular message then it will not be blocked.

Simon.

 
ma77smith (Author) commented:
Sorry to drag this on, just need to get it straight in my mind ..

So, I telnet in and Exchange says 'helo 12.1.1.22' (my IP from home)
I use the telnet syntax to send a message from bob@company.com to fred@company.com
Gets sent ..

If I enabled reverse DNS on Exchange, surely it will not work as 12.1.1.12 has no PTR in company.com??
Sembee commented:
Enabling reverse DNS does nothing other than add an entry in the headers. There is no mechanism in Exchange to block on reverse DNS. You would need to use a third party tool to do that, but that could also impact legitimate email where people haven't got the reverse DNS set up correctly. Look at the questions on this site where people have problems with reverse DNS.

Simon.

