Solved

Exchange server vulnerability with ASP page

Posted on 2008-06-12
Last Modified: 2013-11-30
My network admin informed me that we are running Exchange 2000 and he can see that someone is accessing our server for extended periods of time. Further, we are getting a lot of NDRs for emails that were never sent by anyone in this organization.  There are no open relays and it appears that the "send to a friend" function we have on a web page is where these are coming from.  That web page uses CDONTS.NewMail to forward the articles to a friend.  Is there a way to prevent this if it is the web page that has the vulnerability?

Thanks,
John
Question by:JohnMac328

13 Comments
 
LVL 58

Expert Comment

by:tigermatt
If it is indeed the webpage which is causing this, you would want to implement a Captcha of some description on that web page. The Captcha is a series of numbers and/or letters embedded within a computer-generated image which cannot be read by a spammer's automated systems. Legitimate users must copy the text out of the captcha and into a text box (and get it correct) before they will be allowed to submit their email to their friend. As long as you have a form on a public website which allows emails to be sent without any form of security from automation, it is likely the form will be hijacked by spammers. Here's a starting point for Captchas: http://www.captcha.net/.

There's also the possibility that the two are unrelated. Spammers are starting to do what is known as "NDR Spam" now - unfortunately if that is what you are being subject to, there is very little you are able to do about it. You could look into SPF records, but they are seldom used and will have a limited effect, if any at all.

-tigermatt
 
LVL 24

Expert Comment

by:purplepomegranite
It depends on the ASP code in the page.  If someone is using it maliciously, I'd be inclined to think that they've found a way to hack the page itself to send email that they want to rather than the article to a friend.  This can be done by hijacking GET variables very easily (assuming one was a URL to the page to be emailed, this could simply be replaced with the URL of a malicious page).  It can also be done with POST variables.

Is there any checking in the ASP page to validate the page being sent on?
 
LVL 58

Expert Comment

by:tigermatt
Exactly my thoughts!
 

Author Comment

by:JohnMac328
Pretty basic, let's say tigermatt fills out purple's email address in the form, which then sends a link in the email to purple.
 
LVL 58

Expert Comment

by:tigermatt
In that case, you are going to want to get your developer to implement a captcha - that's the most basic and easiest method to ensure automated "bots" don't use the form, since they can't read the captcha and you don't let them send until they can!
 
LVL 24

Accepted Solution

by:purplepomegranite (earned 250 total points)
Yes, but where does it get the link?  Presumably it's sent to the form by GET or by POST - and this could be hijacked.

I haven't got any kind of validation on the contact form on my website, and several times a day the form is automatically filled in with spam content and emailed.  Of course, the only person to receive the email is me, which is why it is never likely to occur more than a few times a day.  If someone finds a form that is exploitable to send email and a link (their choice of link) to anyone they like, they will use it constantly until the hole is plugged.  Spammers are an evil (and pointless) breed...
 
LVL 24

Expert Comment

by:purplepomegranite
tigermatt is absolutely right of course.

But I am inclined to think that there needs to be more validation on your script anyway.  If it were not sending what the spammer wanted, they wouldn't be using it anywhere near as much.
 

Author Comment

by:JohnMac328
The method of the form is post and no validation.  I am downloading and trying the captcha.  If that is all the info then I thank you both and split the points.  Please let me know if you are both done.
 
LVL 58

Expert Comment

by:tigermatt
If you have no validation or verification then the captcha should sort it out. You can make sure the script which sends the email is secure and cannot be hijacked by enclosing the script which generates the email in IF tags, so it will only send if the captcha is present from the form, and correct.
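The two points made above (purplepomegranite: validate the link the form is asked to send; tigermatt: wrap the CDONTS.NewMail call in an If so it only runs once the captcha has been checked) can be combined in one classic ASP handler. The following is an added example written for this thread, not the asker's page or code from any of the captcha packages linked here. The form field names (article, friend, sender, captcha), the Session key captcha_answer that the form page is assumed to have set when it drew the captcha image, and the host www.example.com are all assumptions for illustration.

```asp
<%
Option Explicit
' Added example, not the original page's code. Field names, the session key
' "captcha_answer" and SITE_HOST are assumptions for illustration.

Const SITE_HOST = "www.example.com"   ' assumed: articles may only link to this host

' Reject empty, oversized, or multi-line values. A CR/LF inside a field is how a
' spammer smuggles extra headers (Bcc:, a second Subject:) into the message.
Function IsCleanField(value, maxLen)
    IsCleanField = False
    If Len(value) = 0 Or Len(value) > maxLen Then Exit Function
    If InStr(value, vbCr) > 0 Or InStr(value, vbLf) > 0 Then Exit Function
    IsCleanField = True
End Function

' Accept exactly one plausible mailbox address, nothing else.
Function IsEmailAddress(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    IsEmailAddress = IsCleanField(value, 254) And re.Test(value)
End Function

' Allow-list the link: it must be one of this site's own article URLs, so a
' hijacked POST cannot turn the form into a relay for an arbitrary URL.
Function IsArticleUrl(value)
    Dim prefix
    prefix = "http://" & SITE_HOST & "/articles/"
    IsArticleUrl = IsCleanField(value, 500) And _
        (LCase(Left(value, Len(prefix))) = prefix)
End Function

Dim article, friend, sender, captcha, expected, errorMsg
article  = Trim(Request.Form("article"))
friend   = Trim(Request.Form("friend"))
sender   = Trim(Request.Form("sender"))
captcha  = Trim(Request.Form("captcha"))
expected = Session("captcha_answer")
Session("captcha_answer") = Empty   ' one-time: a solved challenge cannot be replayed

errorMsg = ""
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    errorMsg = "Please use the form."
ElseIf IsEmpty(expected) Or LCase(captcha) <> LCase(expected) Then
    errorMsg = "The verification text did not match."
ElseIf Not IsEmailAddress(friend) Or Not IsEmailAddress(sender) Then
    errorMsg = "Please enter valid e-mail addresses."
ElseIf Not IsArticleUrl(article) Then
    errorMsg = "Only articles on this site can be forwarded."
End If

' The mail is only built and sent inside this If: every check above must pass.
If errorMsg = "" Then
    Dim mail
    Set mail = Server.CreateObject("CDONTS.NewMail")
    mail.From    = "noreply@" & SITE_HOST   ' fixed sender; visitor's address goes in the body only
    mail.To      = friend
    mail.Subject = "An article from " & SITE_HOST
    mail.Body    = sender & " thought you might like this article:" & vbCrLf & article
    mail.Send
    Set mail = Nothing
    Response.Write "Thanks, the article has been sent."
Else
    Response.Write Server.HTMLEncode(errorMsg)
End If
%>
```

Two design choices matter here beyond the captcha. First, the visitor never controls the From, Subject or body text; the only user-supplied content that reaches the message is the recipient address and a link that must start with the site's own article path, which leaves a spammer nothing worth sending. Second, the session value is cleared before the comparison, so a bot that solves one captcha cannot reuse the answer for a batch of submissions; the form page must set Session("captcha_answer") afresh each time it renders an image.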
 

Author Comment

by:JohnMac328
Unfortunately the only classic ASP example they provide is what someone provided to the site, but they have created several versions in other formats.  Are there any captcha experts on the exchange?
 
LVL 58

Expert Comment

by:tigermatt
How about this package instead? Should support classic ASP: http://www.tipstricks.org/

-tigermatt
 
LVL 58

Assisted Solution

by:tigermatt (earned 250 total points)
Just confirmed, yes, that one DOES support classic ASP.

http://www.tipstricks.org/
 

Author Closing Comment

by:JohnMac328
Thanks both of you for all your help