Exchange server vulnerability with ASP page

Posted on 2008-06-12
Last Modified: 2013-11-30
My network admin informed me that we are running Exchange 2000 and he can see that someone is accessing our server for extended periods of time. Further, we are getting a lot of NDRs for emails that were never sent by anyone in this organization. There are no open relays and it appears that the "send to a friend" function we have on a web page is where these are coming from. That web page uses cdonts.newmail to forward the articles to a friend. Is there a way to prevent this if it is the web page that has the vulnerability?

Thanks,
John
Question by:JohnMac328
13 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771957
If it is indeed the webpage which is causing this, you would want to implement a Captcha of some description on that web page. The Captcha is a series of numbers and/or letters embedded within a computer-generated image which cannot be read by a spammer's automated systems. Legitimate users must copy the text out of the captcha and into a text box (and get it correct) before they will be allowed to submit their email to their friend. As long as you have a form on a public website which allows emails to be sent without any form of security from automation, it is likely the form will be hijacked by spammers. Here's a starting point for Captchas: http://www.captcha.net/.

There's also the possibility that the two are unrelated. Spammers are starting to do what is known as "NDR Spam" now - unfortunately if that is what you are being subject to, there is very little you are able to do about it. You could look into SPF records, but they are seldom used and will have a limited effect, if any at all.

-tigermatt
LVL 24

Expert Comment

by:purplepomegranite
ID: 21771960
It depends on the ASP code in the page. If someone is using it maliciously, I'd be inclined to think that they've found a way to hack the page itself to send email that they want to rather than the article to a friend. This can be done by hijacking GET variables very easily (assuming one was a URL to the page to be emailed, this could simply be replaced with the URL of a malicious page). It can also be done with POST variables.

Is there any checking in the ASP page to validate the page being sent on?
LVL 58

Expert Comment

by:tigermatt
ID: 21771973
Exactly my thoughts!

Author Comment

by:JohnMac328
ID: 21772019
Pretty basic, let's say tigermatt fills out purple's email address in the form which then sends a link in the email to purple.
LVL 58

Expert Comment

by:tigermatt
ID: 21772070
In that case, you are going to want to get your developer to implement a captcha - that's the most basic and easiest method to ensure automated "bots" don't use the form, since they can't read the captcha and you don't let them send until they can!
LVL 24

Accepted Solution

by:purplepomegranite
purplepomegranite earned 250 total points
ID: 21772089
Yes, but where does it get the link? Presumably it's sent to the form by GET or by POST - and this could be hijacked.

I haven't got any kind of validation on the contact form on my website, and several times a day the form is automatically filled in with spam content and emailed.  Of course, the only person to receive the email is me, which is why it is never likely to occur more than a few times a day.  If someone finds a form that is exploitable to send email and a link (their choice of link) to anyone they like, they will use it constantly until the hole is plugged.  Spammers are an evil (and pointless) breed...
LVL 24

Expert Comment

by:purplepomegranite
ID: 21772103
tigermatt is absolutely right of course.

But I am inclined to think that there needs to be more validation on your script anyway. If it were not sending what the spammer wanted, they wouldn't be using it anywhere near as much.

Author Comment

by:JohnMac328
ID: 21772161
The method of the form is POST and no validation. I am downloading and trying the captcha. If that is all the info then I thank you both and split the points. Please let me know if you are both done.
LVL 58

Expert Comment

by:tigermatt
ID: 21772183
If you have no validation or verification then the captcha should sort it out. You can make sure the script which sends the email is secure and cannot be hijacked by enclosing the script which generates the email in IF tags, so it will only send if the captcha is present from the form, and correct.
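As an added illustration of the two points made in this thread (purplepomegranite's warning that the POSTed link can be swapped for any URL the spammer likes, and tigermatt's advice to wrap the sending code in IF checks so nothing is sent until the captcha is present and correct), here is a hardened classic ASP handler for a CDONTS "send to a friend" form. This is example code, not the asker's page; the form field names, the Session("CaptchaAnswer") variable written by the captcha page, and the example.com article location are assumptions.

```vbscript
<%
Option Explicit
' Hardened "send to a friend" handler: an added example, not code from this thread.
' Assumed: the form POSTs friend_email, article_url and captcha, and the captcha
' image page stored the expected answer in Session("CaptchaAnswer").
Const SITE_PREFIX = "http://www.example.com/articles/"   ' assumed location of our articles

' True only when the link points at one of our own article pages; CR/LF and ".."
' are refused so the value cannot smuggle extra mail headers or odd paths.
Function IsOurArticle(url)
    IsOurArticle = Len(url) < 200 _
        And LCase(Left(url, Len(SITE_PREFIX))) = LCase(SITE_PREFIX) _
        And InStr(url, "..") = 0 And InStr(url, vbCr) = 0 And InStr(url, vbLf) = 0
End Function

' Minimal recipient check; the CR/LF test blocks header injection via the To field.
Function IsPlausibleEmail(addr)
    IsPlausibleEmail = Len(addr) > 5 And Len(addr) < 100 And InStr(addr, "@") > 1 _
        And InStr(addr, vbCr) = 0 And InStr(addr, vbLf) = 0
End Function

Dim friendEmail, articleUrl, captcha, objMail
friendEmail = Trim(Request.Form("friend_email"))
articleUrl  = Trim(Request.Form("article_url"))
captcha     = Trim(Request.Form("captcha"))

' The mail object is only created once every check has passed (the IF wrapping
' tigermatt describes). Session("CaptchaAnswer") is cleared afterwards so one
' solved captcha buys exactly one send.
If Request.ServerVariables("REQUEST_METHOD") = "POST" _
   And Len(Session("CaptchaAnswer") & "") > 0 _
   And StrComp(captcha, Session("CaptchaAnswer") & "", vbTextCompare) = 0 _
   And IsOurArticle(articleUrl) And IsPlausibleEmail(friendEmail) Then
    Session("CaptchaAnswer") = ""
    Set objMail = Server.CreateObject("CDONTS.NewMail")
    objMail.From = "articles@example.com"   ' fixed sender, never taken from the form
    objMail.To = friendEmail
    objMail.Subject = "An article from example.com"
    objMail.BodyFormat = 1                  ' 1 = plain text, so no HTML is injected
    objMail.Body = "A reader thought you might like this article: " & articleUrl
    objMail.Send
    Set objMail = Nothing
    Response.Write "Sent."
Else
    Response.Write "Request rejected."
End If
%>
```

A stronger variant posts only an article id and looks the URL up server-side, so the link never comes from the browser at all; the prefix allowlist above is the minimum that stops the form relaying arbitrary links.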

Author Comment

by:JohnMac328
ID: 21772224
Unfortunately the only classic ASP example they provide is what someone provided to the site but they have created several versions in other formats. Are there any captcha experts on the exchange?
LVL 58

Expert Comment

by:tigermatt
ID: 21772270
How about this package instead? Should support classic ASP: http://www.tipstricks.org/

-tigermatt
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 21772273
Just confirmed, yes that one DOES support classic ASP.

http://www.tipstricks.org/

Author Closing Comment

by:JohnMac328
ID: 31466658
Thanks both of you for all your help
