Solved

Exchange server vulnerability with ASP page

Posted on 2008-06-12
Last Modified: 2013-11-30
My network admin informed me that we are running exchange 2000 and if he can see that someone is accessing our server for extended periods of time. Further, we are getting a lot of NDRs for emails that were never sent by anyone in this organization.  There are no open relays and it appears that the "send to a friend" function we have on a web page is where these are coming from.  That web page uses cdonts.newmail to forward the articles to a friend.  Is there a way to prevent this if it is the web page that has the vulnerability?

Thanks,
John
Question by:JohnMac328
13 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771957
If it is indeed the webpage which is causing this, you would want to implement a Captcha of some description on that web page. The Captcha is a series of numbers and/or letters embedded within a computer-generated image which cannot be read by a spammer's automated systems. Legitimate users must copy the text out of the captcha and into a text box (and get it correct) before they will be allowed to submit their email to their friend. As long as you have a form on a public website which allows emails to be sent without any form of security from automation, it is likely the form will be hijacked by spammers. Here's a starting point for Captchas: http://www.captcha.net/.

There's also the possibility that the two are unrelated. Spammers are starting to do what is known as "NDR Spam" now - unfortunately if that is what you are being subject to, there is very little you are able to do about it. You could look into SPF records, but they are seldom used and will have a limited effect, if any at all.

-tigermatt
 
LVL 24

Expert Comment

by:purplepomegranite
ID: 21771960
It depends on the ASP code in the page.  If someone is using it maliciously, I'd be inclined to think that they've found a way to hack the page itself to send email that they want to rather than the article to a friend.  This can be done by hijacking GET variables very easily (assuming one was a URL to the page to be emailed, this could simply be replaced with the URL of a malicious page).  It can also be done with POST variables.

Is there any checking in the ASP page to validate the page being sent on?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771973
Exactly my thoughts!
 

Author Comment

by:JohnMac328
ID: 21772019
Pretty basic, let's say tigermatt fills out purple's email address in the form which then sends a link in the email to purple.
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772070
In that case, you are going to want to get your developer to implement a captcha - that's the most basic and easiest method to ensure automated "bots" don't use the form, since they can't read the captcha and you don't let them send until they can!
 
LVL 24

Accepted Solution

by:
purplepomegranite earned 1000 total points
ID: 21772089
Yes, but where does it get the link?  Presumably it's sent to the form by GET or by POST - and this could be hijacked.

I haven't got any kind of validation on the contact form on my website, and several times a day the form is automatically filled in with spam content and emailed.  Of course, the only person to receive the email is me, which is why it is never likely to occur more than a few times a day.  If someone finds a form that is exploitable to send email and a link (their choice of link) to anyone they like, they will use it constantly until the hole is plugged.  Spammers are an evil (and pointless) breed...
 
LVL 24

Expert Comment

by:purplepomegranite
ID: 21772103
tigermatt is absolutely right of course.

But I am inclined to think that there needs to be more validation on your script anyway.  If it were not sending what the spammer wanted, they wouldn't be using it anywhere near as much.
 

Author Comment

by:JohnMac328
ID: 21772161
The method of the form is post and no validation.  I am downloading and trying the captcha.  If that is all the info then I thank you both and split the points.  Please let me know if you are both done.
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772183
If you have no validation or verification then the captcha should sort it out. You can make sure the script which sends the email is secure and cannot be hijacked by enclosing the script which generates the email in IF tags, so it will only send if the captcha is present from the form, and correct.
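Putting the two suggestions from this thread together (validate the link instead of mailing whatever the POST supplies, and only build the CDONTS.NewMail object inside an If that checks the captcha), here is an added classic ASP example; it is not the asker's page or either expert's code. The form field names, the `Session("CaptchaText")` key and the `ALLOWED_HOST` value are assumptions.

```asp
<%
' Added example (not the asker's page or either expert's code): hardened
' "send to a friend" handler. Assumptions: the form POSTs "friend", "link" and
' "captcha"; the captcha image page stored its answer in Session("CaptchaText");
' ALLOWED_HOST is a placeholder for this site's own host name.
Option Explicit
Const ALLOWED_HOST = "www.example.com"   ' placeholder, replace with your host

' Accept only links to this site's pages, so the form cannot be turned into a
' relay for arbitrary URLs supplied in the POST (the hijack described above).
Function IsOurLink(url)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://" & Replace(ALLOWED_HOST, ".", "\.") & "/[^\s]*$"
    IsOurLink = re.Test(url)
End Function

' Shape check for the recipient; whitespace (incl. CR/LF) is rejected so the
' address cannot inject extra mail headers.
Function IsPlausibleEmail(addr)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[^\s@]+@[^\s@]+\.[^\s@]+$"
    IsPlausibleEmail = re.Test(addr)
End Function

' Captcha check: the session must hold an answer and it must match the form.
' The stored answer is cleared so one solved captcha cannot be replayed.
Function CaptchaOk(answer)
    Dim expected
    expected = Session("CaptchaText")
    Session("CaptchaText") = ""
    CaptchaOk = (Len(expected) > 0) And (StrComp(answer, expected, vbTextCompare) = 0)
End Function

Dim friend, link, captcha, objMail
friend  = Trim(Request.Form("friend"))
link    = Trim(Request.Form("link"))
captcha = Trim(Request.Form("captcha"))
' The mail object is only created and sent inside the If, as suggested above.
If CaptchaOk(captcha) And IsPlausibleEmail(friend) And IsOurLink(link) Then
    Set objMail = Server.CreateObject("CDONTS.NewMail")
    objMail.From = "articles@" & ALLOWED_HOST
    objMail.To = friend
    objMail.Subject = "An article from " & ALLOWED_HOST
    objMail.Body = "A reader thought you might like this article: " & link
    objMail.Send
    Response.Write "Thanks, the article has been sent."
Else
    Response.Write "Sorry, the request could not be validated."   ' don't say which check failed
End If
%>
```

Note that VBScript's `And` does not short-circuit, so all three checks run on every request; that is harmless here because none of them sends anything, and clearing the captcha answer on every attempt is the intended behaviour.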
 

Author Comment

by:JohnMac328
ID: 21772224
Unfortunately the only classic asp example they provide is what someone provided to the site but they have created several versions in other formats.  Are there any captcha experts on the exchange?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772270
How about this package instead? Should support classic ASP: http://www.tipstricks.org/

-tigermatt
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1000 total points
ID: 21772273
Just confirmed, yes that one DOES support classic ASP.

http://www.tipstricks.org/
 

Author Closing Comment

by:JohnMac328
ID: 31466658
Thanks both of you for all your help