Exchange server vulnerability with ASP page

My network admin informed me that we are running Exchange 2000 and if he can see that someone is accessing our server for extended periods of time. Further, we are getting a lot of NDRs for emails that were never sent by anyone in this organization. There are no open relays and it appears that the "send to a friend" function we have on a web page is where these are coming from. That web page uses cdonts.newmail to forward the articles to a friend. Is there a way to prevent this if it is the web page that has the vulnerability?

Thanks,
John
JohnMac328 Asked:
 
purplepomegranite Commented:
Yes, but where does it get the link?  Presumably it's sent to the form by GET or by POST - and this could be hijacked.

I haven't got any kind of validation on the contact form on my website, and several times a day the form is automatically filled in with spam content and emailed.  Of course, the only person to receive the email is me, which is why it is never likely to occur more than a few times a day.  If someone finds a form that is exploitable to send email and a link (their choice of link) to anyone they like, they will use it constantly until the hole is plugged.  Spammers are an evil (and pointless) breed...
0
 
tigermatt Commented:
If it is indeed the webpage which is causing this, you would want to implement a Captcha of some description on that web page. The Captcha is a series of numbers and/or letters embedded within a computer-generated image which cannot be read by a spammer's automated systems. Legitimate users must copy the text out of the captcha and into a text box (and get it correct) before they will be allowed to submit their email to their friend. As long as you have a form on a public website which allows emails to be sent without any form of security from automation, it is likely the form will be hijacked by spammers. Here's a starting point for Captchas: http://www.captcha.net/.

There's also the possibility that the two are unrelated. Spammers are starting to do what is known as "NDR Spam" now - unfortunately if that is what you are being subject to, there is very little you are able to do about it. You could look into SPF records, but they are seldom used and will have a limited effect, if any at all.

-tigermatt
0
 
purplepomegranite Commented:
It depends on the ASP code in the page. If someone is using it maliciously, I'd be inclined to think that they've found a way to hack the page itself to send email that they want to rather than the article to a friend. This can be done by hijacking GET variables very easily (assuming one was a URL to the page to be emailed, this could simply be replaced with the URL of a malicious page). It can also be done with POST variables.

Is there any checking in the ASP page to validate the page being sent on?
0
 
tigermatt Commented:
Exactly my thoughts!
0
 
JohnMac328 (Author) Commented:
Pretty basic, let's say tigermatt fills out purple's email address in the form which then sends a link in the email to purple.
0
 
tigermatt Commented:
In that case, you are going to want to get your developer to implement a captcha - that's the most basic and easiest method to ensure automated "bots" don't use the form, since they can't read the captcha and you don't let them send until they can!
0
 
purplepomegranite Commented:
tigermatt is absolutely right of course.

But I am inclined to think that there needs to be more validation on your script anyway. If it were not sending what the spammer wanted, they wouldn't be using it anywhere near as much.
0
 
JohnMac328 (Author) Commented:
The method of the form is post and no validation.  I am downloading and trying the captcha.  If that is all the info then I thank you both and split the points.  Please let me know if you are both done.
0
 
tigermatt Commented:
If you have no validation or verification then the captcha should sort it out. You can make sure the script which sends the email is secure and cannot be hijacked by enclosing the script which generates the email in IF tags, so it will only send if the captcha is present from the form, and correct.
0
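
The two fixes discussed in this thread (send only when the captcha is present and correct, and validate what the form posts), sketched as a classic ASP handler. This is an added example, not code from any participant or from the captcha packages linked here; the form field names `friendEmail`, `articleId` and `captcha`, the `Session("captchaText")` value, and the `example.com` host and sender are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumed names: form fields friendEmail / articleId / captcha,
' and Session("captchaText") set by whichever captcha component drew the image.

Function Matches(pattern, value)
    ' Whole-string regular expression test.
    Dim re : Set re = New RegExp
    re.Pattern = pattern
    Matches = re.Test(value)
End Function

Function IsValidEmail(addr)
    ' Exactly one address. CR/LF, commas, semicolons and spaces are rejected,
    ' so extra recipients or header lines cannot be smuggled in.
    IsValidEmail = (Len(addr) <= 254) And _
        Matches("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", addr)
End Function

Dim friendEmail, articleId, answer, expected, mail
friendEmail = Trim(Request.Form("friendEmail"))
articleId   = Trim(Request.Form("articleId"))
answer      = UCase(Trim(Request.Form("captcha")))
expected    = UCase(Session("captchaText") & "")
Session("captchaText") = ""   ' single use: a solved captcha cannot be replayed

If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
ElseIf expected = "" Or answer <> expected Then
    Response.Write "Captcha missing or incorrect."
ElseIf Not IsValidEmail(friendEmail) Then
    Response.Write "Please enter one valid email address."
ElseIf Not Matches("^[0-9]{1,9}$", articleId) Then
    Response.Write "Unknown article."
Else
    ' The link is rebuilt on the server from a numeric id. No URL, subject
    ' or body text supplied by the client is ever placed in the message.
    Set mail = Server.CreateObject("CDONTS.NewMail")
    mail.From    = "noreply@example.com"
    mail.To      = friendEmail
    mail.Subject = "An article was shared with you"
    mail.Body    = "http://www.example.com/article.asp?id=" & articleId
    mail.Send
    Set mail = Nothing
    Response.Write "Sent."
End If
%>
```

Because the message text is fixed and the link is derived from a numeric id, the form stops being useful for sending arbitrary content even if a captcha is solved.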
 
JohnMac328 (Author) Commented:
Unfortunately the only classic asp example they provide is what someone provided to the site but they have created several versions in other formats. Are there any captcha experts on the exchange?
0
 
tigermatt Commented:
How about this package instead? Should support classic ASP: http://www.tipstricks.org/

-tigermatt
0
 
tigermatt Commented:
Just confirmed, yes that one DOES support classic ASP.

http://www.tipstricks.org/
0
 
JohnMac328 (Author) Commented:
Thanks both of you for all your help
0
Question has a verified solution.