Solved

Exchange server vulnerability with ASP page

Posted on 2008-06-12
13
227 Views
Last Modified: 2013-11-30
My network admin informed me that we are running exchange 2000 and if he can see that someone is acccessing our server for extended periods of time. Further, we are getting a lot of NDRs for emails that were never sent by anyone in this organization.  There are no open relays and it appears that the "send to a friend" function we have on a web page is where these are coming from.  That web page uses cdonts.newmail to forward the articles to a friend.  Is their a way to prevent this if it is the web page that has the vulnerability?

Thanks,
John
0
Comment
Question by:JohnMac328
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 3
13 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771957
If it is indeed the webpage which is causing this, you would want to implement a Captcha of some description on that web page. The Captcha is a series of numbers and/or letters embedded within a computer-generated image which cannot be read by a spammer's automated systems. Legitimate users must copy the text out of the captcha and into a text box (and get it correct) before they will be allowed to submit their email to their friend. As long as you have a form on a public website which allows emails to be sent within any form of security from automation, it is likely the form will be hijacked by spammers. Here's a starting point for Captchas: http://www.captcha.net/.

There's also the possibility that the two are unrelated. Spammers are starting to do what is known as "NDR Spam" now - unfortunately if that is what you are being subject to, there is very little you are able to do about it. You could look into SPF records, but they are seldom used and will have a limited effect, if any at all.

-tigermatt
0
 
LVL 24

Expert Comment

by:purplepomegranite
ID: 21771960
It depends on the ASP code in the page.  If someone is using it maliciously,I'd be inclined to think that they've found a way to hack the page itself to send email that they want to rather than the article to a friend.  This can be done by hijacking GET variables very easily (assuming one was a URL to the page to be emailed, this could simply be replaced with the URL of a malicious page).  It can also be done with POST variables.

Is there any checking in the ASP page to validate the page being sent on?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771973
Exactly my thoughts!
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:JohnMac328
ID: 21772019
Pretty basic, lets say tigermatt fills out purples email address in the form which then sends a link in the email to purple.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772070
In that case, you are going to want to get your developer to implement a captcha - that's the most basic and easiest method to ensure automated "bots" don't use the form, since they can't read the captcha and you don't let them send until they can!
0
 
LVL 24

Accepted Solution

by:
purplepomegranite earned 250 total points
ID: 21772089
Yes, but where does it get the link?  Presumably it's sent to the form by GET or by POST - and this could be hijacked.

I haven't got any kind of validation on the contact form on my website, and several times a day the form is automatically filled in with spam content and emailed.  Of course, the only person to receive the email is me, which is why it is never likely to occur more than a few times a day.  If someone finds a form that is exploitable to send email and a link (their choice of link) to anyone they like, they will use it constantly until the hole is plugged.  Spammers are an evil (and pointless) breed...
0
 
LVL 24

Expert Comment

by:purplepomegranite
ID: 21772103
tigermatt is absolutely right of course.

But I am inclined to think that there needs to more validation on your script anyway.  If it were not sending what the spammer wanted, they wouldn't be using it anywhere near as much.
0
 

Author Comment

by:JohnMac328
ID: 21772161
The method of the form is post and no validation.  I am downloading and trying the captcha.  If that is all the info then I thank you both and split the points.  Please let me know if you are both done.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772183
If you have no validation or verification then the captcha should sort it out. You can make sure the script which sends the email is secure and cannot be hijacked by enclosing the script which generates the email in IF tags, so it will only send if the captcha is present from the form, and correct.
0
 

Author Comment

by:JohnMac328
ID: 21772224
Unfortuneatly the only classic asp example they provide is what someone provided to the site but they have created several version in other formats.  Are there any captcha experts on the exchange?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772270
How about this package instead? Should support classic ASP: http://www.tipstricks.org/

-tigermatt
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 21772273
Just confirmed, yes that ones DOES support classic ASP.

http://www.tipstricks.org/
0
 

Author Closing Comment

by:JohnMac328
ID: 31466658
Thanks both of you for all your help
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question