Solved

Some Exchange 2003 SP2 security concern - NDR attack

Posted on 2009-04-01
3
214 Views
Last Modified: 2012-05-06
This is a 2003 AD Domain, with one Exchange 2003 SP2 server. I've configured this exchange server to allow my users, that stationed in overseas to send/receive mails thru outlook express, a plain smtp/pop3 method.

Recently, there was an attack, believe to be NDR attack, with hacker that made use of this exchange server to relay his/her mails. I can clearly see that hundreds of queues, with Sender address in - outsider_user_name@other_company.com.br, in the message queue.

How can I tighten the security against this kind of attack. It happened twice within one month's time.

I've some queries on 2 settings as follows:

      1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?
      2. In ESM, Default Smtp virtual server -> access -> connection, ticked All except the list below; in the list is blank.
      3. in ESM, Default Smtp virtual server -> Access -> Relay, Relay restriction. Ticked Only the list below, in the list is blank. Ticked Allow all computer successfully authenticated to relay, regardless of the list above.

For number 3, shall I untick "Allow all computer successfully authenticated to relay, regardless of the list above, and then selective choose those overseas staff's user accounts for relaying mails OR untick the above 2 selections?

Any suggestion?
0
Comment
Question by:Balack
3 Comments
 
LVL 3

Expert Comment

by:qualchoice-it
ID: 24045843
Hello, what you can do is under the Realy button inside SMTP Virtual Server Properties in Exchange, specify a range of internal IP addresses that are allowed to relay off your exchange server, I would un-tick the last box "Allow all computers which successfully authenticate to relay".
0
 

Author Comment

by:Balack
ID: 24047322
Hi Qualchoice-it,

I made a mistake in the the previos mail:

   1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?

The answer is YES, I've to tick "Basic Authentication" with basic domain stated. Or else external users can't send/receive mails.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24048737
NDR attacks are stopped by using recipient filtering and the tarpit.

If you have users who need to relay through the server, then your best option is to use the Users tab to control which users can do that, and ensure that Administrator is NOT listed on them. The administrator account is usually the one that is attacked.

Authentication settings on the SMTP virtual server will not make any difference, they are simply the type. Basic is required for SMTP transfer.

Simon.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question