Solved

Some Exchange 2003 SP2 security concern - NDR attack

Posted on 2009-04-01
Last Modified: 2012-05-06
This is a 2003 AD domain with one Exchange 2003 SP2 server. I've configured this Exchange server to allow my users who are stationed overseas to send/receive mail through Outlook Express, a plain SMTP/POP3 method.

Recently, there was an attack, believed to be an NDR attack, in which a hacker made use of this Exchange server to relay his/her mail. I can clearly see hundreds of queues, with sender address outsider_user_name@other_company.com.br, in the message queue.

How can I tighten the security against this kind of attack? It happened twice within one month's time.

I have some queries on 2 settings as follows:

      1. In ESM, Default SMTP Virtual Server -> Access -> Authentication: currently, only Anonymous and Integrated Windows Authentication are ticked. Shall I tick Basic Authentication, with the basic domain stated?
      2. In ESM, Default SMTP Virtual Server -> Access -> Connection: ticked "All except the list below"; the list is blank.
      3. In ESM, Default SMTP Virtual Server -> Access -> Relay, Relay Restrictions: ticked "Only the list below"; the list is blank. Ticked "Allow all computers which successfully authenticate to relay, regardless of the list above".

For number 3, shall I untick "Allow all computers which successfully authenticate to relay, regardless of the list above" and then selectively choose those overseas staff's user accounts for relaying mail, OR untick the above 2 selections?

Any suggestion?
0
Question by:Balack
3 Comments
 
LVL 3

Expert Comment

by:qualchoice-it
ID: 24045843
Hello, what you can do is, under the Relay button inside the SMTP Virtual Server Properties in Exchange, specify a range of internal IP addresses that are allowed to relay off your Exchange server. I would un-tick the last box, "Allow all computers which successfully authenticate to relay".
0
 

Author Comment

by:Balack
ID: 24047322
Hi Qualchoice-it,

I made a mistake in the previous mail:

   1. In ESM, Default SMTP Virtual Server -> Access -> Authentication: currently, only Anonymous and Integrated Windows Authentication are ticked. Shall I tick Basic Authentication, with the basic domain stated?

The answer is YES, I have to tick "Basic Authentication" with the basic domain stated. Otherwise external users can't send/receive mail.
0
 
LVL 65

Accepted Solution

by: Mestha (earned 1500 total points)
ID: 24048737
NDR attacks are stopped by using recipient filtering and the tarpit.

If you have users who need to relay through the server, then your best option is to use the Users tab to control which users can do that, and ensure that Administrator is NOT listed on them. The administrator account is usually the one that is attacked.

Authentication settings on the SMTP virtual server will not make any difference; they are simply the type. Basic is required for SMTP transfer.

Simon.
0
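As an added illustration (not from this thread, and not part of Exchange) of what the accepted answer's two controls target, the script below scans constructed, simplified Exchange 2003 SMTP virtual server log lines for the two patterns in play: accepted RCPT TOs for local addresses that are not real mailboxes (what recipient filtering would reject, and what otherwise turns into an NDR to the forged sender) and relay to external domains through an unauthenticated session or through an authenticated account such as Administrator. The field layout, addresses, mailbox list and thresholds are all assumptions.

```python
from collections import defaultdict
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}  # constructed list
LOCAL_DOMAINS = {"example.com"}                              # constructed
UNKNOWN_RCPT_LIMIT, RELAY_RCPT_LIMIT = 3, 3                  # constructed thresholds

# Constructed sample lines (not a real capture); simplified W3C fields assumed:
# date time c-ip cs-username cs-method cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "2009-04-01 08:00:01 203.0.113.9 - MAIL FROM:<outsider_user_name@other_company.com.br> 250",
    "2009-04-01 08:00:01 203.0.113.9 - RCPT TO:<aaa@example.com> 250",
    "2009-04-01 08:00:02 203.0.113.9 - RCPT TO:<aab@example.com> 250",
    "2009-04-01 08:00:02 203.0.113.9 - RCPT TO:<aac@example.com> 250",
    "2009-04-01 08:05:00 192.0.2.20 - MAIL FROM:<partner@partner.example> 250",
    "2009-04-01 08:05:00 192.0.2.20 - RCPT TO:<alice@example.com> 250",
    "2009-04-01 08:10:00 198.51.100.7 Administrator MAIL FROM:<x@other_company.com.br> 250",
    "2009-04-01 08:10:01 198.51.100.7 Administrator RCPT TO:<a@t1.example> 250",
])

def parse_line(line):
    """Fields (ip, user, verb, arg, status) of one log line, or None if malformed."""
    parts = line.split(None, 6)
    return dict(zip(("ip", "user", "verb", "arg", "status"), parts[2:])) if len(parts) == 7 else None

def address(arg):
    """Lower-cased address from 'TO:<user@host>' or 'FROM:<user@host>'."""
    start, end = arg.find("<"), arg.rfind(">")
    return arg[start + 1:end].lower() if 0 <= start < end else ""

def analyse(log_text):
    """Return {client_ip: finding}. Flags accepted RCPT TOs to non-existent local
    mailboxes (NDR-attack input) and relay to external domains when unauthenticated,
    via the Administrator account, or above RELAY_RCPT_LIMIT recipients."""
    unknown, relay = defaultdict(int), defaultdict(lambda: ["", 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["verb"] != "RCPT" or rec["status"] != "250":
            continue  # only accepted recipients matter; rejected ones produce no NDR
        addr = address(rec["arg"])
        if addr.rpartition("@")[2] in LOCAL_DOMAINS:
            if addr not in KNOWN_MAILBOXES:
                unknown[rec["ip"]] += 1
        else:
            relay[rec["ip"]][0] = rec["user"]
            relay[rec["ip"]][1] += 1
    findings = {ip: {"pattern": "unknown_recipients", "count": n}
                for ip, n in unknown.items() if n >= UNKNOWN_RCPT_LIMIT}
    for ip, (user, n) in relay.items():
        if user == "-" or user.lower() == "administrator" or n >= RELAY_RCPT_LIMIT:
            findings[ip] = {"pattern": "relay", "user": user, "count": n}
    return findings
```

Run `analyse(SAMPLE_LOG)` to see the two flagged sources; the partner host that only mails a real mailbox is not reported.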
