• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Some Exchange 2003 SP2 security concern - NDR attack

This is a 2003 AD Domain, with one Exchange 2003 SP2 server. I've configured this exchange server to allow my users, that stationed in overseas to send/receive mails thru outlook express, a plain smtp/pop3 method.

Recently, there was an attack, believe to be NDR attack, with hacker that made use of this exchange server to relay his/her mails. I can clearly see that hundreds of queues, with Sender address in - outsider_user_name@other_company.com.br, in the message queue.

How can I tighten the security against this kind of attack. It happened twice within one month's time.

I've some queries on 2 settings as follows:

      1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?
      2. In ESM, Default Smtp virtual server -> access -> connection, ticked All except the list below; in the list is blank.
      3. in ESM, Default Smtp virtual server -> Access -> Relay, Relay restriction. Ticked Only the list below, in the list is blank. Ticked Allow all computer successfully authenticated to relay, regardless of the list above.

For number 3, shall I untick "Allow all computer successfully authenticated to relay, regardless of the list above, and then selective choose those overseas staff's user accounts for relaying mails OR untick the above 2 selections?

Any suggestion?
0
Balack
Asked:
Balack
1 Solution
 
qualchoice-itCommented:
Hello, what you can do is under the Realy button inside SMTP Virtual Server Properties in Exchange, specify a range of internal IP addresses that are allowed to relay off your exchange server, I would un-tick the last box "Allow all computers which successfully authenticate to relay".
0
 
BalackAuthor Commented:
Hi Qualchoice-it,

I made a mistake in the the previos mail:

   1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?

The answer is YES, I've to tick "Basic Authentication" with basic domain stated. Or else external users can't send/receive mails.
0
 
MesthaCommented:
NDR attacks are stopped by using recipient filtering and the tarpit.

If you have users who need to relay through the server, then your best option is to use the Users tab to control which users can do that, and ensure that Administrator is NOT listed on them. The administrator account is usually the one that is attacked.

Authentication settings on the SMTP virtual server will not make any difference, they are simply the type. Basic is required for SMTP transfer.

Simon.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now