Solved

Some Exchange 2003 SP2 security concern - NDR attack

Posted on 2009-04-01
3
216 Views
Last Modified: 2012-05-06
This is a 2003 AD Domain, with one Exchange 2003 SP2 server. I've configured this exchange server to allow my users, that stationed in overseas to send/receive mails thru outlook express, a plain smtp/pop3 method.

Recently, there was an attack, believe to be NDR attack, with hacker that made use of this exchange server to relay his/her mails. I can clearly see that hundreds of queues, with Sender address in - outsider_user_name@other_company.com.br, in the message queue.

How can I tighten the security against this kind of attack. It happened twice within one month's time.

I've some queries on 2 settings as follows:

      1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?
      2. In ESM, Default Smtp virtual server -> access -> connection, ticked All except the list below; in the list is blank.
      3. in ESM, Default Smtp virtual server -> Access -> Relay, Relay restriction. Ticked Only the list below, in the list is blank. Ticked Allow all computer successfully authenticated to relay, regardless of the list above.

For number 3, shall I untick "Allow all computer successfully authenticated to relay, regardless of the list above, and then selective choose those overseas staff's user accounts for relaying mails OR untick the above 2 selections?

Any suggestion?
0
Comment
Question by:Balack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 3

Expert Comment

by:qualchoice-it
ID: 24045843
Hello, what you can do is under the Realy button inside SMTP Virtual Server Properties in Exchange, specify a range of internal IP addresses that are allowed to relay off your exchange server, I would un-tick the last box "Allow all computers which successfully authenticate to relay".
0
 

Author Comment

by:Balack
ID: 24047322
Hi Qualchoice-it,

I made a mistake in the the previos mail:

   1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?

The answer is YES, I've to tick "Basic Authentication" with basic domain stated. Or else external users can't send/receive mails.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24048737
NDR attacks are stopped by using recipient filtering and the tarpit.

If you have users who need to relay through the server, then your best option is to use the Users tab to control which users can do that, and ensure that Administrator is NOT listed on them. The administrator account is usually the one that is attacked.

Authentication settings on the SMTP virtual server will not make any difference, they are simply the type. Basic is required for SMTP transfer.

Simon.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question