Some Exchange 2003 SP2 security concern - NDR attack
Posted on 2009-04-01
This is a 2003 AD Domain, with one Exchange 2003 SP2 server. I've configured this exchange server to allow my users, that stationed in overseas to send/receive mails thru outlook express, a plain smtp/pop3 method.
Recently, there was an attack, believe to be NDR attack, with hacker that made use of this exchange server to relay his/her mails. I can clearly see that hundreds of queues, with Sender address in - outsider_user_name@other_company.com.br, in the message queue.
How can I tighten the security against this kind of attack. It happened twice within one month's time.
I've some queries on 2 settings as follows:
1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?
2. In ESM, Default Smtp virtual server -> access -> connection, ticked All except the list below; in the list is blank.
3. in ESM, Default Smtp virtual server -> Access -> Relay, Relay restriction. Ticked Only the list below, in the list is blank. Ticked Allow all computer successfully authenticated to relay, regardless of the list above.
For number 3, shall I untick "Allow all computer successfully authenticated to relay, regardless of the list above, and then selective choose those overseas staff's user accounts for relaying mails OR untick the above 2 selections?