Solved

Some Exchange 2003 SP2 security concern - NDR attack

Posted on 2009-04-01
3
213 Views
Last Modified: 2012-05-06
This is a 2003 AD Domain, with one Exchange 2003 SP2 server. I've configured this exchange server to allow my users, that stationed in overseas to send/receive mails thru outlook express, a plain smtp/pop3 method.

Recently, there was an attack, believe to be NDR attack, with hacker that made use of this exchange server to relay his/her mails. I can clearly see that hundreds of queues, with Sender address in - outsider_user_name@other_company.com.br, in the message queue.

How can I tighten the security against this kind of attack. It happened twice within one month's time.

I've some queries on 2 settings as follows:

      1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?
      2. In ESM, Default Smtp virtual server -> access -> connection, ticked All except the list below; in the list is blank.
      3. in ESM, Default Smtp virtual server -> Access -> Relay, Relay restriction. Ticked Only the list below, in the list is blank. Ticked Allow all computer successfully authenticated to relay, regardless of the list above.

For number 3, shall I untick "Allow all computer successfully authenticated to relay, regardless of the list above, and then selective choose those overseas staff's user accounts for relaying mails OR untick the above 2 selections?

Any suggestion?
0
Comment
Question by:Balack
3 Comments
 
LVL 3

Expert Comment

by:qualchoice-it
Comment Utility
Hello, what you can do is under the Realy button inside SMTP Virtual Server Properties in Exchange, specify a range of internal IP addresses that are allowed to relay off your exchange server, I would un-tick the last box "Allow all computers which successfully authenticate to relay".
0
 

Author Comment

by:Balack
Comment Utility
Hi Qualchoice-it,

I made a mistake in the the previos mail:

   1. In ESM, Default Smtp virtual server -> Access -> Authentication, currently, only Anonymous and Integrated Windows authentication are ticked. Shall I tick Basic authentication, with basic domain stated?

The answer is YES, I've to tick "Basic Authentication" with basic domain stated. Or else external users can't send/receive mails.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
Comment Utility
NDR attacks are stopped by using recipient filtering and the tarpit.

If you have users who need to relay through the server, then your best option is to use the Users tab to control which users can do that, and ensure that Administrator is NOT listed on them. The administrator account is usually the one that is attacked.

Authentication settings on the SMTP virtual server will not make any difference, they are simply the type. Basic is required for SMTP transfer.

Simon.
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
how to add IIS SMTP to handle application/Scanner relays into office 365.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now