Mail Server Flaw Opens MS Exchange to Spam 487
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
Finally, linux integration for me! (Score:2, Interesting)
Read the fine article. (Score:5, Insightful)
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "
Re:Read the fine article. (Score:4, Funny)
Re:Read the fine article. (Score:3, Interesting)
No kidding. As a former Exchange admin, POP/SMTP/... support -- or at a bare minimum an upgrade to Exchange 2000 -- is exactly what I do want so I can stop using that damn Outlook Web Access (OWA).
I've asked multiple times if they have plans for any upgrade -- I've sent links to alternatives, asked if Exchange 2000 was planned -- and get no response from corporate except "onl
Re:Read the fine article. (Score:3, Informative)
Version 1.4 of the connector was recently released to support exchange 2003
Re:Read the fine article. (Score:5, Interesting)
Re:Read the fine article. (Score:5, Insightful)
Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.
Re:Read the fine article. (Score:5, Insightful)
Yes. That the generally accepted argument behind the 'Windows has a lower TCO than Unix' argument (that Windows admins are generally cheaper than Unix admins) is utter bollocks if you actually want a secure system that won't get your mail rejected by approximately a quarter of the internet.
Re:Read the fine article. (Score:3, Informative)
Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.
Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.
Hey Mr Insightful Exchange Admin, maybe you could read posts you reply to? The poster said they wanted to let the guest account send mail and your response is to make the guest account unable to
Re:Read the fine article. (Score:4, Informative)
Re:Read the fine article. (Score:4, Funny)
OK, I eventually got that for most people, it was probably turned on by a Code Red infection.
I'm still curious about what potential purpose such an account would serve though? Is it necessary for internal housekeeping or something?
which you would know if you had bothered to read more than the one comment you were replying to
What, you mean that as well as R'ing the F'ing A, I'm also obliged to R *all* the F'ing C's as well?
You are joking, right?
Re:Read the fine article. (Score:4, Funny)
"No, it's turned off by default"
OK, I eventually got that for most people, it was probably turned on by a Code Red infection.
I'm still curious about what potential purpose such an account would serve though? Is it necessary for internal housekeeping or something?
"which you would know if you had bothered to read more than the one comment you were replying to"
What, you mean that as well as R'ing the F'ing A, I'm also obliged to R *all* the F'ing C's as well?
You are joking, right?
Nope, to earn the right to post on Slashdot, you must read every comment, the whole article and all the links. Then you should read the man pages for every *NIX, the whole of Microsoft Technet, and all of the RFC's. That done, you may return to post. What you say?! Discussion archived? Oh well, reading all that will be much better than Slashdot, and you'll probably outgrow posting here by then, too. :)
Re:Read the fine article. (Score:3, Informative)
Please read the article. This is not a flaw in exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of s
Re:Finally, linux integration for me! (Score:3, Insightful)
So, I have been using outlook with codeweaver's crossover office (http://codeweavers.com/site/products/cxoffice/), which you are no doubt aware of, but if you haven't tried it, it is awesome. While not perfect, it certainly beats the other options of getting exchange mail on a linux desktop (term serv/rdesktop, outlook web access, dual booting, etc), and the small amount of money (~$60) is well worth it
Re:Finally, linux integration for me! (Score:3, Informative)
Re:Finally, linux integration for me! (Score:2)
Re:Finally, linux integration for me! (Score:2)
I'm still trying to figure out a way to politely ask IT to turn it on, without letting it be known that I'm not using Windows.
p.s. I have permission to use FreeBSD at work, and IT doesn't "own" my system. But why provoke them unnecessarily?
Re:Finally, linux integration for me! (Score:3, Interesting)
Second or Third time (Score:5, Insightful)
But, then again, this is the same company that testified under oath that revealing the Windows source code would harm the National Security of the US. Then they licensed the source code to China.
Re:Second or Third time (Score:2, Insightful)
The versions of exchange that are 'vulnerable' are 5.5 and 2000.
They're vulnerable mostly because of a virus that hit in 1999 that affected admins who didn't know what they were doing in the first place, probably because they stole their copy of windows.
You're going to hold MS responsible for the acts of people who have no business administering a server, 3 years after the product was FIXED?
Re:Second or Third time (Score:4, Interesting)
besides, ms argues that anybody can be an administrator. they can't argue that and say that security is their top priority(or, they can, but they'll be bullshitting in one way or another).
also they provided a tool that was supposed to check if you were compromised, yet it didn't(so even competent admins could have fallen for it IF they trusted ms, and if you don't trust the guys that provide you a proprietary os, who the hell are you going to trust?).
Re:Do not go too far... (Score:2)
No? Oh well.
Re:Finally, linux integration for me! (Score:2)
Ensure (Score:2, Interesting)
Re:Ensure (Score:2)
Re:Ensure (Score:3, Informative)
Re:Ensure (Score:3, Funny)
indemnity? (Score:4, Insightful)
Re: indemnity? (Score:5, Funny)
> Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
Yes, they agree to only charge you one license for the unauthorized use of 'guest', no matter how many spammers are actually using it.
They also agree to send someone to show your PHB some overdecorated ppt slides about how secure their software is, if incidents like this have him thinking about switching to another software supplier.
This Just In... (Score:5, Insightful)
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
Re:This Just In... (Score:3, Insightful)
Of course, this was in early 2000, and it was mostly to achieve win98 compatibility. These days I'd probably find a much better way to do it.
The original point stands, though: this isn't a bug in exchange, it's yet another example of stupid administrators causing problems for the rest of the world.
guest accounts (Score:5, Insightful)
Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
Or Default Passwords...? (Score:3)
The system should at least make you do a security question, or *something*. Even "type your last name to gain Administrator access" would be more secure than "Admin".
The bottom line is, any sysAdmin who buys a software package because it's got a "security guarantee" needs to be hit in the face with a hammer, repeatedly.
Re:guest accounts (Score:5, Insightful)
Re:guest accounts (Score:4, Interesting)
Re:guest accounts (Score:3, Interesting)
Re:guest accounts (Score:3, Informative)
Still, the folks writing worms (so far) don't exhibit signs of being particularly knowledgeable about Windows. They're basically script kiddies who dare to break out Notepad and fiddle around a bit. I don't know of any source of statistics for failed worm writing attempts, so who knows what the ratio is of wannabe worm authors vs the ones who manage to make one that works.
My point is that even though a given security measure can be defeated by a determined & informed attacker, it
Re:guest accounts (Score:3, Funny)
No, but I've typed 'Administraitor' before... :)
Guest Accounts (Score:5, Interesting)
Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".
In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.
In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.
If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.
Re:Guest Accounts (Score:3, Informative)
Using the guest account is probably the worst way that I can think of to share files... oh wait, I just thought of a worse one -
Re:guest accounts (Score:3, Interesting)
Having an user with no privileges whatsoever (at least in theory) is a very handy convenience.
Are you INSANE? (Score:4, Interesting)
I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.
The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.
Re:Are you INSANE? (Score:2, Insightful)
Find me a linux app that integrates with the most popular and widespread office suite in the world, that allows me to assign tasks, share calendars, keep track of documents/revisions, and has a zero learning curve for the entire office staff that's already standardized on a
Re:Are you INSANE? (Score:2)
grep awk sed & bash
Re:Are you INSANE? (Score:5, Insightful)
> and say "show me all of the messages sent through server x that were
> to or from user y", and then print the results with "to", "from",
> "subject", and delivery status?
>
*application*? You're joking, right? This is a shell one-liner ffs...
$ grep '[serverIP]' logfile | grep userX | grep userY | awk '{print $2, $4, $6, $8}'
- off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin [cygwin.com]) and it's available now, free of charge.
You're welcome.
RTFA (Score:2, Insightful)
Open relays are not a big problem? Right.
What Microsoft really means we are making money on it so it's not a problem shut up and go away and leave us alone.
Re:RTFA (Score:2)
Three words... (Score:3, Informative)
Re:Three words... (Score:3, Insightful)
Buy a Mac! ;)
Guest account (Score:3, Informative)
after disabling guest to rename both accounts to something hard to guess.
It might shock you but on my Linux boxes the superuser is not called 'root' either.
Re:Guest account (Score:2, Insightful)
Re:Guest account (Score:2)
This really surprises me, because in theory, one shouldn't need read-access to that file. I just tried to chmod 600 /etc/passwd and I had linux complain, there really should be a workaround to disable passwd from being readable, because it IS a security risk...
Do a Google for password shadowing. Rinse and repeat.
password shadowing (Score:2)
man 5 shadow
Re:password shadowing (Score:2)
For sure, but it becomes rather difficult to perform a dictionary attack on the password hashes if they can't be read. That is the hole which shadowing plugs.
Re:Guest account (Score:4, Informative)
1. you have to login to the machine to read
2. the standard root-kits just assume it's called root.
Issue with 5.5 not with 2000 (Score:4, Informative)
If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and underupdated that it is more efficient to work on a new mail server with new software.
I'm not even in the slightest surprised (Score:2)
More FUD for the Linux Side (Score:4, Insightful)
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
Re:More FUD for the Linux Side (Score:4, Funny)
Will probably do better for MS advocacy (Score:3, Insightful)
Re:Will probably do better for MS advocacy (Score:3, Insightful)
I mean hell, you don't so much admin exchange as wrestle with it(although this might have changed).
And realistic criticism pretty much amounts to: Hire someone with experience, good references, who knows their stuff and the only difference in security is going to be employment cost versus sunk cost.
There is no remote MS flaw that can't be worked around to my knowledge, and th
Re:Will probably do better for MS advocacy (Score:3, Interesting)
That's not possible w/Windows.
(For example, chroot jails to limit exposure, etc.)
Re:More FUD for the Linux Side (Score:2, Informative)
Re:More FUD for the Linux Side (Score:2)
A simple login 'failure' only locks them out from a single user account. If they can authenticate on any of the other accounts, they're still a logged in user. If the guest account is active, they'll be able to authenticate, and voilà.
If you actually know what you're doing with Windows, you disabled that account years ago.
Re:More FUD for the Linux Side (Score:2)
As "fair and balanced" as that other fair and balanced news source anyway.
Re:More FUD for the Linux Side (Score:3)
I can easily see how many people would simply RTFA on how to remove it, not read anything about it re-enabling the guest account, and simply think they are okay.
After a quick read of the Symantec removal steps, they did not include anything about
I've never had a problem... (Score:4, Insightful)
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
Hmmmm. (Score:3, Insightful)
Re:Hmmmm. (Score:2)
If you leave the guest account activated (Score:3, Insightful)
Also, The guest account is disabled by default.
Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
News Flash! (Score:3, Insightful)
Balance (Score:2, Insightful)
And please stop quoting out of context, it was always said the focus on security was for new products. Exchange 5.5 is hardly a new product. Find a problem in Exchange 2003 and then you can complain.
Re:Balance (Score:2)
You will always need to upgrade software, you will always need to patch it, the only real difference is MS charges you for it every few years.
anyone running an exposed exchange box......... (Score:2)
Simple problem, simple fix (Score:5, Informative)
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
Re:Simple problem, simple fix (Score:4, Informative)
This is 90% correct. It's important to understand the function of the "Guest" account in Windows. It allows any user, using any login name, and any password, to authenticate. Enabling the "Guest" account does not allow the username "Guest" to login specifically, it enables any username, which does not match an existing user in Active Directory or the local SAM to authenticate.
Clearly this is a security vulnerability, and why the Guest account ships in the disabled state. It would be very nice if Windows would warn you when you enabled it, and made an attempt to explain the implications of doing so.
With regards to attempts at guessing SMTP AUTH passwords, this has been happening lately. One caveat is that on a Linux box it can be difficult to enumerate the usernames, while on a Windows box (AD/NT/workstation) it is usually quite easy <insert obligatory firewall statement here>.
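The Guest catch-all described in this comment, together with the password-guessing path in the parent and the per-user "disallow sending" mitigation suggested earlier in the thread, modelled in Python as an added example (not the article's, the thread's or Microsoft's code). The account store, the attempt list and the `authenticate`/`may_relay`/`audit_attempts` helpers are constructed for illustration and follow the behaviour the thread describes, not the real NT logon code.

```python
"""Model of the Windows Guest 'catch-all' logon and its effect on SMTP AUTH relaying.

Added example, not the article's, the thread's or Microsoft's code. The account
store, attempt list and rules are constructed to show the thread's point: with
Guest enabled an unknown username with any password logs on *as Guest*, and any
authenticated session may relay unless Guest is barred from sending.
"""
from dataclasses import dataclass
from hmac import compare_digest


@dataclass
class AccountStore:
    users: dict                   # username -> password (constructed; real SAM/AD stores hashes)
    guest_enabled: bool = False   # ships disabled; Code Red clean-ups left it enabled
    guest_can_send: bool = True   # Exchange per-user "disallow sending" knob from the thread


def authenticate(store: AccountStore, username: str, password: str):
    """Return the account a logon lands on, or None when it is refused."""
    expected = store.users.get(username)
    if expected is not None:
        # Known user: password must match; a wrong one does not fall through to Guest.
        return username if compare_digest(expected, password) else None
    # Unknown username: with Guest enabled the logon maps to Guest, whatever the password.
    return "Guest" if store.guest_enabled else None


def may_relay(store: AccountStore, username: str, password: str) -> bool:
    """SMTP AUTH relay decision: any authenticated session may relay."""
    account = authenticate(store, username, password)
    if account is None:
        return False
    if account == "Guest" and not store.guest_can_send:
        return False              # Guest may log on but is barred from sending
    return True


def audit_attempts(store: AccountStore, attempts):
    """Count attempts accepted as a real user, accepted via Guest, and rejected.
    On a correctly configured server the 'as_guest' count should be zero."""
    summary = {"as_user": 0, "as_guest": 0, "rejected": 0}
    for username, password in attempts:
        account = authenticate(store, username, password)
        if account is None:
            summary["rejected"] += 1
        elif account == "Guest":
            summary["as_guest"] += 1
        else:
            summary["as_user"] += 1
    return summary


# Constructed sample: one real mailbox plus the kind of attempt list a
# password-guessing spammer generates (made-up usernames, dictionary passwords).
SAMPLE_USERS = {"alice": "correct-horse-battery"}
SAMPLE_ATTEMPTS = [
    ("alice", "password"),               # real user, wrong password: refused in every config
    ("alice", "correct-horse-battery"),  # real user, right password
    ("bob", "123456"),                   # no such user
    ("sales", "Summer2003"),             # no such user
    ("relay", "relay"),                  # no such user
]


def compare_configs():
    """Run the same attempts against the cleaned-but-unfixed box and two fixed ones."""
    cleaned = AccountStore(SAMPLE_USERS, guest_enabled=True)
    restricted = AccountStore(SAMPLE_USERS, guest_enabled=True, guest_can_send=False)
    hardened = AccountStore(SAMPLE_USERS, guest_enabled=False)
    relays = lambda s: sum(may_relay(s, u, p) for u, p in SAMPLE_ATTEMPTS)
    return {
        "cleaned_audit": audit_attempts(cleaned, SAMPLE_ATTEMPTS),
        "relays_cleaned": relays(cleaned),
        "relays_restricted": relays(restricted),
        "relays_hardened": relays(hardened),
    }
```

Against the constructed attempt list the cleaned-but-unfixed store accepts three of the five attempts via Guest, while disabling Guest or barring it from sending leaves only the genuine logon able to relay.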
Re:Simple problem, simple fix NOPE (Score:2, Informative)
the article says:
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall,"
The Pseudo CNET FUD continues... (Score:4, Insightful)
I agree it's a potential issue, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing. Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
Please... (Score:2, Insightful)
Also, what software at Microsoft says it's secure? The only thing I can think of is MBSA [microsoft.com] and that pretty much just tells you if you have all patches installed. Notice how Exchange 2003 doesn't suffer from this problem. Also, it relies on a misconfigured server or a server that was previously infected from code red. This feature is off by default. IMHO,
Turn off SMTP AUTH (Score:3, Informative)
What is the big deal?
It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
Exchange flaw my ass (Score:3, Insightful)
Um, excuse me? Any idiot with more than 7 days experience administering a Windows server should know that the Guest account is BAD BAD BAD.
By definition "Guest" doesn't require successful authentication to access resources. The entire reason "Guest" exists is to provide un-authenticated access to resources.
I can read bugtraq as well as anyone else, so I'm aware of the past history Microsoft has with the security of its products. However, no sane person could reasonably attribute this "flaw" to Microsoft software. A more apt description is "Flaw in MS Exchange 5.5 and 2000 Administrators".
I mean really. It's like setting a Windows Domain Administrator account password to "Administrator" or "password" (another major cause of Exchange-based spam. Grep USENET and MS KB's for UI).
No software yet written or ever to be written in the future can make up for mistakes, oversights and sometimes just plain stupidity of humans.
Insure? (Score:2, Informative)
What insurance policy would that be on sir?
I think you mean "you may want to ensure..."
security != lots of patches (Score:5, Interesting)
The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS as tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.
Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.
As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.
Re:security != lots of patches (Score:3, Insightful)
Are you smoking crack? Isn't it an administrators *JOB* to know how to do this?
And everyone wonders why IT departments are getting shipped overseas - people think they can be an administrator and not know how to do anything. If I'm going to hire a
Very misleading... (Score:3, Insightful)
Re:Just like sendmail (Score:2, Troll)
Re:Just like sendmail (Score:2, Insightful)
Windows would actually be a decent product if Microsoft could successfully copy the good unix stuff instead of doing perfect copies of its flaws and flawed copies of the stuff that works.
Re:Just like sendmail (Score:3, Informative)
If by ancient history, you mean September 2003 [slashdot.org], yeah sure, Sendmail holes are ancient history.
Re:Actually not just MS (Score:5, Insightful)
If that's not the case, well, what you're saying makes no sense.
Re:Actually not just MS (Score:5, Insightful)
Turns out it's actually a problem in SMTP's RFC
Have you actually read RFC 821 [faqs.org]? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
Re:Actually not just MS (Score:5, Informative)
It wouldn't be mentioned in that RFC as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication [faqs.org] however it doesn't mention anything about a "guest" account specifically, just "accounts".
Modern SMTP mail systems are based on a number of RFC's - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822
seriously... (Score:2, Insightful)
Re:remember the game defender? (Score:2)
Re:Sweet (Score:2, Funny)
actually, given the track record of sendmail on the security front i think i'm just going to keep quiet about this one....
Re:Sweet (Score:2)
And how does that compare with postfix, eh?
Re:Just in: server hacked by year-old-worm vulerna (Score:2, Insightful)
I just submitted these...stay tuned
Re:Same applies to most Linux/Unix servers!!!! (Score:2)
I don't really see your point. Postfix and sendmail, two commonly used mail servers on linux and unix also, if not correctly administered, allow SPAM to be forwarded through them as well.
Ah, my child, but they are not Micro$oft products. Therein lies the nub of the matter, the delineation between yin and yang.
Re:A pedant speaks (Score:2)
Re:A pedant speaks (Score:2)
Re:Microsoft simply cannot do it. (Score:3, Informative)
Not to mention that every software installation or update creates a new system for all practical purposes, because everything is so tightly integrated and interdependent that it's no wonder simple changes have system-wide unintended side effects.