FYI: Keep those passwords alphanumeric... spammers use a new tact to relay

  • Thread starter Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]

Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]

Passing this along....

http://www.sbsfaq.com/news/getArtic...40A459B27C5FF7E6840000B1E572030000&path=News/

I've been investigating this week how one of my customers was used as a
spam relay host - even though they are not an open relay host. It's a
detailed issue and according to a number of other sources is a new method
the spammers are using to "sell their products". I've written up an
article (rather than post something too long here) and posted it on
www.sbsfaq.com if you're interested.

I'd be interested to hear feedback on the people who have seen this attack.

Regards,
Wayne Small [SBS-MVP]
MCSE+I MCSE 2000
Technical Director - Correct Solutions Pty Ltd
For all the answers on Small Business Server 2000 - check out
www.sbsfaq.com


-----------------------------------------------------
And I also got this email.....

Recently we released ORF version 1.2 which automatically whitelists
emails which are sent from authenticated sources.
In the past few days we have received numerous emails from our users
complaining about unauthorized spam mail relaying via their servers.
After investigating these events we found that the spammers are using a
new technique for finding relay servers. They get a valid
username/password for the server and use that account to relay their
mail through.
More information about the issue and the prevention for it can be found
here:
http://www.vamsoft.com/orf/authattack.asp
Sincerely,
Gyula Karakas, CEO
Vamsoft Ltd.
http://www.vamsoft.com

--
"Don't lose sight of security. Security is a state of being, not a
state of budget. He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches. Demand
better security from vendors and hold them responsible. Use what
you have, and make sure you know how to use it properly and
effectively."
~ Rain Forest Puppy

http://www.wiretrip.net/rfp/txt/evolution.txt
 

Cherry Qian

Hi Wayne,

Thank you for the information posting. As for more information on
preventing mail relay, please refer to the following knowledge base
articles:

310356 HOW TO: Prevent Mail Relay in the IIS 5.0 SMTP Server in Windows 2000
http://support.microsoft.com/?id=310356

310380 HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in
Windows
http://support.microsoft.com/?id=310380

Hope the above information and suggestion helps and answers your question.
Meanwhile, we will keep close watch on the similar issues and keep you
posted.

Have a nice day!


Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 

Cherry Qian

Hi,

Thank you for the posting again. As you indicated the spam are now using
other means. We will keep close watch on this and perform further research.

Meanwhile, you can try to configure relay restrictions in the registry,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\MSExchangeIMC\Parameters

The following examples outline the value, the data type, and the function
the value performs. After you make the changes, stop the Internet Mail
Service, and then restart it.

- RelayFlags, REG_DWORD
  Defines which relay control rules are in effect.

- RelayDenyList, REG_MULTI_SZ
  Specifies hosts that cannot relay messages through your server.

- RelayAllowList, REG_MULTI_SZ
  Specifies hosts that can relay messages through your server.

- RelayLocalIPList, REG_MULTI_SZ
  Specifies the local IP addresses of the server that an SMTP client can
  connect to and relay mail. This is useful for multi-homed servers that
  have internal and external interfaces. Enabling IP forwarding disables
  this feature.

NOTE: RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net
address and optional mask per line. Order is not important in these lists.
Each line consists of two parts, the net address and the mask, separated by
a semicolon. For example:

    Net[;mask]

If the mask is omitted, the default used is 255.255.255.255.

A net address matches a rule if the bitwise-AND of the IP address and the
mask equals the net. That is:

    (IP Address AND mask) = net

For example:

- To add net 192.168.0.0 to a list, add the following line to the list:

    192.168.0.0;255.255.0.0

- To add the host 192.168.1.17 to a list, add one of the following lines to
  the list:

    192.168.1.17;255.255.255.255

  - or -

    192.168.1.17


What follows is the logic that is used to determine if the client can relay
mail. If none of these statements apply, the client is not allowed to relay
mail.

For more information and further suggestion, please refer to the following
articles for more information and suggestion:

199656 XIMS: How to Stop Spam Mail Messages from Using IMS Relay Agent
http://support.microsoft.com/?id=199656

279860 XFOR: How to Stop Internet Mail Service from Relaying Junk E-mail
http://support.microsoft.com/?id=279860

If you are in SBS environment, please try this:

324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP
http://support.microsoft.com/?id=324958

Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.

Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
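
The Net[;mask] matching rule quoted in the reply above, worked through as an added example (not part of the original thread and not Microsoft's code). It checks addresses against list lines and flags lines that can never match or that match everything; the sample list and the function names are constructed for illustration.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.255"  # default the post gives when the mask is omitted
ALL_ONES = 0xFFFFFFFF

# Constructed sample list, not taken from any real server.
SAMPLE_ALLOW_LIST = [
    "192.168.0.0;255.255.0.0",   # example from the post: a whole net
    "192.168.1.17",              # example from the post: one host, mask omitted
    "10.1.2.3;255.255.255.0",    # constructed mistake: host bits left in the net
    "0.0.0.0;0.0.0.0",           # constructed mistake: matches everything
]

def parse_entry(line):
    """Split one 'Net[;mask]' line into (net, mask) as 32-bit integers."""
    net_text, _, mask_text = line.strip().partition(";")
    net = int(ipaddress.IPv4Address(net_text.strip()))
    mask = int(ipaddress.IPv4Address(mask_text.strip() or DEFAULT_MASK))
    return net, mask

def matches(ip, entry):
    """Apply the rule from the post: (IP address AND mask) == net."""
    net, mask = parse_entry(entry)
    return (int(ipaddress.IPv4Address(ip)) & mask) == net

def audit(entries):
    """Return (entry, problem) pairs for lines that deserve a second look."""
    findings = []
    for entry in entries:
        try:
            net, mask = parse_entry(entry)
        except ValueError as exc:  # AddressValueError is a ValueError
            findings.append((entry, f"unparseable: {exc}"))
            continue
        host_bits = ~mask & ALL_ONES
        if net & host_bits:
            findings.append((entry, "net has bits outside the mask, so no address can match"))
        elif mask == 0:
            findings.append((entry, "mask 0.0.0.0 matches every address"))
        elif host_bits & (host_bits + 1):
            findings.append((entry, "mask is not a contiguous run of 1 bits"))
    return findings

if __name__ == "__main__":
    for entry, problem in audit(SAMPLE_ALLOW_LIST):
        print(f"{entry!r}: {problem}")
```
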
 
