
Loophole for relaying spammers

We have an Exchange 2000 server running and our Internet Service Provider informed us that our server has been spamming lately.

We have:

Disabled open relaying
Checked that there are no open ports
Installed Symantec MailSecurity
Updated all necessary security updates/patches from Microsoft
Disabled Guest account

What other loopholes are there?


The big loophole you have remaining is your password policy. I know that you are asking yourself "what does that have to do with spam?" Well, as it turns out, a great deal.

If a spammer can compromise a legitimate account in your company, it is possible for them to relay off of your SMTP servers using an SMTP AUTH attack. In simple terms, this means relaying mail (spamming) with a valid, albeit compromised, account.

The best protection against this is a strong password policy with strict enforcement of that policy. You might also consider implementing "passphrases" -- like 'You can't always get what you want' -- as they are easy to remember, yet extremely complex for a brute force attack to crack. Of course, if this has already occurred, then you need to enforce a companywide password change, along with the stronger password policy.

I would also recommend that you periodically test your external SMTP host, with a tool such as telnet, to see if you can relay off it. This is important because you don't want to just take your Internet Service Provider's word for it. It is entirely possible that a spammer has hijacked your SMTP domain name and used it for sending out spam. Of course, if they do this, it looks like it came from your SMTP domain.

Doing an NSLookup on the IP address in the header of the spam will reveal, however, that it did not come from your servers. This is very common practice amongst spammers, and it sometimes leads to the erroneous reporting of e-mail abuse to your Internet Service Provider. Most Internet Service Providers will confirm that the mail is indeed from your servers before putting you on notice, but there is always that chance they won't do their due diligence.
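As an added example, not part of this Q&A or the expert's own material, the following Python script performs the two checks recommended above against your own mail host: an outside-to-outside relay probe that stops before DATA (so nothing is delivered even if the host turns out to be open), and extraction of the hop IPs from Received: headers so that the entry point of a complained-about message can be compared with your server's addresses. The host names, the sample header and the in-memory server transcripts are constructed for illustration; `check_host` is the only function that touches the network.

```python
import io
import re
import socket

# Constructed addresses in reserved documentation domains; neither is local to
# the server under test, so accepting the RCPT TO means the host relays.
OUTSIDE_SENDER = "probe@example.net"
OUTSIDE_RECIPIENT = "nobody@example.org"


class SmtpDialog:
    """Line-oriented SMTP client over file-like objects (socket.makefile()
    for a live host or, for offline use, io.StringIO)."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    def read_reply(self):
        # Multi-line replies use "250-..." continuation lines; "250 " ends them.
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            line = line.rstrip("\r\n")
            if not line[:3].isdigit():
                raise ValueError(f"malformed SMTP reply: {line!r}")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3])

    def send(self, command):
        self.wfile.write(command + "\r\n")
        self.wfile.flush()
        return self.read_reply()


def check_open_relay(rfile, wfile, helo_name="relaytest.invalid"):
    """True if the server accepts mail from an outside sender to an outside
    recipient (it relays); False if it refuses. DATA is never sent."""
    dlg = SmtpDialog(rfile, wfile)
    if dlg.read_reply() != 220:            # greeting banner
        raise RuntimeError("no 220 banner")
    if dlg.send(f"EHLO {helo_name}") != 250:
        dlg.send(f"HELO {helo_name}")      # fall back for pre-ESMTP hosts
    relays = False
    if dlg.send(f"MAIL FROM:<{OUTSIDE_SENDER}>") == 250:
        relays = dlg.send(f"RCPT TO:<{OUTSIDE_RECIPIENT}>") in (250, 251)
        dlg.send("RSET")                   # abandon the envelope
    dlg.send("QUIT")
    return relays


def check_host(host, port=25, timeout=10):
    """Run the relay check against a live host (your own MTA)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace") as rf, \
             sock.makefile("w", encoding="ascii") as wf:
            return check_open_relay(rf, wf)


def transcript(*server_lines):
    """Offline stand-in for a server: scripted replies as a readable file
    plus a sink for whatever the client writes."""
    return (io.StringIO("".join(line + "\r\n" for line in server_lines)),
            io.StringIO())


# Header analysis: which IP actually handed the message to each hop? --------

_HOP_IP = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)
_RECEIVED = re.compile(r"^Received:\s*(.*?)(?=^\S|\Z)", re.I | re.M | re.S)


def received_ips(raw_headers):
    """Bracketed source IP of each Received: hop, newest first. Folded
    continuation lines (leading whitespace) stay with their header."""
    return [m.group(1) for m in
            (_HOP_IP.search(r.group(1)) for r in _RECEIVED.finditer(raw_headers))
            if m]


def passed_through(raw_headers, our_ips):
    """True if any hop in the chain is one of our addresses. A message whose
    From: carries our domain but whose hops never touch our IPs only wore
    our name; the abuse complaint belongs to the owner of the bottom hop."""
    return any(ip in our_ips for ip in received_ips(raw_headers))


# Constructed sample: forged to look like ours, injected by 203.0.113.77
# straight into the recipient's MX; our server 192.0.2.10 never saw it.
FORGED_HEADERS = (
    "Received: from mail.ourcompany.invalid (unknown [203.0.113.77])\r\n"
    "\tby mx.example.org with SMTP; Tue, 7 Jun 2005 10:00:00 +0000\r\n"
    "From: someone@ourcompany.invalid\r\n"
    "Subject: constructed sample\r\n"
)
OUR_SERVER_IPS = {"192.0.2.10"}

if __name__ == "__main__":
    rf, wf = transcript("220 ready", "250-hi", "250 OK", "250 OK",
                        "250 OK", "250 OK", "221 bye")
    print("simulated open relay:", check_open_relay(rf, wf))
    print("hops:", received_ips(FORGED_HEADERS),
          "via our servers:", passed_through(FORGED_HEADERS, OUR_SERVER_IPS))
```

The relay probe only ever sends envelope commands and resets before quitting, which is what a telnet session would do by hand; running `check_host("your.mail.host")` from a machine outside your network is the periodic self-test the answer recommends. The header helper resolves nothing on its own: once `received_ips` gives you the hop addresses, an NSLookup on the bottom-most one tells you whose host injected the message.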


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

I ran into the same issue. I struggled to find how the spam was getting through for a long time. Finally, I had to call PSS at Microsoft. It turns out that there is an exploit/bug in Exchange 2000 server that spammers can use to send e-mail to nonexistent addresses. When they get the non-delivery report, they modify headers to send spam. The only way to turn it off is to turn off NDRs for the Exchange server.
—Dave K.




This was last published in June 2005.
