Security Incidents mailing list archives

Re: E-Mail relay or break in?


From: KBOGAC () ALLSTATE COM (Bogac, Kevin)
Date: Wed, 9 Feb 2000 11:28:27 -0600


I just resolved this issue on an Exchange 5.5 server earlier in the week.
Even if you set the IMC to not relay mail it can still be done via telnet.
This is the default setting. I connected to some other Exchange SMTP servers
my friends manage and found them to be wide open. The recommended fix is to
enable SMTP relaying and then restrict who can do it. We set it to only
authenticated users but it can be set to no one. Without this setting the
IMC appears not to check if relaying is allowed and just forwards messages
to the addressed recipient. After relaying this info to some friends I
understand this is also a problem on GroupWise and Lotus SMTP servers.

-----Original Message-----
From: Seth Georgion [mailto:sysadmin () SASSPRODUCTIONS COM]
Sent: Tuesday, February 08, 2000 8:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: E-Mail relay or break in?

Mid-day today, while logged in to my exchange 5.5 server at the console, I
received an E-Mail from myself to myself. Technically it was a "Just
Testing" kind of message from my Administrator account to my SysAdmin
account. Of course I never sent it and after further investigation I
discovered that the E-Mail was most certainly sent by telnet and then
subsequently, about a minute later, received by my copy of Outlook 2000.
Before anyone gives me anything about "Did I read my logs?", the answer is
yes, and they indicate that the connection originated to and from my machine.
Let me preface the main question with the statement that this server has
been up for 30 hours and due to other crises around here has not had
mail-relaying disabled yet. My first assumption was that someone was
mail-relaying me and just forging the info but because I have a near
paranoid interest in logging Exchange stuff, I was surprised to see that it
went beyond a simple forged E-Mail. My question is simply "Is this someone
creating a telnet session and forging an E-Mail and tricking out Exchange or
is this someone who has compromised my server and is now trying to gain
control of some E-Mail?"

Here are the relevant logs.
Note: GATE is the name of the server; the IP address 192.168.1.254 is
internal because we use NAT pools.

Here are two Event Logs for it

SMTP connection to Exchange from the Exchange server itself

Date:   2/8/00  Event ID:       2000
Time:   3:14:42 PM      Source: MSExchangeIMC
User:   N/A     Type:None
Computer: GATE  Category: SMTP Interface Events

Description:
A new TCP?IP SMTP connectio has been recieved from host GATE
Logfile: L00000000.LOG

This is the Message transfer and description file.

Date: Above                     Event ID:       2002
Time:   3:14:43 PM              Source: Above
User: N/A                       Type: Information
CComputer: GATE         Category: Message Transfer

Description
A Message from <administrator () sassproductions com> in temporary folder
\imcdata\in\1QHMKPJ7 was recieved from GATE with 1 local recipients.

Here's the E-Mail as stored in imcdata.

â   ImCr        0

:Gr¿        GATE GATE <Administrator () sassproductions com>   c=US;a= ;p=SASS
Productions;l=GATE00020820141QHMKPJ7          O          ASS         8
8          <sysadmin () sassproductions com>  known  EwLsReceived: from GATE
([192.168.1.254]) by gate.sassproductions with SMTP (Microsoft Exchange
Internet Mail Service Version 5.5.2650.21)
        id 1QHMKPJ7; Tue, 8 Feb 2000 15:14:43 -0500
From: Administrator () sassproductions com
To: sysadmin () sassproductions com
Subject: This is a test mail

This is a test message...did I get it

And here is the log of what the person typed in word for word.

2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO 
|
2/8/00 3:14:42 PM : <<< HELO 
2/8/00 3:14:43 PM : >>> 250 OK

2/8/00 3:14:43 PM : <<< IO: |MAIL FROM:<Administrator () sassproductions com>
|
2/8/00 3:14:43 PM : <<< MAIL FROM:<Administrator () sassproductions com>
2/8/00 3:14:43 PM : >>> 250 OK - mail from
<Administrator () sassproductions com>

2/8/00 3:14:43 PM : <<< IO: |RCPT TO:<sysadmin () sassproductions com>
|
2/8/00 3:14:43 PM : <<< RCPT TO:<sysadmin () sassproductions com>
2/8/00 3:14:43 PM : >>> 250 OK - Recipient <sysadmin () sassproductions com>

2/8/00 3:14:43 PM : <<< IO: |DATA
|
2/8/00 3:14:43 PM : <<< DATA
2/8/00 3:14:43 PM : >>> 354 Send data.  End with CRLF.CRLF

2/8/00 3:14:43 PM : <<< IO: |From: Administrator () sassproductions com
To: sysadmin () sassproductions com
Subject: This is a test mail

This is a test message...did I get it


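As an added illustration (not from either poster), the audit below parses protocol log lines in the IMC format quoted above and flags the two envelope patterns the thread is about: an untrusted connection claiming a sender in the server's own domain, and an untrusted connection addressing a recipient outside it. The log text, the `example.net` session and the `trusted_peers` set are constructed for the example.

```python
import re

# Constructed log in the IMC protocol-log format quoted in the thread
# ('<<<' = command received from the client); addresses use '@' rather than
# the archive's "()" obfuscation. The second session is an invented relay try.
SAMPLE_LOG = """\
2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : <<< MAIL FROM:<Administrator@sassproductions.com>
2/8/00 3:14:43 PM : <<< RCPT TO:<sysadmin@sassproductions.com>
2/8/00 3:20:01 PM : A connection was accepted from mail.example.net.
2/8/00 3:20:01 PM : <<< HELO mail.example.net
2/8/00 3:20:02 PM : <<< MAIL FROM:<someone@example.net>
2/8/00 3:20:02 PM : <<< RCPT TO:<victim@example.org>
"""
CONNECT_RE = re.compile(r"A connection was accepted from (\S+?)\.?$")
ENVELOPE_RE = re.compile(r"<<< (MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)


def parse_imc_log(text):
    """One dict per accepted connection; the '<<< IO: |' echo lines don't match."""
    sessions = []
    for line in text.splitlines():
        if m := CONNECT_RE.search(line):
            sessions.append({"peer": m.group(1), "mail_from": None, "rcpts": []})
        elif (m := ENVELOPE_RE.search(line)) and sessions:
            if m.group(1).upper() == "MAIL FROM":
                sessions[-1]["mail_from"] = m.group(2)
            else:
                sessions[-1]["rcpts"].append(m.group(2))
    return sessions


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_sessions(sessions, local_domains, trusted_peers):
    """forged-local-sender: MAIL FROM in our own domain from an untrusted peer
    (the thread's 'from myself to myself' message; the IMC logs the connecting
    host, so a telnet session run on the server shows up as GATE itself).
    relay-attempt: RCPT TO outside our domains from an untrusted peer."""
    findings = []
    for s in sessions:
        if s["peer"] in trusted_peers:
            continue
        if domain_of(s["mail_from"] or "") in local_domains:
            findings.append((s["peer"], "forged-local-sender", s["mail_from"]))
        foreign = [r for r in s["rcpts"] if domain_of(r) not in local_domains]
        if foreign:
            findings.append((s["peer"], "relay-attempt", ", ".join(foreign)))
    return findings
```

With `trusted_peers` empty, the session from GATE is flagged for the forged Administrator sender, which is the condition the fix described in the reply (relaying restricted to authenticated users) is meant to prevent.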