Re: E-Mail relay or break in?

[ryan () SECURITYFOCUS COM (Ryan Russell)]

On Tue, 8 Feb 2000, Seth Georgion wrote:

> Mid-day today, while logged in to my exchange 5.5 server at the console, I recieved an E-Mail from myself to myself. 
> Technically it was a "Just Testing" kind of message from my Administrator account to my SysAdmin account. Of course I 
> never sent it and after further investigation I discovered that the E-Mail was most certainly sent by telnet and then 
> subsequently, about a minute later, recieved by my copy of Outlook 2000. Before anyone gives me anything about "Did I 
> read my logs?" The answer is yes and they indicate that the connection originated to and from my machine. Let me 
> preface the main question with the statement that this server has been up for 30 hours and due to other crises around 
> here has not had mail-relaying disabled yet. My first assumption was that someone was mail-relaying me and just 
> forging the info but because I have a near paranoid interest in logging Exchange stuff I was suprised to see that it 
> went beyond a simple forged E-Mail. My question is simply "Is this someone creating a telnet session and forging an 
> E-Mail and tricking out Exchange or is this someone who has compromised my server and is now trying to gain control 
> of some E-Mail?"

The log makes it look not hand-typed.  Do you have any sort of script
someone might have hit to generate such a mail?  For example, some sort of
CGI mail script someone is poking at for holes?  Since the machine is
named GATE, does it also have an external interface with a routable
address?

                                        Ryan