Security Incidents mailing list archives
Re: Exchange/Microsoft SMTP Authenticated User spam?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 14 Oct 2003 11:21:33 -0700 (PDT)
We've had two calls in the past month regarding supposed authenticated users sending out spam and using their external mail servers as relays. I was just curious if anyone else has seen this type of activity.
Similar activity was reported over on the incidents.org list. Sadly, the "incident response" seemed to be performing a Google search, rather than going to the boxes themselves and looking. In the case where someone did look at the boxes, his IR activities consisted of checking netstat, Task Manager, and then heaping on a considerable amount of speculation.
Has anyone seen any scripts that do this type of attack? Or has anyone else had this happen to them or someone they know? We would like to give our client a bit more information then 'change all your passwords.'
Changing passwords may not work. Someone needs to go to the boxes in question and perform some incident response. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Exchange/Microsoft SMTP Authenticated User spam? wirepair (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Mike Lewinski (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? wirepair (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Mark Webb-Johnson (Oct 15)
- RE: Exchange/Microsoft SMTP Authenticated User spam? Jerry Shenk (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Harlan Carvey (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Kee Hinckley (Oct 14)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Peter Moody (Oct 15)
- Re: Exchange/Microsoft SMTP Authenticated User spam? Mike Lewinski (Oct 14)