
By Robert Lemos
Posted on ZDNet News: Nov 14, 2003 11:47:00 PM

Administrators of e-mail systems based on Microsoft's Exchange might have spammers using their servers to send unsolicited bulk e-mail under their noses, a consultant warned this week.

Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper Thursday detailing the problem, discovered when a client's server was found to be sending spam. Greenspan's research concluded that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.

"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."

The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
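For administrators reviewing their own mail logs, the behaviour described above shows up as a session that gets mail accepted for an outside domain without a valid login by a real account. The following is an added example, not code from the white paper or from Microsoft: the log format, account names and domains are constructed for illustration, and it relies only on the standard SMTP reply codes (235 for an accepted login, 535 for a rejected one, 2xx for an accepted recipient).

```python
from collections import defaultdict

LOCAL_DOMAINS = {"example.test"}         # assumption: domains this server hosts
KNOWN_ACCOUNTS = {"alice@example.test"}  # assumption: real mailbox logins

# Constructed sample log: "<session> <verb> <argument> <SMTP reply code>"
SAMPLE_LOG = """
s1 AUTH alice@example.test 235
s1 RCPT bob@partner.test 250
s2 AUTH zzqx 235
s2 RCPT someone@elsewhere.test 250
s3 AUTH zzqx 535
s3 RCPT someone@elsewhere.test 550
s4 RCPT carol@example.test 250
s5 AUTH qwerty 535
s5 RCPT other@elsewhere.test 250
"""


def find_guest_relay(log_text, known=KNOWN_ACCOUNTS, local=LOCAL_DOMAINS):
    """Return {session: reason} for sessions that relayed without a real login."""
    sessions = defaultdict(lambda: {"user": None, "auth_ok": False, "relayed": []})
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        sid, verb, arg, code = parts
        state = sessions[sid]
        if verb == "AUTH":
            state["user"] = arg.lower()
            state["auth_ok"] = code == "235"  # 235 = authentication accepted
        elif verb == "RCPT" and code.startswith("2"):
            domain = arg.rsplit("@", 1)[-1].lower()
            if domain not in local:  # accepted recipient outside our domains
                state["relayed"].append(arg)

    findings = {}
    for sid, state in sessions.items():
        if not state["relayed"]:
            continue  # nothing left the server's own domains
        if state["auth_ok"] and state["user"] in known:
            continue  # a real account relaying outbound mail is expected
        if state["auth_ok"]:
            findings[sid] = "unknown-login-accepted"
        elif state["user"] is not None:
            findings[sid] = "relay-after-failed-login"
        else:
            findings[sid] = "unauthenticated-relay"
    return findings
```

Sessions s2 and s5 in the sample are the ones to investigate: a login name that matches no real account was followed by mail accepted for an outside domain.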




There are dozens of messages--with subject lines such as "Open relay problem" and "We are sending spam?"--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers.

Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints.

"This particular method of sending spam relies on specifically configured servers or is leveraging weaknesses in the protocol itself," the software giant said in a statement issued in response to questions from CNET News.com. "The fact is that Microsoft has not received a lot of calls from customers that have experienced problems detailed by Think Computer."

Moreover, the company said the issue doesn't affect the latest version of the software, Exchange Server 2003.

Greenspan, however, argued that the problem has accounted for a large amount of unsolicited e-mail. He estimates that spammers in China sent at least 100,000 messages through his client's server before he stopped the problem. He added that the issue is causing headaches for Exchange administrators.

"It is really inexcusable for a company that claims security is its top priority," he said.
