SpamCop FAQ: Help for abuse-desks and administrators
But my server is secured against relay...

It is becoming increasingly common to see spam relayed through servers that have every relaying option disabled. Why? Because the server believes the spammers are authorized users: they are authenticating, with valid usernames and passwords.

Any server that has authentication (SMTP AUTH) enabled can potentially be compromised in this way.

For example, by default Microsoft Exchange 5.5, 2000 and 2003 (and Exchange running under IIS 5) come with a guest account that can be used for SMTP AUTH. This lets anyone who can connect use the server. Even if you have set "require authentication" (meaning the client must supply a username and password), the guest account still lets a client send mail through the server even when its login as a named user fails.

The most commonly exploited accounts are admin, administrator, guest, test, demo and webmaster, although any account with a weak or missing password is vulnerable.

Spammers run "bots" that make repeated authentication attempts using a set of default and easy-to-guess username/password combinations. The most common are guest/guest, admin/admin, test/test and demo/demo, and there are sites that list many default username/password combinations, so it is not hard to build a list to try.

Spammers also use software ("spamware") that brute-forces username/password guessing. This heavy-duty software cycles through a large set of common usernames and passwords, hoping to hit a pair that works. One working pair effectively gives them an open relay.

Some sample usernames and passwords that are known to be used by at least one spammer:
Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc

Possible common passwords: ${username}, ${username}12, ${username}123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&*
as well as each user name with a blank password.

(Data acquired from ROKSO, the Register of Known Spam Organizations.)

The exploit works like this:

Encoding to Base64 is left as an exercise to the reader.
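The exchange the text refers to, as an added example that is not part of the original FAQ and not SpamCop's or Microsoft's code: how a bot encodes a guessed credential pair for SMTP AUTH PLAIN (RFC 4616) and AUTH LOGIN, what a complete relay attempt looks like on the wire, and the reverse step an administrator needs, decoding the AUTH string captured in a protocol log to learn which account was guessed and which guess succeeded (reply 235). The host name in EHLO and the log lines with their "date time client_ip command reply" layout are constructed for the demonstration, not real Exchange output.

```python
"""SMTP AUTH abuse end to end: encode a guessed credential pair the way a
bot does, and decode captured AUTH PLAIN strings back to the account name.
Added example; the log lines below are constructed, not real server output."""
import base64
import re
from collections import Counter


def auth_plain_line(username: str, password: str) -> str:
    """AUTH PLAIN (RFC 4616): one client line carrying base64(NUL user NUL password)."""
    raw = b"\x00" + username.encode() + b"\x00" + password.encode()
    return "AUTH PLAIN " + base64.b64encode(raw).decode()


def auth_login_exchange(username: str, password: str) -> list:
    """AUTH LOGIN: the server's 334 prompts are base64 of 'Username:' and
    'Password:'; the client answers each prompt with a base64 value."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64("Username:")),
        ("C", b64(username)),
        ("S", "334 " + b64("Password:")),
        ("C", b64(password)),
    ]


def relay_attempt(username: str, password: str, sender: str, rcpt: str) -> list:
    """Client side of one guessed-credential relay attempt, as a bot sends it.
    If the server answers the AUTH line with 235, everything after it relays."""
    return [
        "EHLO bot.example",  # hypothetical host name
        auth_plain_line(username, password),
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{rcpt}>",
        "DATA",
    ]


def decode_auth_plain(b64: str) -> tuple:
    """Reverse of auth_plain_line: returns (username, password).
    Tolerates a non-empty authorization-id in the first field."""
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not an AUTH PLAIN credential block")
    _authzid, authcid, passwd = parts
    return authcid.decode(errors="replace"), passwd.decode(errors="replace")


AUTH_PLAIN_RE = re.compile(r"\bAUTH PLAIN ([A-Za-z0-9+/=]+)")

# Constructed protocol-log lines: "date time client_ip command reply".
SAMPLE_LOG = [
    "2004-04-20 03:12:07 203.0.113.7 AUTH PLAIN AGFkbWluAGFkbWlu 535",
    "2004-04-20 03:12:08 203.0.113.7 AUTH PLAIN AHRlc3QAdGVzdA== 535",
    "2004-04-20 03:12:09 203.0.113.7 AUTH PLAIN AGFkbWluAGFkbWluMTIz 235",
    "2004-04-20 03:12:10 203.0.113.7 MAIL FROM:<x@example.net> 250",
]


def auth_summary(log_lines) -> tuple:
    """Count AUTH PLAIN attempts per (client_ip, username) and collect the
    pairs the server accepted (reply code 235): those are the abused accounts."""
    attempts = Counter()
    successes = set()
    for line in log_lines:
        m = AUTH_PLAIN_RE.search(line)
        if not m:
            continue
        fields = line.split()
        ip, reply = fields[2], fields[-1]
        try:
            user, _ = decode_auth_plain(m.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        attempts[(ip, user)] += 1
        if reply == "235":
            successes.add((ip, user))
    return attempts, successes


if __name__ == "__main__":
    for who, text in auth_login_exchange("admin", "admin"):
        print(f"{who}: {text}")
    print("\n".join(relay_attempt("admin", "admin123", "spam@example.net", "victim@example.org")))
    attempts, successes = auth_summary(SAMPLE_LOG)
    print("attempts:", dict(attempts))
    print("accepted:", successes)
```

Both mechanisms send the password in the clear apart from base64, so anyone who can read the SMTP session (or a protocol log that records the AUTH argument) can recover it; that is also why the decoder above is enough to name the compromised account once you have the log.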

An ounce of Prevention:

  1. Make sure you have disabled the "guest" account.

  2. Remove or rename all default accounts, or change the default passwords on any of them that you keep.

  3. Make sure your users select good passwords. In particular, make sure nobody uses the same name or word for both the username and password, e.g., admin/admin, and make sure passwords such as "password" are not in use.

    Review the list of the most common passwords at http://geodsoft.com/howto/password/common.htm. Set up a blocklist file so these passwords cannot be chosen, or run a script that compares users' passwords against the list. Reset any that are easy to guess.

  4. Check Securityfocus.com to make sure you are not exposed to the Microsoft Exchange Server buffer overflow vulnerability.

  5. Make sure you are not exposed to the known "null session" attack; see Bugtraq for details.

  6. With all Microsoft Windows products, install every cumulative service pack and update available from the Windows Update page.

  7. Turn off authentication (SMTP AUTH) unless you actually need it. With SMTP AUTH disabled, relaying is governed only by your relay restrictions, so only mail originating inside your network (i.e., from authorized IP addresses) can be sent through the server.
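The audit described in step 3, as an added example that is not code from SpamCop or from the linked common-password page: it expands the guess list spammers are known to use (the username itself, the username with 12 or 123 appended, a blank password, and the common passwords listed above), merges in an optional blocklist file, and reports which accounts would fall to it, together with any default account names from this FAQ that still exist. The account/password pairs it is run on here are constructed; `load_blocklist` and the file path it takes are assumptions for illustration.

```python
"""Weak-password audit against the username/password guesses spammer bots
try. Added example; the accounts fed to audit() below are constructed."""

# Default account names named in this FAQ as the most commonly exploited.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "test", "demo", "webmaster"}

# The password guesses listed in this FAQ; ${username} patterns handled separately.
COMMON_PASSWORDS = {
    "1", "111", "123", "1234", "12345", "123456", "1234567", "12345678",
    "654321", "54321", "00000000", "88888888", "admin", "root", "pass",
    "passwd", "password", "super", "!@#$%^&*",
}

# Username-derived guesses: ${username}, ${username}12, ${username}123, blank.
USERNAME_TEMPLATES = ("{u}", "{u}12", "{u}123", "")


def candidate_passwords(username: str, extra_blocklist=()) -> set:
    """Every guess a bot would try against this particular username."""
    cands = {p.lower() for p in COMMON_PASSWORDS}
    cands.update(p.lower() for p in extra_blocklist)
    cands.update(t.format(u=username.lower()) for t in USERNAME_TEMPLATES)
    return cands


def is_weak(username: str, password: str, extra_blocklist=()) -> bool:
    """True if the password is one a brute-force bot would hit; the
    comparison is case-insensitive because bots try those variants too."""
    return password.lower() in candidate_passwords(username, extra_blocklist)


def audit(accounts, extra_blocklist=()) -> list:
    """accounts: iterable of (username, password). Returns the usernames
    whose password is guessable, sorted, for a forced reset."""
    return sorted(u for u, p in accounts if is_weak(u, p, extra_blocklist))


def default_accounts_present(usernames) -> list:
    """Default accounts (step 1 and 2) that still exist, normalized to lower case."""
    return sorted({u.lower() for u in usernames} & DEFAULT_ACCOUNTS)


def load_blocklist(path: str) -> list:
    """Hypothetical helper: one password per line, as in a common-password list
    saved to disk. Blank lines and '#' comments are skipped."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]


if __name__ == "__main__":
    # Constructed sample: three accounts, two of them guessable.
    sample = [("admin", "admin"), ("jsmith", "v9#Qe2!pLx7z"), ("demo", "Demo12")]
    print("reset these:", audit(sample))
    print("default accounts still present:",
          default_accounts_present(u for u, _ in sample))
```

Run it against a plaintext password list only as part of a reset exercise; if all you have is hashes, the same `candidate_passwords` set can be hashed with the server's scheme and compared instead, which is how a password-cracking check against this guess list is normally done.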

We see Microsoft Exchange 2000 and 2003 compromised most often because these servers install a guest account and also enable SMTP AUTH by default.

For More Information

Two excellent plain-English articles on this subject are available at Windows IT Pro Network:

"A New Kind of Attack" (Oct. 9, 2003) ( http://www.winnetmag.com/article/articleid/40507/40507.html)

"Exchange Server SMTP AUTH Attacks" (April 20, 2004) ( http://www.winnetmag.com/article/articleid/42406/42406.html)

Microsoft provides good information on testing your server and logging events to find the account that is being compromised. (http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958)
