Welcome to ISAserver.org


SMTP Server Relay Exploit

All Forums >> [ISA Server 2004 General ] >> Server Publishing >> SMTP Server Relay Exploit
SMTP Server Relay Exploit - 13.Jul.2005 9:58:00 PM   
jamesprice3

 

Posts: 10
Joined: 25.Jan.2004
From: FL
Status: offline
I am using ISA 2004 Ent Ed. to publish an internal SMTP server (NetIQ MailMarshal v6) which acts as a relay/spam filter for my Exchange 2003 system. All has worked well for 6+ months until today. Somehow the spammers of the world have managed to relay off my MailMarshal server by sourcing from the ISA internal interface. Since MailMarshal allowed any internal server to relay, this effectively created an open relay through which some 90K+ messages were sent. I've corrected the problem (thanks to NetIQ Support) by excluding the ISA internal interface from the allowed relay range.

My question is how did this happen? My SMTP publishing rule is configured to forward requests so they appear to come from the original client, NOT from the ISA Server. If this were reversed then I could easily understand how this happened. What am I missing?
Post #: 1
RE: SMTP Server Relay Exploit - 13.Jul.2005 10:51:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
If you used IIS SMTPSVC instead of NetIQ, you could've avoided this problem. I've been running the exact same setup as you do. I have ISA sitting in front of IIS SMTPSVC, which runs a spam filter. SMTPSVC then relays to Exchange 2003 in the back end. We haven't had any problem. My guess is that NetIQ smtpsvc wasn't properly configured for preventing the relaying.

(in reply to jamesprice3)
Post #: 2
RE: SMTP Server Relay Exploit - 14.Jul.2005 12:27:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

One or more hosts on your internal network is wormed. The external user couldn't spoof their source address as the internal interface of the ISA firewall, because the spoof detection mechanism would have dropped it if the connection request arrived on the external interface.

HTH,
Tom

(in reply to jamesprice3)
Post #: 3
RE: SMTP Server Relay Exploit - 14.Jul.2005 1:25:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
The problem I see with this whole thing is that the SpamMarshall should not be configured to relay to all domains; it should only be configured to relay to your SMTP domain. It should accept connections from anyone, but relay only to the SMTP domain you use.

[ July 14, 2005, 01:26 PM: Message edited by: ClintD ]

(in reply to jamesprice3)
Post #: 4
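The two fixes discussed in this thread (jamesprice3 excluding the ISA internal interface from the allowed relay range, and ClintD's point that a gateway should accept mail from anyone but relay only to its own SMTP domain) can be expressed as a single relay decision. The following is an added example, not code from the thread, from NetIQ or from Microsoft; it models a MailMarshal-style relay policy generically as "source ranges allowed to relay outbound" plus "domains accepted from anyone". The domains, addresses and attempts are constructed (`example.com`, `10.0.0.0/8`, `10.0.0.1` as the ISA internal interface, `203.0.113.7` as an outside sender), and `trusted_source` is a label attached to each sample attempt stating whether the connection genuinely originates from a host you trust, which the gateway itself cannot know when traffic appears from the firewall's address.

```python
"""Relay policy check for a published SMTP gateway (constructed example).

The policy mirrors the thread: a set of local domains accepted from anyone,
a set of internal networks allowed to relay outbound, and an exclusion list
used to carve the ISA internal interface back out of that relay range.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    local_domains: set                      # domains we accept mail FOR from anyone
    relay_nets: list                        # source networks allowed to relay outbound
    excluded_ips: set = field(default_factory=set)  # hosts carved out of relay_nets

    def decide(self, client_ip: str, rcpt: str):
        """Return (verdict, reason) for one RCPT TO from one connecting address."""
        ip = ipaddress.ip_address(client_ip)
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Inbound mail for our own domain is always accepted (MX role).
        if domain in self.local_domains:
            return ("accept", "inbound to local domain")
        # The fix from post #1: the firewall's own interface never relays.
        if ip in self.excluded_ips:
            return ("reject", "relay denied: source excluded from relay range")
        # Genuine internal hosts may send outbound through the gateway.
        if any(ip in net for net in self.relay_nets):
            return ("accept", "outbound relay from trusted internal source")
        # ClintD's rule: outsiders get no relay to foreign domains.
        return ("reject", "relay denied: external source to external domain")


# Constructed sample data: (connecting address, recipient, trusted_source).
# The ISA internal interface is labelled untrusted because the real origin
# behind it is unknown (an outside client, or a wormed internal host).
ISA_INTERNAL_IP = "10.0.0.1"
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "user@example.com", False),    # outsider delivering inbound mail
    ("203.0.113.7", "victim@other.test", False),   # outsider asking to relay outbound
    (ISA_INTERNAL_IP, "victim@other.test", False), # traffic appearing from ISA's interface
    ("10.0.0.50", "partner@other.test", True),     # genuine internal host sending outbound
]

BEFORE_FIX = RelayPolicy(
    local_domains={"example.com"},
    relay_nets=[ipaddress.ip_network("10.0.0.0/8")],
)
AFTER_FIX = RelayPolicy(
    local_domains={"example.com"},
    relay_nets=[ipaddress.ip_network("10.0.0.0/8")],
    excluded_ips={ipaddress.ip_address(ISA_INTERNAL_IP)},
)


def open_relay_exposure(policy: RelayPolicy, attempts):
    """List the attempts a policy would relay to a foreign domain from an untrusted source.

    Any entry returned here is an open-relay path of the kind that produced the
    90K+ messages described in the thread.
    """
    exposed = []
    for client_ip, rcpt, trusted_source in attempts:
        verdict, _ = policy.decide(client_ip, rcpt)
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if verdict == "accept" and domain not in policy.local_domains and not trusted_source:
            exposed.append((client_ip, rcpt))
    return exposed


if __name__ == "__main__":
    for label, policy in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "->", open_relay_exposure(policy, SAMPLE_ATTEMPTS) or "no exposure")
```

Run as a script, the "before fix" policy reports the ISA-interface path as exposed while the "after fix" policy reports none. The ordering in `decide` matters: checking the local-domain case first keeps inbound delivery working for every sender, and checking the exclusion before the relay-range membership is what prevents a broad internal range from silently granting relay to the firewall's address.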