
Assuming you use Exchange, that is
By Robert Lemos
Published: 17 November 2003 07:50 GMT
Administrators of email systems based on Microsoft's Exchange might have spammers using their servers to send unsolicited bulk email under their noses, a consultant has warned.
Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper last Thursday detailing the problem, discovered when a client's server was found to be sending spam. Greenspan's research concluded that Exchange 5.5 and 2000 can be used by spammers to send anonymous email. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
"If the guest account is enabled [on Exchange 5.5 and 2000], even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything [to secure the server], you are still open to spammers."
The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
There are dozens of messages - with subject lines such as "Open relay problem" and "We are sending spam?" - on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers.
Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints.
"This particular method of sending spam relies on specifically configured servers or is leveraging weaknesses in the protocol itself," the software giant said in a statement issued in response to questions from silicon.com sister site CNET News.com. "The fact is that Microsoft has not received a lot of calls from customers that have experienced problems detailed by Think Computer."
Moreover, the company said the issue doesn't affect the latest version of the software, Exchange Server 2003.
Greenspan, however, argued that the problem has accounted for a large amount of unsolicited email. He estimates that at least 100,000 messages sent by spammers in China went through his client's server before he stopped the problem. He added that the issue is causing headaches for Exchange administrators.
"It is really inexcusable for a company that claims security is its top priority," he said.
Robert Lemos writes for CNET News.com.
This has been discussed recently on some SecurityF...
Mike Alexander
Put VPOP3 on the network as the first MTA. It is ...
adrian midgley
I would love to know what changes to make to ES5.5...
Brett Wilson