Wednesday, August 29, 2012

A mysterious email beware!

Over the last 10 years we have made the switch from letter and phone correspondence to email overload.


Since email is so prevalent, email administration is critical.

As email has proliferated, spam and spyware have increased. Many email servers have been compromised through the ability of an email server to receive email from an unknown sender and then send it on to a recipient or recipients, who could number in the thousands and who are not users of that email system.

The protocol responsible for relaying is called SMTP, or Simple Mail Transfer Protocol. This protocol belongs to the TCP/IP family and is used by email servers to transfer email from the sender's email server to the recipient's or recipients' email server or servers. The default port that it works on is port 25.

SMTP is used to relay email from the host to the recipient's email server. A company that has an open relay can cause spam-related issues, so closing this loop and controlling relay is critical. This is done in different ways depending on the email server platform. To get a detailed explanation of the SMTP protocol and how it works, see the Internet Engineering Task Force's (IETF) Request for Comments (RFC) 821 and 822, located at www.ietf.org.

You can check for relay by connecting to your email server with telnet using the following command:

telnet [server name] [port number]

The server will reply with a 220 message indicating that it is ready. Other commands that you can then use are HELO, MAIL FROM:, and RCPT TO:.
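The same HELO / MAIL FROM / RCPT TO exchange can be scripted so the check against your own mail server is repeatable after every configuration change. The following is an added example, not part of the original paper; it uses only Python's standard smtplib, the probe addresses in example.net and example.org are constructed, and the verdict rests on the reply code to RCPT TO: a 250 for an external recipient from an external sender means the server agreed to relay, while a 550-series reply means relaying is denied. The envelope is discarded with RSET, so no message is ever sent.

```python
import smtplib
import socket
import sys

# Constructed probe addresses: both domains are foreign to the server under test,
# so a 250 on RCPT TO means the MTA agreed to relay for strangers.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"


def parse_reply(line):
    """Extract the 3-digit status code from a raw SMTP reply line as seen in a telnet session."""
    code = line[:3]
    return int(code) if len(code) == 3 and code.isdigit() else 0


def classify_rcpt(code):
    """Map the SMTP reply to RCPT TO onto a relay verdict.

    2xx            -> external recipient accepted from an external sender: open relay
    550/551/553/554 -> relaying denied (what RFC 2505 recommends)
    451/452        -> temporary refusal (greylisting, load); retest later
    """
    if 200 <= code < 300:
        return "OPEN RELAY"
    if code in (550, 551, 553, 554):
        return "relay denied"
    if code in (451, 452):
        return "temporary failure, retest"
    return "indeterminate (%d)" % code


def probe_relay(host, port=25, timeout=10):
    """Run HELO / MAIL FROM / RCPT TO against our own MTA and return (rcpt_code, verdict).

    RSET discards the envelope after the server has said whether it would have relayed,
    so the probe never delivers a message.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()          # HELO/EHLO, as in the telnet session
            code, msg = smtp.mail(PROBE_SENDER)    # MAIL FROM:<external sender>
            if code != 250:
                return code, "sender rejected: %s" % msg.decode(errors="replace")
            code, _ = smtp.rcpt(PROBE_RECIPIENT)   # RCPT TO:<external recipient>
            smtp.rset()
            return code, classify_rcpt(code)
    except (socket.error, smtplib.SMTPException) as exc:
        return 0, "connection failed: %s" % exc


if __name__ == "__main__":
    # Usage: python relay_probe.py <server name> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    code, verdict = probe_relay(target, target_port)
    print("%s:%d -> RCPT TO reply %d: %s" % (target, target_port, code, verdict))
```

Keep the classification separate from the network code so the same table can be applied to reply lines copied out of a manual telnet session; a server that answers 250 to the external RCPT TO is the open relay the rest of this paper is about.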
The greatest threat comes in the form of Unsolicited Commercial Email (UCE), or spam. Besides being very annoying, spam has been and is becoming a very big problem for the Internet community, with some very serious side effects. It has become such a problem that the IETF released RFC 2505 "Anti-Spam Reco


Sending a large amount of spam can cause a Denial of Service (DoS) situation, where the server is overloaded and cannot process valid email. Also, if the server has issues processing email, the hard drive can fill up, causing the server to crash.

One of the side effects of having an open relay and sending spam is getting blacklisted. The two domains that blacklist companies are Comcast and Barracuda Networks. Your legitimate email will not get delivered and user complaints will follow. You will have to go through a process of rectifying the spam issue and then requesting removal from the domain's blacklist. These blacklist databases are used by many organizations to block UCE from getting into their email systems. Two well-known organizations are the Open Relay Behaviour-modification System (ORBS) and the Mail Abuse Prevention System (MAPS). More information about these two organizations can be found at www.orbs.org and www.mail-abuse.org respectively. This can start to cause you, as the email administrator, serious problems with your users, as they will be unable to send their email to any of the domains that have your server on their blacklist.

Another serious issue related to this problem is that spam email is often designed to trick people into providing confidential information, especially credit card numbers. There can be legal obligations to correct the corresponding issue as quickly as possible. For a good legal reference on UCE in the United States (federal and state), the European Union, and many other countries, check out www.spamlaws.com.

Reference Security CERT RFQ:
Exchange Server
In this section I will detail the process of configuring Microsoft's Exchange Server to prevent it from being an open relay server.
Exchange Versions
With versions of Exchange Server below 5.0 it is impossible to configure the server to be a secured relay. If your Exchange Server version is below 5.0, the recommended path is to upgrade to at least Exchange Server 5.5 Service Pack 2 with the encapsulated SMTP relay address patch. If you are running Exchange Server 5.0 you are able to stop the open relay function, but you have to disable POP3/IMAP. This version of the software should also

© SANS Institute 2003, Author retains full rights

Internet Mail Connector
The Internet Mail Connector (IMC) is the service that is installed to allow your Exchange Server to act as an SMTP server. By default this service is not installed during installation; instead it is installed by running the Internet Mail Wizard after the Exchange installation is complete. To run the Internet Mail Wizard go to File > New Other > Internet Mail Service. By default the wizard does not put any controls on who can use your Exchange server as a relay. After you have your Exchange server installed with the default settings of the Internet Mail Connector service, your Exchange server is vulnerable to open relay.
Configuring Internet Mail Connector To Stop Open Relay

Since all the configuration changes happen in the IMS, the first step is locating the properties for the service. Open your Exchange Administrator program and connect to the Exchange server that has the IMS service installed. You will notice that the Exchange Administrator is set up just like Windows Explorer, with containers on the left hand side and objects on the right hand side. Once open, find the Connections container located under your \\configuration container in the left hand column. Once it is highlighted you will notice connector objects on the left hand side; one should be named Internet Mail Service (). You can view the IMS properties by double clicking on it. Once open you will see several tabs; locate the Routing tab and click on it to view the routing properties.
The first thing you notice near the top of the properties sheet is the choice between Do not reroute incoming mail and Reroute incoming SMTP mail (required for POP3/IMAP4 support). The obvious choice would seem to be the first, but do not use it: your system will not relay messages, but it will receive them and then send a non-deliverable message back to the return address of the message. This is not good because it puts an undue burden on your email system by accepting potentially very large email messages, and it could also be used as a reverse UCE attack with your system involved. The best selection here is the second one.
Next you see a box titled Routing. On the right hand side of the screen select the Add button. In 'email sent to this domain' enter your domain name. Next select the option 'should be accepted as "inbound"', indicating that these are the only domains that the SMTP server will accept mail for.
After you have set all of the domains that your server will be accepting mail for, click on 'routing restrictions' to open the 'routing restrictions' properties page. The first option is 'Hosts and Clients that successfully authenticate', which allows relaying of messages only for users that have accounts on your server or another way to validate to the server who the user is. The next option is 'Hosts and Clients with these IP addresses'. With this option you can specify, by IP address, which host or which subnet is allowed to relay through your system. For example, a single IP address would be entered as that address with the subnet mask 255.255.255.255. For a subnet you would specify the network portion of the IP address, let 0 represent the client addresses, and enter the subnet mask to match. The next option is 'Hosts and Clients connecting to these internal addresses'. This allows relaying for clients who can reach a specific interface on a multi-homed system. Do not check this unless you have reason to do so. The last option you have to prevent open relaying through your Exchange server is 'Specify the hosts and clients that can NEVER route mail'. This option is pretty self-explanatory and works by denying specific IP addresses or subnets.
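The address/mask entries described above amount to a small relay policy: accept mail for your own inbound domains from anyone, relay for authenticated clients and for the listed hosts or subnets, and refuse everything else. The following is an added illustration, not the paper's or Microsoft's code; it evaluates such a policy in Python with the standard ipaddress module. The allow-list, the NEVER-route entry, the inbound domain example.com and the precedence (an explicit NEVER entry overrides everything, then authentication, then the IP allow-list) are all constructed assumptions for the example, not a statement of how Exchange orders its checks internally.

```python
import ipaddress

# Constructed policy in the address/mask form used on the Routing Restrictions page:
# a single host uses the mask 255.255.255.255; a subnet uses the network portion
# with 0 in the host positions and a matching mask.
ALLOWED_RELAY_SOURCES = [
    ("192.168.10.25", "255.255.255.255"),   # one workstation
    ("192.168.20.0", "255.255.255.0"),      # the internal LAN
]
NEVER_ROUTE = [
    ("192.168.20.200", "255.255.255.255"),  # a host inside the LAN that must never relay
]
INBOUND_DOMAINS = {"example.com"}           # domains 'accepted as inbound' (constructed)


def to_network(address, mask):
    """Turn an Exchange-style address/mask pair into a network object.

    strict=False lets a host address combined with a subnet mask still parse
    (the host bits are simply ignored), matching how the dialog accepts entries.
    """
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=False)


def matches_any(client_ip, entries):
    """True if client_ip falls inside any address/mask entry of the list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in to_network(addr, mask) for addr, mask in entries)


def relay_allowed(client_ip, authenticated=False,
                  allow=ALLOWED_RELAY_SOURCES, deny=NEVER_ROUTE):
    """Decide whether a connecting client may relay to a domain we do not host.

    Assumed precedence for this example: NEVER entries win, then successful
    authentication, then the IP allow-list; anything else is refused.
    """
    if matches_any(client_ip, deny):
        return False
    if authenticated:
        return True
    return matches_any(client_ip, allow)


def rcpt_reply(client_ip, rcpt_to, authenticated=False):
    """Return the SMTP reply code an MTA applying this policy would give to RCPT TO."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in INBOUND_DOMAINS:
        return 250          # mail for our own domains is always accepted
    if relay_allowed(client_ip, authenticated):
        return 250          # relaying permitted for this client
    return 550              # relaying denied: the reply an open-relay probe should see


if __name__ == "__main__":
    # Constructed sample connections: (client address, recipient, authenticated)
    for ip, rcpt, auth in [
        ("203.0.113.9", "user@example.com", False),    # inbound mail from the Internet
        ("203.0.113.9", "someone@example.org", False),  # relay attempt from the Internet
        ("192.168.20.77", "someone@example.org", False),  # LAN host relaying outbound
        ("192.168.20.200", "someone@example.org", True),  # NEVER-route host, even authenticated
    ]:
        print("%-16s RCPT TO:<%s> auth=%-5s -> %d" % (ip, rcpt, auth, rcpt_reply(ip, rcpt, auth)))
```

Walking the sample connections through rcpt_reply shows the two behaviours the page asks for side by side: mail addressed to an inbound domain gets 250 from any source, while the same Internet client asking to relay to another domain gets 550, and the NEVER-route entry refuses the host even when it authenticates.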
After all the changes have been made to secure your SMTP server, you have to stop and restart the Microsoft Exchange Internet Mail Service, located under Services in the Control Panel.

This concludes my paper on open relay and configuring Exchange Server so that it is not an open relay system.

