Exchange 2003 - Spam Attack Internal & External - Part 1…
Since I have been back from my Hols I have been further developing my work on Exchange 2007 (and filling out the mile of paperwork required in my company to get it "officially" on the projects book), but in between I have been writing some small scripts, updating existing tools and taking in the sights of the Exchange forums.
I saw a post recently (although exactly where eludes me at the moment – so if you like / recognise this article pertaining to you – please comment) which asked about how you could track an internal SPAM attack.
I started to think about this, as I have also seen a number of questions about how you can minimise your risk of becoming an open relay, and how you can trace or recognise when your Exchange server has been hijacked by every Exchange Admin's natural enemy, "the spammer".
In this article I would like to go through SPAM, Open Relays, how you can be at risk both internally and externally, and what you can do about it.
Ok, firstly it is important to point out that an Open Relay and a Spam attack are different things; however, they are related in the sense that open relays can perpetuate spam.
- An SMTP open relay will accept connections from any host, unauthenticated, and route mail to any given destination. It will ask no questions, but perhaps it will tell lies! Open relays can be used to bounce SPAM onto others, and they also allow anyone to impersonate senders from practically any domain.
- SPAM (or UCE, Unsolicited Commercial E-Mail), although these days it doesn't really need to be commercial (judging by the amount of mail I get commenting on the size of my Penis), can generally be described as mail that you haven't asked for, containing dubious content, that claims to be from a sender that probably never sent it (or indeed never existed) in the first place.
Any combination of the above can be bad news for your Exchange environment, so the following are some thoughts I have on how you can minimise your risk, spot when something is not right, and what you can do about it.
Initially I would like to have a look at some Exchange deployments that I have seen, from the perspective of how Inbound Internet mail is configured. I have also ranked them by how resilient they have been to Open Relay and SPAM (please note, below is my opinion, based on what I have seen; some of you might have different ideas and I welcome any input that you may have):
High Cost – Highly Secure:

The example above utilises the services of a third-party Viral / Spam provider (examples of whom are MessageLabs and E-Mail Systems). Essentially these folks take control of the MX record for your domain and route all e-mail, Inbound or outbound, through a number of "Towers". The towers screen each message for Viral infections, SPAM likelihood and Pornography; if the message is deemed ok it is released and forwarded on to your SMTP Edge Relay.
I have found this solution to be highly effective when dealing with SPAM and Viral threats. As you maintain a 1 - 1 relationship between your Relay and the Provider's Relay, you can create an access list on your Firewall that will only accept SMTP traffic from your provider, and therefore close down the risk of being an Open Relay. Your provider in turn will also have configured their systems so they are not in the same position, so from that perspective you get total peace of mind.
Coming back further into the diagram you will notice a dedicated Exchange Relay box (although this does not really need to be Exchange; it could be a Linux SMTP server or a server running a product like IMAIL, however for end-to-end consistency Exchange is better). The sole purpose of this box is to Relay mail in and out; here you can install programs such as GFI or Network Associates GroupShield which will further monitor the SMTP traffic routed in via the Inbound interface.
You also reduce your attack surface in this configuration as you do not have any mailboxes on the server, and should you become the target of a successful attack you can turn off SMTP flow on the relay so the traffic does not route to your database server. As the SMTP instance is separate from that of the Backend Database server, internal traffic will still flow. You also have the option of using the Intelligent Message Filter on this server so mail is screened at the gateway, which again reduces the performance footprint on your database server.
Advantages:
- 1 - 1 relationship with an external provider, therefore you do not need a many-to-one access list on your Firewall for port 25 traffic. This prevents you from being an open relay; couple this with the Exchange Relay Server on your side, where you can configure the default SMTP virtual server to only accept connections from the 3rd party, and from the perspective of being an open relay you are secure.
- SPAM and Viral threats are pre-scanned before arrival at your mail system
- Having a separate relay server allows you to further scan mail using additional solutions, and if the worst should happen, stop Inbound SMTP independently of your mailbox servers
Disadvantages:
- Cost: 3rd-party providers can be expensive to commission and generally charge per mailbox per service (for example Porn, Anti-Viral and Spam are separate services), plus having an additional Exchange server will incur both hardware and licensing costs.
- Additional levels of administration: you will have an additional Exchange server to look after, plus the provider-side settings that your 3rd party requires you to keep configured.
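To make the open-relay definition above and the "1 - 1" relay restriction concrete, here is an added example (my own illustration, not code from the original post or from any product it names) of the decision an SMTP gateway makes at RCPT TO: accept mail for your own domains from anyone, relay onward only for the provider's relay address or an authenticated client, and refuse everyone else, including an internal PC trying to use the server as a re-mailer. The domains and IP addresses are constructed sample values.

```python
import ipaddress

# Constructed sample policy (not from the post): the organisation's own domains
# and the single upstream host that is allowed to relay onward, i.e. the
# "1 - 1" relationship with the scanning provider's relay described above.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_RELAY_SOURCES = ["203.0.113.10/32"]


def rcpt_reply(client_ip, rcpt_address, authenticated=False,
               local_domains=LOCAL_DOMAINS, trusted=TRUSTED_RELAY_SOURCES):
    """SMTP reply (code, text) a correctly restricted relay gives to one RCPT TO."""
    if "@" not in rcpt_address:
        return 501, "5.1.3 Bad recipient address syntax"
    domain = rcpt_address.rsplit("@", 1)[1].lower()
    if domain in local_domains:
        return 250, "2.1.5 Recipient OK"   # inbound mail for our domain: accepted from anyone
    src = ipaddress.ip_address(client_ip)
    if authenticated or any(src in ipaddress.ip_network(net) for net in trusted):
        return 250, "2.1.5 Recipient OK"   # onward relay only for trusted or authenticated sources
    return 550, "5.7.1 Unable to relay"    # everyone else, including an internal PC, is refused


def relay_exposure(trusted):
    """Flag relay-source entries that turn the server into an open relay in practice."""
    problems = []
    for entry in trusted:
        net = ipaddress.ip_network(entry)
        if net.prefixlen == 0:
            problems.append(f"{net} allows relay from any host")
        elif net.num_addresses > 256:
            problems.append(f"{net} is far wider than a single provider relay")
    return problems


def session_transcript(client_ip, rcpts, authenticated=False):
    """Both sides of the RCPT phase as (client line, server reply) pairs."""
    transcript = []
    for rcpt in rcpts:
        code, text = rcpt_reply(client_ip, rcpt, authenticated)
        transcript.append((f"RCPT TO:<{rcpt}>", f"{code} {text}"))
    return transcript


if __name__ == "__main__":
    # An internal workstation trying to use the server as a re-mailer (constructed addresses).
    for line, reply in session_transcript("10.0.0.25", ["hr@example.com", "list@other.example"]):
        print(f"C: {line}\nS: {reply}")
```

The relay_exposure check is the configuration-side counterpart of the EXBPA open relay test discussed later: a relay list containing 0.0.0.0/0 (or a whole internal range) is an open relay however the firewall is set.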
Medium Cost – Secure:

In the example above, mail sent from a client is routed directly to the perimeter IP address of the firewall (which is denoted in the domain's MX record). The Firewall then passes this request through to an Internal ISA server which is configured as a Filtering SMTP relay (see here); the ISA server inspects the message and, if it is clean, forwards it on to the Exchange server.
In this configuration I would expect that the Exchange server would be running a product like GFI or Network Associates GSE, and that the Intelligent Message Filter would be turned on. If you were looking at this configuration you could drop the Hardware-based Firewall and just expose the ISA server to the web; however, I would be more comfortable using a dual-tier system where you have two levels of stateful checking.
You would need to bear in mind that it is possible in this configuration for people to open Port 25 sessions to your ISA server and send mail. If you have maintained the ISA server's configuration, the chances of major problems are reduced, but the key thing to remember is that by routing all mail yourself you will require a Many - 1 relationship on the Hardware Firewall.
Advantages:
- Cheaper when compared to the first solution
- Common deployment scenario using standard technologies therefore very easy to get support on
- You have full control over message flow into your organisation
- Pretty secure when well managed
Disadvantages:
- Requires additional understanding and licensing of another product (ISA Server)
- If not managed or configured properly could present a risk
- Requires frequent updates to be applied by you
Low Cost – Poor Security:

The example above represents perhaps the most insecure configuration that I have seen. Admittedly it was in a small business where investment was sparse; however, it still represents what I would describe as the most likely candidate to be used as an open relay and, from what I have read, a surprisingly common configuration.
The hardware utilised is a straightforward ADSL or Cable modem which allows for rudimentary NAT and port forwarding directly to the Exchange server. In order to combat the inadequacies of this configuration the Intelligent Message Filter is resident on the Exchange server, as well as a product such as GFI or GSE; however, the importance of keeping these updated is paramount, as is ensuring that your Exchange configuration is optimally "Hardened" against inappropriate use (more on this later).
Advantages:
- Cheap and easy to setup
- Minimal administration
Disadvantages:
- Not secure
- Leaves your primary Exchange server open to attack
Ok, from the examples above I admit that there are many, many variants of the three configurations, which can vary from very secure to just wide open. However, getting back to the original point of this post: how do you know, or indeed how can you work out, if you are under attack, where does the attack come from, and most importantly what can you do to, and in, Exchange to minimise the risk?
Internal Attacks:
A number of Exchange Admins may not have considered the prospect that their Exchange server might potentially be an Open Relay (Internally), or indeed the possibility that it may be being used internally as a spam re-mailer. A lot of focus in this area is typically spent on the Inbound endpoint into your mail system (e.g. mail from the web).
A number of recent surveys within the IT industry have concluded that, as well as social engineering attacks, the next single biggest threat to the security of a network is the employees that you currently allow access to your systems.
Think about it in terms of your Exchange installation: how many steps have you taken against that one employee who is running their own business in office hours, where they use your (or the company's) mail server as their primary contact point, or, worse, use the company's own Exchange SMTP virtual server as a relay for their own publicity or product?
Whilst we spend a lot of time securing our Internet boundary, how often do we consider internal security?
Internal Attack – Unlikely you say? – ok consider the following;
Generally speaking (not always, but generally) the natural assumption that a technical person makes is that all the people that they support are stupid and would not know one end of a mouse from the other. However, I have found that with the advent of organisations giving employees increased access to the Internet as part of their day-to-day work, the proliferation of IT within companies, and the expansion of Broadband access at home, it has become easier for the "lay person" to gain access to information that previously might have been considered beyond them. Believe me, they are learning at a staggering rate.
Let's return for a minute to that person in your organisation who is running a business from within work. Psychologically they are motivated, they wish to minimise their own expenditure on their product, and they have their current job's resources available to them. They have been listening to a couple of the IT guys talk about "Mass Mailing", or they open up Google and type in "Send lots of e-mails" (try it: type either phrase into Google), and before long you will arrive at a piece of software that does not require installation (and therefore bypasses many admin restrictions), can be placed on a local PC and acts as its own SMTP client. All it needs is access to an SMTP server in your organisation: YOUR EXCHANGE SERVER!
Are you certain that your Internal Exchange servers are configured appropriately to combat this type of menace, or indeed that your server will withstand the rigours of an External attack?
How do I know that I am being targeted?
There are a number of things that you can look for to ascertain if you are being used as an open relay, or are the focus of a spam attack. What I would like to do in this section is go through what you can do to potentially prevent such a situation and, if required, help troubleshoot SPAM and SMTP issues.
Firstly – Prevention – Run the Exchange Best Practices Analyser:
You will see this tool mentioned a lot in forums around the web, and indeed you may already know of the BPA.
You should run the BPA every two to three weeks or so against your Exchange servers (I say against your Exchange Servers as I am a purist: I never install anything on an Exchange server that does not need to be there). I say every two to three weeks because Microsoft is constantly updating the functionality of this tool with data from its PSS.
The BPA will immediately highlight any issues with your Exchange configuration.
Getting Started – BPA:
- Download the latest version of the Exchange BPA from here: http://technet.microsoft.com/en-gb/exchange/bb288481.aspx
Choose the latest version of the BPA from the link above and download it to a workstation (or, if you wish, the Exchange server).
Double-click the EXBPA.msi file and follow the wizard through to completion; at the end of the Wizard choose "Launch".
When the EXBPA has launched you will be presented with the following screen:

Click on the “Select options for a new scan” link and the screen will change to look like the following:

Here you have a couple of options on how to proceed:
- If you have installed the EXBPA on a local workstation in your domain then you will need to expand the "Hide advanced options" link and provide the credentials for a domain admin account and an account that has Exchange View Admin rights and is also a local admin on the Exchange server. Remember, you might also have to provide the name of a Domain Controller.
- If you have installed the BPA on the Exchange Server then there is a fair chance that you already have the correct rights; however, be mindful of the above requirements.
When you are ready – click on the “Connect to Active Directory server” link – the EXBPA will then go away and confirm that you have the correct rights.
When the permissions test has completed you will be presented with the following screen:

On the screen above, type in a descriptive name for the scan of your Exchange Server, then ensure that the scope for your scan is set at least to your Exchange server (I prefer to select the Organisation and the Administrative Group) and ensure that the type of scan is set to "Health Check".
Choose the rough speed of the connection that you have to your Exchange server (this is normally 100 Mbps or more) and then click on the "Start Scanning" option.
Your screen will change to look like the following during the scan:

When the scan has finished you will be presented with the following screen – click on the “View a report of this Best Practices scan”:

When you have clicked on the view report option you will be presented with a screen which looks like the following example. If you are lucky you should only get Warnings and Informational items; if you are really, really lucky then you should only get Informational items:

However, if you are at risk the EXBPA will display a list of critical items that you must rectify straight away. In the example below my test Exchange server has failed the open relay test:

If you double-click on the item(s) marked critical you will be given a greater analysis of the problem, and you will also be guided to a link that can help you solve the problem for your Exchange server. In the case of an open relay the EXBPA will direct you to the following link: http://technet.microsoft.com/en-gb/library/6d2c9c82-bcc2-4261-a30d-90536577c873.aspx
Next Post – Part 2
In Part 2 of this article I would like to continue and cover the following:
- Further methods of Open Relay and SPAM prevention
- Troubleshooting SPAM
Last Updated (Wednesday, 30 December 2009 14:50)