How might a spammer obtain multiple internal addresses?

Discussion in 'Windows Small Business Server' started by Phil, Nov 17, 2004.

  1. Phil

    Phil Guest

    My boss recently got some spam that made it through our Trend C/S/M spam
    filter. This in and of itself is not all that alarming, but in the TO:
    field was the address of one of our employees, my boss and 3 other employess
    and 2 email aliases of other employees were CC'd on this message as well.
    He was worried that somehow some of our email addresses were leaked. I'm
    guessing that 1 of 2 things happened to cause this.

    1) Someone that has all of these addresses external to our company was
    hacked or infected by someone that obtained these addresses.
    OR
    2) An email was intercepted at some point in its journey either from or to
    our server and these addresses were obtained that way.

    The flaw in my theory is that the 2 aliases are not something that we email
    from or would give out to anyone we consistently email. These are addresses
    that we use when placing "help wanted" type ads. So I'm looking for any
    input someone might have out there. I know we're not an open relay or
    anything.

    Thanks in advance,
    Phil
     
    Phil, Nov 17, 2004
    #1

  2. Allen M Guest

    Obtaining internal email addresses is not too hard these days. Many spammers
    can get them from places such as public newsgroups like this or from your
    number 2 guess. They can also get it direct from within your company in a
    very innocent way. Someone can get an email asking them who do I need to
    talk to about such and such and the person replies "Send an email to
    ,. He's the guy to talk to." As far as email aliases, that too
    is pretty easy in itself. If you have a public webpage then email aliases
    are common there. Such as , ,
    , . It's an easy guessing game.
    You get the picture.
     
    Allen M, Nov 17, 2004
    #2

  3. Do you have recipient filtering enabled on your SBS/Exchange 2003 server?

    A side effect of this feature is that a malicious sender or a sender of
    unsolicited commercial e-mail can enumerate e-mail addresses that do exist
    by using a technique that is known as a directory harvest attack.

    For additional information about the recipient filtering feature, view the
    following article in the Microsoft Knowledge Base:

    823866 How to configure connection filtering to use Real-time Block Lists
    (RBLs)
    http://support.microsoft.com/?id=823866

    For more information on a security update that you can install to help
    prevent the enumeration of e-mail addresses in your Microsoft Exchange
    organization, view the following article in the Microsoft Knowledge Base:

    842851 A security update is available to help prevent the enumeration of
    http://support.microsoft.com/?id=842851

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 17, 2004
    #3
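    The directory harvest attack Chris describes leaves a recognisable trace on
    the receiving side: one client issuing many RCPT TO commands, most of them
    answered with a 5xx "user unknown" reply. The script below is an added example
    (not part of this thread or of any Microsoft tool) that flags that pattern in
    a constructed, one-line-per-RCPT log; the log format, the client IPs and the
    recipient names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example, one line per RCPT TO:
#   <ISO-8601 time> <client IP> RCPT <recipient> <SMTP reply code>
LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (\d{3})$")


def constructed_sample():
    """Constructed sample log, not real traffic: one client guessing 30 mailbox
    names in 30 seconds (one guess happens to exist), plus a legitimate sender
    who mistypes one address."""
    lines = []
    base = datetime(2004, 11, 17, 9, 0, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        code = "250" if i == 7 else "550"
        lines.append(f"{ts} 203.0.113.5 RCPT user{i}@example.com {code}")
    legit = [("alice@example.com", "250"),
             ("bbo@example.com", "550"),
             ("bob@example.com", "250")]
    for i, (rcpt, code) in enumerate(legit):
        ts = (base + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 RCPT {rcpt} {code}")
    return lines


def parse_line(line):
    """Return (timestamp, client_ip, recipient, reply_code) or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, rcpt, code = m.groups()
    return datetime.fromisoformat(ts), ip, rcpt.lower(), int(code)


def find_harvesters(lines, window=timedelta(minutes=5), min_rejects=20, min_ratio=0.8):
    """Return {client_ip: (distinct_rejected, total_rcpts)} for each client that,
    within some sliding window, had at least min_rejects distinct recipients
    rejected with a 5xx reply and whose rejects were at least min_ratio of its
    RCPT commands. A legitimate sender with the odd typo never reaches that."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, rcpt, code = parsed
            events[ip].append((ts, rcpt, code))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # advance j so evs[i:j] is everything within `window` of evs[i]
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            rejected = {r for _, r, c in chunk if 500 <= c < 600}
            if len(rejected) >= min_rejects and len(rejected) / len(chunk) >= min_ratio:
                flagged[ip] = (len(rejected), len(chunk))
                break
    return flagged


if __name__ == "__main__":
    for ip, (rej, total) in find_harvesters(constructed_sample()).items():
        print(f"possible directory harvest from {ip}: "
              f"{rej} distinct rejected recipients out of {total} RCPT commands")
```

    The thresholds are deliberately conservative: a real mail server sees typos
    and stale addresses all day, so the ratio test matters as much as the count.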
  4. Phil Guest

    Chris,

    By setting up the connection filtering to use RBLs, will this potentially
    block legitimate emails from reaching the server?

    Phil
     
    Phil, Nov 17, 2004
    #4
  5. Phil Guest

    Also, what RBL service can I use? Or where can I find a list of them?

    Thanks again,
    Phil
     
    Phil, Nov 17, 2004
    #5
  6. Yes, using an RBL can potentially block legitimate email if the sender's
    server happens to get on an RBL that you subscribe to. For example, some
    RBLs automatically include any servers that have a dynamic IP address.
    So I could not send you email from my test SBS 2003 server at home (which
    has a dynamic IP) unless I configured it to use a smarthost that was not on
    an RBL and (the smarthost) allowed me to relay through them.

    Here's a list of some RBLs (some charge and some do not depending on the
    amount of traffic):

    - http://www.spamcop.net
    - http://www.spamhaus.org
    - http://www.dnsstuff.com
    - http://www.openrbl.org
    - http://www.dsbl.org
    - http://www.mail-abuse.com
    - http://postmaster.info.aol.com/
    - http://ordb.org
    - http://www.moensted.dk/spam/

    BTW, the main thing I wanted you to get out of 823866 is where to find the
    checkboxes for Recipient Filtering to see if it was enabled. Recipient
    Filtering and Real-time Block Lists are two different things you can use to
    limit the amount of spam your server receives. With Recipient Filtering
    enabled, you could be susceptible to a directory harvest attack and that
    might help explain how someone got those addresses you were asking about.

    823866 How to configure connection filtering to use Real-time Block Lists
    (RBLs)
    http://support.microsoft.com/?id=823866

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 17, 2004
    #6
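    An RBL check is just a DNS lookup: the connecting client's IPv4 octets are
    reversed and prefixed to the list's zone, and an answer in 127.0.0.0/8
    means "listed". The code below is an added example, not something from this
    thread or from Exchange; it uses made-up zone names and a fake resolver so it
    runs offline, and it applies the per-list policy Chris's caveat calls for:
    reject on a spam-source list, only tag on a dynamic-IP list so a home server
    on a dynamic address still gets through.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the lookup name: octets reversed, then the list's zone.
    203.0.113.5 against list.test becomes 5.113.0.203.list.test"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if `ip` is listed in `zone`, else None.
    `resolve` is injectable so the logic can be tested without network access."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # Lists answer from 127.0.0.0/8; anything else is a broken or hijacked zone
    # (e.g. a wildcard parked domain) and must not count as a listing.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def smtp_verdict(ip, policy, resolve=socket.gethostbyname):
    """Check `ip` against every zone in policy ({zone: "reject" | "tag"}) and
    return (verdict, hits); "reject" wins over "tag" wins over "accept"."""
    verdict, hits = "accept", []
    for zone, action in policy.items():
        answer = check_dnsbl(ip, zone, resolve)
        if answer is None:
            continue
        hits.append((zone, answer))
        if action == "reject":
            verdict = "reject"
        elif action == "tag" and verdict == "accept":
            verdict = "tag"
    return verdict, hits


# Constructed, hypothetical list data using documentation IP ranges; the zone
# names and answer codes are made up for this example.
FAKE_ZONE_DATA = {
    "5.113.0.203.spam.example-dnsbl.test": "127.0.0.2",       # known spam source
    "7.100.51.198.dynamic.example-dnsbl.test": "127.0.0.10",  # dynamic-IP range
    "9.2.0.192.broken.example-dnsbl.test": "198.51.100.99",   # bogus answer
}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname backed by FAKE_ZONE_DATA."""
    if name not in FAKE_ZONE_DATA:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_ZONE_DATA[name]


# Hypothetical policy: block on the spam list, only tag on the dynamic-IP list.
POLICY = {
    "spam.example-dnsbl.test": "reject",
    "dynamic.example-dnsbl.test": "tag",
    "broken.example-dnsbl.test": "reject",
}

if __name__ == "__main__":
    for client in ("203.0.113.5", "198.51.100.7", "192.0.2.9", "192.0.2.1"):
        print(client, smtp_verdict(client, POLICY, fake_resolve))
```

    Swap `fake_resolve` for the default `socket.gethostbyname` and real zone
    names to run it against a live list; the tag-versus-reject split is where a
    false positive like the dynamic-IP case gets handled.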
  7. Andrew H Guest

    Chris, do you have any recommendations for the Tarpit setting mentioned in
    842851? The article tells where in the registry to set the value, but
    doesn't suggest whether a suitable value is a few seconds, or hundreds or
    thousands of seconds.
     
    Andrew H, Nov 18, 2004
    #7
  8. It's completely arbitrary. I would probably start with 24 hours (86,400
    seconds) and go up from there.

    With this setting, if someone were trying a directory harvest attack, they
    would have to wait 24 hours before finding out if the address existed or
    not.

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 18, 2004
    #8
  9. I just heard back from the author of the 842851 article and he suggested a
    value of 5 seconds.

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 18, 2004
    #9
  10. Andrew H Guest

    Wow, that's quite a variance - 5 seconds to 86,400 seconds! But from the
    point of view of making life difficult for the spammers, does the author
    reckon 5 seconds achieves that result?
     
    Andrew H, Nov 19, 2004
    #10
  11. Yes he did.

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 19, 2004
    #11
  12. Hi!

    Chris Puckett [MSFT] wrote

    Chris, if you can reach an author of that KB article, could you please
    tell him that it is plain wrong as of today? It looks like it was
    changed recently to advise to install MS04-035 (KB885881) fix to add
    this feature: "To add the tar pit feature to Exchange 2003, install the
    MS04-035 security update for Windows Server 2003."

    Unfortunately, this hotfix will NOT install QFE dll with this feature
    implemented - it will only install GDR version (without tar pit) if you
    have not had the original fix installed.

    To others: To add tar pit to exchange, you have two ways (until correct
    fix is available from MS):
    1. Call MS, get original KB842851 fix (the correct updated dll from
    MS04-035 will be used)
    2. Install QFE dll yourself (it is included in MS04-035) - but that's
    not supported by MS, you know...

    As for a value of TarpitTime - I'd suggest about 30 - 60 seconds.
    The usual timeout for SMTP session is 10 min (this is at least default
    for MS SMTP), so the way Tar Pit feature is implemented by this hotfix
    it shouldn't be a problem of waiting a minute before giving a reply
    (550 5.1.1 User unknown) to RCPT TO command with the email not found in AD.

    Thanks,
    Dmitry
     
    Dmitry Gromov, Nov 20, 2004
    #12
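    The tar pit discussed from post #7 onward only makes sense once you see where
    the delay sits in the SMTP exchange. The simulation below is an added example
    (not Exchange code and not from this thread): a RCPT TO handler with a
    constructed directory standing in for AD, a recipient-filtering switch and a
    TarpitTime value. With filtering off, unknown recipients get 250 and bounce
    later, so the session is no oracle; with filtering on, the 550 5.1.1 reply
    Dmitry quotes is the oracle, and the tar pit charges the sender
    TarpitTime seconds per negative answer while known recipients are never
    delayed. A fake clock records the sleeps so the cost of a harvest can be
    measured offline.

```python
import re
import time

RCPT_RE = re.compile(r"^RCPT TO:<([^<>]+)>$", re.IGNORECASE)

# Constructed directory standing in for the mailboxes Exchange would look up in AD.
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}


class FakeClock:
    """Records sleeps instead of blocking so the tar pit cost can be measured."""
    def __init__(self):
        self.elapsed = 0.0

    def sleep(self, seconds):
        self.elapsed += seconds


class RcptHandler:
    def __init__(self, directory, recipient_filtering=True,
                 tarpit_seconds=0.0, sleep=time.sleep):
        self.directory = {a.lower() for a in directory}
        self.recipient_filtering = recipient_filtering
        self.tarpit_seconds = tarpit_seconds  # the TarpitTime value, in seconds
        self.sleep = sleep

    def rcpt_to(self, command):
        """Answer one RCPT TO command the way the three configurations would."""
        m = RCPT_RE.match(command.strip())
        if not m:
            return "501 5.5.4 Syntax error in parameters"
        addr = m.group(1).lower()
        if addr in self.directory:
            return "250 2.1.5 Recipient OK"          # never delayed
        if not self.recipient_filtering:
            # Filtering off: accept now, generate an NDR later. The sender
            # cannot tell a real mailbox from a guess at this point.
            return "250 2.1.5 Recipient OK"
        # Filtering on: the 550 is the oracle; the tar pit makes each negative
        # answer cost the sender tarpit_seconds of session time.
        if self.tarpit_seconds > 0:
            self.sleep(self.tarpit_seconds)
        return "550 5.1.1 User unknown"


def probe_addresses(handler, addresses):
    """Send one RCPT TO per address; return the set answered 250, which is
    exactly what a harvester learns from the session."""
    return {a for a in addresses
            if handler.rcpt_to(f"RCPT TO:<{a}>").startswith("250")}


def harvest_cost(tarpit_seconds, guesses, recipient_filtering=True):
    """Run `guesses` through a handler with the given tar pit and return
    (addresses_confirmed, seconds_of_delay) measured with a fake clock."""
    clock = FakeClock()
    handler = RcptHandler(KNOWN_MAILBOXES, recipient_filtering,
                          tarpit_seconds, clock.sleep)
    return probe_addresses(handler, guesses), clock.elapsed


if __name__ == "__main__":
    guesses = [f"user{i}@example.com" for i in range(98)] + sorted(KNOWN_MAILBOXES)
    for t in (0, 5, 60, 86400):  # values discussed in the thread
        confirmed, spent = harvest_cost(t, guesses)
        print(f"tarpit {t:>6}s: {len(confirmed)} confirmed of {len(guesses)} guesses, "
              f"{spent:.0f}s of delay imposed")
    confirmed, spent = harvest_cost(5, guesses, recipient_filtering=False)
    print(f"filtering off: {len(confirmed)} 'confirmed' (all accepted), {spent:.0f}s delay")
```

    The numbers make the thread's point concrete: 98 wrong guesses cost a
    harvester 490 seconds at 5 seconds per reply and over a day at 60 seconds,
    while a legitimate sender addressing an existing mailbox waits for nothing.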
  13. Appreciate the notification on this.

    I will pass it along to the appropriate group.

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Chris Puckett [MSFT], Nov 22, 2004
    #13