[Mimedefang] OWA spam scripting attack

Jeff Rife mimedefang at nabs.net
Thu Oct 23 09:36:07 EDT 2008 

On 23 Oct 2008 at 8:57, Todd Aiken wrote:

>                                                  Regardless of having told
> our users numerous times that we will never do this, and to ignore these
> types of requests, some fool usually goes ahead and sends the spammer their
> credentials.  This ends up in the spammer taking those credentials and using
> some sort of script to send out their spam from our Exchange 2003 OWA
> webmail system until we change the user's password.
> 
> Just wondering if anybody has any ideas at how to stop this from happening?
> Unfortunately, our site policy prevents me from deleting any incoming
> messages, regardless of how highly they are rated by MIMEDefang/SpamAssassin
> as being spam... I am only allowed to flag them as such and then it's up to
> the individual user to filter based on that flag; otherwise, I would delete
> these stupid phishing messages before they got to our Exchange server.  And
> I do not parse outgoing messages from our Exchange server to the outside
> world with MIMEDefang because there was never any need before now.  Is there
> something I can do on Exchange to prevent these OWA scripting attacks
> (besides dump Exchange, if only I could...)?

Exchange should *never* speak directly to the outside world when 
sending mail...it has too much of Microsoft's "interpretation" of SMTP. 
So, if it has to relay through something else, that might as well be 
the box running MD (unless the load is too high, in which case build 
another box).

After that, there are many options to block the *outgoing* security 
risks.

But, if you can't delete, can't educate, and can't scan outgoing, then 
my only suggestion is that if you can identify these phishing e-mails, 
modify the headers so that any replies go to some proxy holding system 
that allows you to examine them before they are allowed to truly be 
sent.  Armed with enough e-mails in that quarantine that show how large 
a security hole this is, perhaps you could persuade management to allow 
you to delete the incoming messages.


--
Jeff Rife | "There was a guy that was killed just like this 
          |  over in Jersey." 
          | "Yeah, but I figure, 'What the hell, 
          |  that's Jersey.'" 
          |         -- "Highlander"

More information about the MIMEDefang mailing list