[Mimedefang] OWA spam scripting attack
Jeff Rife
mimedefang at nabs.net
Thu Oct 23 09:36:07 EDT 2008
On 23 Oct 2008 at 8:57, Todd Aiken wrote:
> Regardless of having told
> our users numerous times that we will never do this, and to ignore these
> types of requests, some fool usually goes ahead and sends the spammer their
> credentials. This ends up in the spammer taking those credentials and using
> some sort of script to send out their spam from our Exchange 2003 OWA
> webmail system until we change the user's password.
>
> Just wondering if anybody has any ideas on how to stop this from happening?
> Unfortunately, our site policy prevents me from deleting any incoming
> messages, regardless of how highly they are rated by MIMEDefang/SpamAssassin
> as being spam... I am only allowed to flag them as such and then it's up to
> the individual user to filter based on that flag; otherwise, I would delete
> these stupid phishing messages before they got to our Exchange server. And
> I do not parse outgoing messages from our Exchange server to the outside
> world with MIMEDefang because there was never any need before now. Is there
> something I can do on Exchange to prevent these OWA scripting attacks
> (besides dump Exchange, if only I could...)?

Exchange should *never* speak directly to the outside world when
sending mail...it has too much of Microsoft's "interpretation" of SMTP.
So, if it has to relay through something else, that might as well be
the box running MD (unless the load is too high, in which case build
another box).

After that, there are many options to block the *outgoing* security
risks.

But, if you can't delete, can't educate, and can't scan outgoing, then
my only suggestion is that if you can identify these phishing e-mails,
modify the headers so that any replies go to some proxy holding system
that allows you to examine them before they are allowed to truly be
sent. Armed with enough e-mails in that quarantine that show how large
a security hole this is, perhaps you could persuade management to allow
you to delete the incoming messages.

--
Jeff Rife | "There was a guy that was killed just like this
| over in Jersey."
| "Yeah, but I figure, 'What the hell,
| that's Jersey.'"
| -- "Highlander"
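
The header rewrite suggested in the reply above, sketched as a `filter_end` for a MIMEDefang filter file. This is an added example, not code from the thread or from the MIMEDefang project; it assumes SpamAssassin is enabled in MIMEDefang, and the rule name `LOCAL_CRED_PHISH` and the address `holding@example.org` are hypothetical.

```perl
# Fragment for the site's mimedefang-filter (added example).
# Assumptions: a site-local SpamAssassin rule named LOCAL_CRED_PHISH
# marks the credential-request messages, and holding@example.org is a
# mailbox that only administrators read. Both names are hypothetical.
my $HOLDING_ADDR = 'holding@example.org';
my $PHISH_RULE   = 'LOCAL_CRED_PHISH';

sub filter_end {
    my ($entity) = @_;

    return unless $Features{"SpamAssassin"};
    # Skip very large messages rather than scanning them.
    return if -s "./INPUTMSG" > 100 * 1024;

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $names;

    # $names is a comma-separated list of the rules that fired.
    my %fired = map { $_ => 1 } split /\s*,\s*/, $names;
    return unless $fired{$PHISH_RULE};

    # Keep the sender-supplied reply address for later review.
    # ./HEADERS holds the original headers, one per line.
    my $orig;
    if (open(my $fh, '<', './HEADERS')) {
        while (my $line = <$fh>) {
            if ($line =~ /^Reply-To:\s*(.*?)\s*$/i) {
                $orig = $1;
                last;
            }
        }
        close($fh);
    }
    action_add_header('X-Original-Reply-To', $orig)
        if defined $orig && length $orig;

    # Mail clients prefer Reply-To over From when replying, so a reply
    # goes to the holding mailbox. The message itself is still delivered,
    # which fits a flag-only site policy.
    action_change_header('Reply-To', $HOLDING_ADDR);
    md_syslog('warning',
        "phish reply redirected: sender=$Sender rule=$PHISH_RULE score=$hits/$req");
}
```

A header rewrite only catches replies made with the mail client's Reply function; it does not cover a user who copies an address out of the message body.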