Exchange & Outlook UPDATE, Exchange Edition, October 09, 2003

1. Commentary

- A New Kind of Attack

2. Announcements

- Attend Exchange Connections, Win a Free Vacation

- Sign Up for Free Replication E-Seminar!

3. Resources

- Script the Creation of Mail-Enabled Users

- Featured Thread: Rebuilding Exchange 2000

- Outlook Tip: Resolving Contact Names to Addresses in OWA

4. Events

- The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

5. New and Improved

- Integrate Email Messages and Other Information

- Tell Us About a Hot Product and Get a T-Shirt!

6. Contact Us

- See this section for a list of ways to contact us.

~~~~ Sponsor: Esker Software ~~~~

One solution seamlessly integrates fax with Exchange and standardizes desktop fax across the enterprise. Esker Fax enables high-performance desktop fax for local and remote users throughout your organization, with clustered and load-balanced implementation support for maximum availability and scalability, least cost routing to cut fax transmission costs, advanced inbound routing technology to speed document delivery and protect sensitive content, centralized management of enterprise fax delivery traffic, and more. Bred in the world of high-volume fax, Esker Fax also automates high-volume production faxing from host-based enterprise applications - without requiring application programming changes. Get your FREE Esker Fax information kit:

http://www.esker.com/exchange103

==== 1. Commentary: A New Kind of Attack ====

by Paul Robichaux, News Editor, [email protected]

A worrisome new kind of attack is making the rounds on the Internet. This new threat isn't a worm like SoBig or Slammer, and it isn't a virus like Swen--it's an insidious spam attack that victimizes innocent Exchange Server systems. And this attack is succeeding far more often than it should.

Spammers are scanning the Internet looking for SMTP servers. These spammers use retrieved banner information to identify Exchange servers, then use the SMTP service to mount brute-force password-guessing attacks against well-known accounts on those servers. That's right: Instead of attacking the increasingly well-defended Windows remote procedure call (RPC) services that most organizations use for logon authentication, this attack sends a barrage of SMTP AUTH LOGON commands until one succeeds.

"But wait a minute," you say. "Exchange Server 2003 and Exchange 2000 Server have relaying turned off by default!" Yes, they do--for unauthenticated users. But if a spammer manages to snag an authenticated user's credentials, the spammer can authenticate to your server and use it to blast out millions of spam messages. As a consequence, your server (and possibly your entire IP block) will likely end up on a variety of blacklists--and you'll probably receive a flood of angry messages from irate spam recipients. To make matters worse, all this activity probably will fill your queues and transaction logs, slowing your server's performance.

This attack's dastardly nature is worsened by the fact that the attack is mostly invisible unless you've turned on auditing for account-access events. The SMTP log that the Microsoft IIS SMTP component maintains doesn't record the use of SMTP AUTH, so you can't look for a sudden spike in the number of AUTH requests to indicate that you're under attack. Your first warning sign might be that your server starts getting waves of spam-generated nondelivery reports (NDRs). Fortunately, protecting your servers against this attack is a simple process.

First, make sure that your administrator accounts have strong, complex passwords with more than 15 characters that are a mix of letters, numbers, and symbols. (When a password has 16 or more characters, Windows can't locally store the password's easily-cracked LM hash.) Other user accounts also should have complex passwords, but protecting your privileged accounts against brute-force password guessing is especially important.

Second, if you don't allow relaying, consider turning it off completely on all external-facing servers. If you do allow relaying, I suggest you reconsider your decision. For example, if you allow relaying to support external POP users, consider whether you could accomplish this task another way (e.g., by using the users' ISPs).

Third, consider disabling both basic and Windows integrated authentication on any SMTP virtual server that faces the Internet. Doing so prevents password-guessing attacks, but it also prevents users from authenticating before sending email. If you must leave this feature enabled, make sure that you also enable account-object auditing and regularly monitor the Windows event logs for long series of event ID 528, which failed logon attempts generate.

Fourth, if you use an Intrusion Detection System (IDS), configure it to watch for failed SMTP authentication requests (i.e., tell it to look for the text "535 5.7.3 Authentication unsuccessful" at offset 54 in packets on TCP port 25). This warning will alert you to an attempted attack.

Microsoft knows about this type of attack and will probably take measures to protect against it at some point. Until then, keep a careful eye on your servers to make sure they aren't being attacked. (And thanks to Andy Webb, who first brought this subject to my attention.)

~~~~ Sponsor: Good Technology ~~~~

The first converged wireless device for the enterprise. Email. Data. Voice. Web. FREE Webinar.

GoodLink(tm) on the NEW Treo 600. Wireless access to Microsoft Outlook and corporate data, with integrated voice and Web functionality on one device. Based on industry-standards and with Triple DES security, GoodLink's cradle-free, real-time synchronization with Microsoft Exchange, eliminates desktop software which centralizes fleet management and lowers deployment and support costs.

http://altfarm.mediaplex.com/ad/ck/3450-16437-3892-1

==== 2. Announcements ====

(from Windows & .NET Magazine and its partners)

Attend Exchange Connections, Win a Free Vacation

Learn the latest tech tips and tricks from gurus like Tony Redmond, Sue Mosher, Paul Robichaux, and the Microsoft Exchange Team. Receive access to concurrently running Windows & .NET Magazine Connections, plus you'll have a chance to win a 5-day Las Vegas vacation with airfare for two. Register now online, or call 800-505-1201 or 203-268-3204.

http://www.winconnections.com/exc

Sign Up for Free Replication E-Seminar!

Learn how to solve your data integration and replication headaches with Vision Solutions' real-time replication solution. This free E-Seminar, brought to you by SQL Server Magazine, will be held on October 16, from 1-2pm EST. Register today for a chance to win a TiVo Digital Video Recorder! Click here now:

http://ssmu.webex.com/ssmu/onstage/mainframe.php?rnd8390=0.6260014153791399

~~~~ Hot Release: EIQ Networks ~~~~

LOWER YOUR EXCHANGE 2000 & 2003 MIGRATION COSTS Understand your Exchange environment and prioritize migration. Find server utilization, mail box growth trends, PF/DL activity, mail abusers, & Un-used mail boxes. Use ROI calculator to measure migration cost savings. Download a FREE TRIAL & Whitepaper TODAY!

http://www.eiqnetworks.com/Winnetmag_MA_Oct_2003.shtml

==== 3. Resources ====

Script the Creation of Mail-Enabled Users

Using a script to create mail-enabled users is easy after you know exactly which Active Directory (AD) attributes to put into place. The Microsoft article "HOWTO: Create a Mail-Enabled User with CDOEXM in Visual C++" discusses the process.

http://support.microsoft.com/?kbid=293339

Featured Thread: Rebuilding Exchange 2000

A forum reader has a virtual-memory problem with an Exchange 2000 Server system and wonders whether a rebuild is the only answer. To offer your advice or join the discussion, go to the following URL:

http://www.winnetmag.com/forums/rd.cfm?cid=40&tid=63853

Outlook Tip: Resolving Contact Names to Addresses in OWA by Sue Mosher, [email protected]

Q: I created a public folder to hold contacts, then used Outlook Web Access (OWA) to create contacts in that folder. But when I create a message in OWA and put the name of a contact from my public folder into the To box, OWA won't resolve the name. How can I get OWA to resolve the name?

A: When you use the desktop Outlook client, you can select the "Show this folder as an e-mail Address Book" check box on the Outlook Address Book tab of the folder's Properties dialog box to tell Outlook that you want to use a certain Contacts folder for address resolution. OWA, however, doesn't let you designate a folder for resolving addresses. OWA uses only the Global Address List (GAL) and your mailbox Contacts folder to resolve names.

To use a public-folder contact to address a message, you need to paste that address from the contact into the message's To box. The same is true for a contact in any contacts folder other than the default Contacts folder.

See the Exchange & Outlook Administrator Web site for more great tips from Sue Mosher.

http://www.exchangeadmin.com

==== 4. Events ==== (brought to you by Windows & .NET Magazine)

The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

Learn more about the wireless and mobility solutions that are available today, plus discover how going wireless can offer low risk, proven performance, and compatibility with existing and emerging industry standards. Register now for this free, 12-city event! http://www.winnetmag.com/roadshows/wireless

==== 5. New and Improved ==== by Carolyn Mader, [email protected]

Integrate Email Messages and Other Information

Back Office Solutions announced Harvest Desktop 2.2, a file- and desktop-management tool that lets users seamlessly integrate Web pages, documents, Outlook email messages, folders, and other information. Using Harvest Desktop, users can relate any piece of information with another without making duplicate copies of the information. Harvest Desktop also automatically looks for changes to Web pages and documents. Pricing starts at $199 for as many as five licenses. Contact Back Office Solutions at [email protected].

http://www.harvest-desktop.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

CrossTec

Free Download - NEW NetOp 7.6 - faster, more secure, remote support

http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/tryit/w2k.html

Microsoft

Attend a Microsoft(R) Office System Launch Event -- Get a FREE Eval Kit

http://ad.doubleclick.net/clk;6233617;8214395;l?http://click.atdmt.com/DDB/go/msg02800036ddb/direct/01/

==== 6. Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring UPDATE -- [email protected]