Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Usernames Tried During Authenticated User Attack

Over the weekend one of my clients suffered an authenticated user attack on the SMTP interface of the Exchange 2003 server. This was detected by the monitoring tool I use, HoundDog (http://www.hounddogiseasy.com/referrer.html?code=YNPX).

The attack was unsuccessful, as I have all of the authentication options disabled.

However, what was interesting was the list of usernames that were tried. Some of them are to be expected, but others perhaps not. I have included the list at the end of this posting.

What this list tells you is which usernames should be avoided: some of them may well exist on a server as test accounts with basic or no passwords, and are therefore easily compromised.
As authenticated user relaying is enabled by default on Exchange 2000 and 2003, if an account can be compromised, even one with limited privileges, it can be used to relay spam through your server.

If you do not have anyone using POP3/IMAP accounts on your Exchange server, then authenticated relaying should be disabled completely. It is not required for the correct operation of Exchange with MAPI, Outlook RPC over HTTPS, Outlook Web Access, Windows Mobile or Blackberry.
If you do have POP3/IMAP users, then lock down authenticated relaying to those specific users only. I have added a link below to my article on amset.info with instructions on how to do that.

If you are the victim of an authenticated user attack, remember that most of them are not aimed at you or your company directly: a spammer wants to use your bandwidth to send their messages, whether to sell something or as a phishing attack.

Related Articles
Securing the authenticated relaying: http://www.amset.info/exchange/smtp-relaysecure.asp
Spam Cleanup: http://www.amset.info/exchange/spam-cleanup.asp

List of Usernames Targeted During Authenticated User Attack

webmaster
service
web
info
root
backup
tech
test
Administrateur
administrator
admin
tunnel
nagios
visitor
access
account
data
server
user
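As an added example (not part of the original post), here is a small Python detector that groups failed SMTP AUTH attempts by client IP and reports which of the guessed names match the list above; the log line format and the sample lines are constructed for illustration, since the post does not show the monitoring tool's output.

```python
import re
from collections import defaultdict

# The usernames listed at the end of the post as tried during the attack.
TARGETED_USERNAMES = {
    "webmaster", "service", "web", "info", "root", "backup", "tech", "test",
    "administrateur", "administrator", "admin", "tunnel", "nagios", "visitor",
    "access", "account", "data", "server", "user",
}

# Constructed sample lines in a simplified, hypothetical format (date time client-ip
# AUTH mechanism user=... result=...); a real SMTP protocol log needs its own parser.
SAMPLE_LOG = """\
2009-04-18 03:12:01 203.0.113.5 AUTH LOGIN user=webmaster result=FAIL
2009-04-18 03:12:02 203.0.113.5 AUTH LOGIN user=service result=FAIL
2009-04-18 03:12:03 203.0.113.5 AUTH LOGIN user=root result=FAIL
2009-04-18 03:12:04 203.0.113.5 AUTH LOGIN user=test result=FAIL
2009-04-18 03:12:05 203.0.113.5 AUTH LOGIN user=Admin result=FAIL
2009-04-18 03:12:06 203.0.113.5 AUTH LOGIN user=jsmith result=FAIL
2009-04-18 08:30:10 198.51.100.7 AUTH LOGIN user=jsmith result=OK
2009-04-18 08:31:12 198.51.100.7 AUTH LOGIN user=jsmith result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) AUTH \S+ user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_auth_events(text):
    """Return one dict per AUTH line; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_auth_attacks(events, min_failures=5, min_distinct_users=3):
    """Group failed AUTH attempts by client IP and flag IPs that look like a
    username-guessing run: many failures spread across several usernames."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] != "OK":
            failures[ev["ip"]].append(ev["user"].lower())
    findings = {}
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_distinct_users:
            findings[ip] = {
                "failures": len(users),
                "usernames": sorted(distinct),
                # Guesses that match the post's list: accounts worth auditing first.
                "known_targets": sorted(distinct & TARGETED_USERNAMES),
            }
    return findings
```

The thresholds are deliberately low so that a short run such as the one in the post is caught; tune them to the volume of legitimate POP3/IMAP logins on your server.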

Successful Exchange 2007 Backup Log Sequence

This is for reference really.
The events below are the sequence for a successful backup of an Exchange database on Exchange 2007. It should apply whatever backup application you are using, as long as it is Exchange aware.

When the job starts, this is logged:

 Event Type:      Information
 Event Source:      ESE
 Event Category:      Logging/Recovery
 Event ID:      210
 Date:            17/04/2009
 Time:            05:13:25
 User:            N/A
 Computer:      SERVER3
 Description:
 MSExchangeIS (3680) First Storage Group: A full backup is starting.

This is immediately followed by an event telling you which database is going to be backed up (you would see one for each database):

 Event Type:      Information
 Event Source:      ESE
 Event Category:      Logging/Recovery
 Event ID:      220
 Date:            17/04/2009
 Time:            05:13:25
 User:            N/A
 Computer:      SERVER3
 Description:
 MSExchangeIS (3680) First Storage Group: Beginning the backup of the file E:\Exchange Databases\First Storage Group\Mailbox Database.edb (size 3206 Mb).

When the backup is complete you get this reference:

 Event Type:      Information
 Event Source:      ESE
 Event Category:      Logging/Recovery
 Event ID:      221
 Date:            17/04/2009
 Time:            05:15:18
 User:            N/A
 Computer:      SERVER3
 Description:
 MSExchangeIS (3680) First Storage Group: Ending the backup of the file E:\Exchange Databases\First Storage Group\Mailbox Database.edb.

With the database backed up, the transaction logs are backed up next. The Exchange backup will include the logs that were generated while the database backup was running. This store is quite small, so only a few log files are required:

 Event Type:      Information
 Event Source:      ESE
 Event Category:      Logging/Recovery
 Event ID:      223
 Date:            17/04/2009
 Time:            05:15:18
 User:            N/A
 Computer:      SERVER3
 Description:
 MSExchangeIS (3680) First Storage Group: Starting the backup of log files (range D:\Exchange Transaction Logs\First Storage Group\E0000005127.log - D:\Exchange Transaction Logs\First Storage Group\E0000005136.log). 

If the backup was successful, then the completion message is logged:

 Event Type:      Information
 Event Source:      ESE
 Event Category:      Logging/Recovery
 Event ID:      213
 Date:            17/04/2009
 Time:            05:15:56
 User:            N/A
 Computer:      SERVER3
 Description:
 MSExchangeIS (3680) First Storage Group: The backup procedure has been successfully completed.

Finally, the committed transaction logs are flushed. You will notice that the last log being flushed is the one immediately before the first log of the range backed up earlier in the sequence.

 Event Type:      Information
 Event Source:      ESE BACKUP
 Event Category:      General
 Event ID:      916
 Date:            17/04/2009
 Time:            05:18:16
 User:            N/A
 Computer:      SERVER3
 Description:
 Information Store (3680) Deleting log files D:\Exchange Transaction Logs\First Storage Group\E00000050E1.log to D:\Exchange Transaction Logs\First Storage Group\E0000005126.log.

The backup is successfully completed.
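As an added example, not from the original post, the following Python checks an exported event-log text against the sequence above and confirms that the last log deleted in event 916 is the generation immediately before the first log backed up in event 223; the condensed event text is constructed from the events shown, and the E00 + 8-hex-digit log naming is the Exchange 2007 convention.

```python
import re

# Expected ESE event order for a successful full backup of one storage group, as laid
# out in the post: start, database begin/end, log backup, completed, then 916 truncation.
EXPECTED_SEQUENCE = [210, 220, 221, 223, 213, 916]
LOG_RE = re.compile(r"(E[0-9A-F]{10})\.log")
# Constructed excerpt in the "Key: value" layout of the post, condensed to two lines per event.
SAMPLE_EVENTS = r"""Event ID: 210
Description: MSExchangeIS (3680) First Storage Group: A full backup is starting.
Event ID: 220
Description: MSExchangeIS (3680) First Storage Group: Beginning the backup of the file E:\Exchange Databases\First Storage Group\Mailbox Database.edb (size 3206 Mb).
Event ID: 221
Description: MSExchangeIS (3680) First Storage Group: Ending the backup of the file E:\Exchange Databases\First Storage Group\Mailbox Database.edb.
Event ID: 223
Description: MSExchangeIS (3680) First Storage Group: Starting the backup of log files (range D:\Exchange Transaction Logs\First Storage Group\E0000005127.log - D:\Exchange Transaction Logs\First Storage Group\E0000005136.log).
Event ID: 213
Description: MSExchangeIS (3680) First Storage Group: The backup procedure has been successfully completed.
Event ID: 916
Description: Information Store (3680) Deleting log files D:\Exchange Transaction Logs\First Storage Group\E00000050E1.log to D:\Exchange Transaction Logs\First Storage Group\E0000005126.log.
"""

def parse_events(text):
    """Split exported event text into dicts keyed by the 'Key:' labels, one per 'Event ID:' line."""
    events = []
    for block in re.split(r"\n(?=Event ID:)", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def log_generation(name):
    """E0000005127 -> 0x5127: the hex generation number after the E00 log prefix."""
    return int(name[3:], 16)

def check_backup_sequence(events):
    """Return (ok, problems) for the events of one storage group's backup run."""
    problems = []
    ids = [int(ev["Event ID"]) for ev in events]
    if ids != EXPECTED_SEQUENCE:
        problems.append("event order %s != %s" % (ids, EXPECTED_SEQUENCE))
    by_id = {int(ev["Event ID"]): ev for ev in events}
    backed_up = LOG_RE.findall(by_id.get(223, {}).get("Description", ""))
    deleted = LOG_RE.findall(by_id.get(916, {}).get("Description", ""))
    if not (backed_up and deleted):
        problems.append("missing log range in event 223 or 916")
    # Last log truncated by 916 must immediately precede the first log backed up in 223.
    elif log_generation(deleted[-1]) + 1 != log_generation(backed_up[0]):
        problems.append("truncation gap: %s -> %s" % (deleted[-1], backed_up[0]))
    return (not problems, problems)
```

A gap between the deleted and backed-up ranges would mean logs were truncated that no backup holds, which is exactly the situation to catch before a restore is needed.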

Change of Company Name

As you may be aware, my consultancy company is Amset IT Solutions Ltd. If you hire me, then this is who you pay your bills to. As from 1st April 2009, that company name is no more. I changed it to Sembee Ltd.

There are a number of reasons why I changed it, the main one being to more closely link the company to me in an attempt to increase business. I also wanted a shorter, more general name for business purposes.

It will take some time for the change to be reflected in everything I do, for example the branding on amset.info is still amset, but sembee.info points to the same place.

That was also the reason why the blog URL changed to blog.sembee.co.uk, as I wanted to use www.sembee.co.uk for the company address.

Otherwise everything else remains the same.

Blackberry BES Application Pushing - HardwareID not found error

Blackberry - not a subject I usually touch on, but as I am using a BES variant with my Exchange system I thought I would post this little snippet.

I recently exchanged my very old 7230 Blackberry for a new Curve 8310. I found that my previously published applications, Google Maps and Google Search, were not appearing on the device.

A look through the event log on the server gave me this error:

Event Type: Warning
Event Source: BlackBerry Policy Service
Event Category: None
Event ID: 20000
Date:  29/03/2009
Time:  21:15:32
User:  N/A
Computer: BES-SERVER
Description:
Device info for hardwareID 0x8d000f03 could not be found.

I had no idea what that meant, and I couldn't find anything clear on Google either.
However, looking through older posts on some forums from when the 8700 series was released, I was pointed to a file called device.xml, which can be found in this location: "C:\Program Files\Common Files\Research In Motion\AppLoader"

Apparently if your device doesn't appear in the list, then you will get the above error.

I am using Blackberry Professional Edition, which is currently on 4.1.4, whereas the current version of Blackberry Enterprise Server is 4.1.6 (or very close, at the time of writing). The device.xml file was quite out of date and the ID number in the error message did not appear in the file. I needed to update the file!

You can get an updated device.xml by installing the latest Desktop Software from Blackberry (4.7 at the time of writing) somewhere. I have seen references to the desktop software being installed on the server, but I already had it on my laptop for playing around with the device. The file is found in the same location on both the server and the workstation. I went from a file that was only 8kb in size to a 16kb file.

I simply copied the file from my laptop into the same location on my Blackberry server, re-ran the "loader /index" command and then restarted the Blackberry Policy service. The application pushed out to the device shortly afterwards.

Are you using the right feed address for this blog?

This is a posting for anyone reading this blog using a feed reader.

I am going to be making some changes to the blog in the next couple of weeks, and this could affect the RSS feed.

If your feed address is "feeds.sembee.co.uk/sembee" then you can stop reading now and go somewhere else, as that feed will not be affected.

If you are using a feed that starts with the address of www.sembee.co.uk then you will need to change it to the Feedburner feed to ensure that you continue to receive the feed from this blog: http://feeds.sembee.co.uk/sembee