Friday, July 01, 2011

One Spam To Spam Them All!

This is a plain boring blog post. In fact, it's a blog post that in a perfect world would be completely unnecessary to write. In my world, this blog post is necessary in order to make Microsoft Exchange admins, as well as mail gateway/antispam operators and operations security people, aware of a very simple but highly important configuration issue in Microsoft Exchange.
I'll make this short:

A Distribution list in Microsoft Exchange is a group of users that will receive all e-mail sent to that list. In the screenshot below I've highlighted a distribution list, and added that list to the recipient list:


By double-clicking on the list, you get to see the properties of the list, including its owner and the members of the list:


Moving on to the E-mail Addresses tab, you get to see any and all SMTP addresses that have been automatically created for that distribution list upon creation (sorry about all the blurring here, but you do understand why, right?)


Now for the "fun" part of this:
As far as I know, such lists are not "protected" by default. Effectively, that means a single e-mail from the Internet to this SMTP address will be distributed to all members of the list. Suddenly, having all at yourdomain.com available to the CEO and the internal Pravda (info) department for internal announcements doesn't seem like such a good idea after all.

Spam mail is filtered in many ways, for instance by looking for mail of equal size and contents sent to a large number of e-mail addresses within a certain (short) time frame. As we've read lately about APT attacks, targeted e-mail with malicious attachments has been sent to specific individuals and/or small groups of people.

A single malicious e-mail sent to such a distribution list could very likely bypass several levels of antispam/antivirus controls, while reaching potentially every employee's mailbox through Exchange and Outlook. You don't want that to happen.

So before going on vacation for the summer, please ask your Exchange admins if they have read, understood and implemented the default setting of "From authenticated users only" for all existing and new distribution lists (MSKB827616). This will effectively block such an attack. (And, as I've experienced first-hand many times, if you don't block it you get a lot of people calling you, asking W%&T¤%&#F?!?!?! ARE YOU DOING?)

This is a quick win. The only little problem: some distribution lists, perhaps like info at yourdomain.com, are actually there to receive e-mail from unauthenticated users on the Internet. Take that into account before you send some poor Exchange admin clicking his way through a few thousand distribution lists. :-)
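Rather than clicking through thousands of lists, the audit (and the fix, with an allowlist for lists like info@ that must stay open) can be scripted. The script below is an added example, not from the original post; it assumes the Exchange Management Shell cmdlets of Exchange 2007/2010 (Get-DistributionGroup and its RequireSenderAuthenticationEnabled property, which is the same "From authenticated users only" control) and uses constructed allowlist addresses you would replace with your own.

```powershell
# Audit distribution groups that accept mail from unauthenticated (Internet)
# senders; with -Fix, switch every non-exempt group to "authenticated only".
# Assumes the Exchange Management Shell (Exchange 2007/2010 cmdlets).
param(
    [switch]$Fix    # without -Fix the script only reports, changes nothing
)

# Lists that legitimately must receive Internet mail. Constructed examples,
# lowercase, replace with the real ones (the "info" list from the post, etc.).
$AllowExternal = @('info@yourdomain.com', 'sales@yourdomain.com')

# Mail-enabled security groups are returned here too, which is what we want.
$open = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled }

$report = foreach ($g in $open) {
    $primary = $g.PrimarySmtpAddress.ToString().ToLower()
    $exempt  = $AllowExternal -contains $primary

    # Member count shows the blast radius of one message to this address.
    $members = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited |
        Measure-Object
    # New-Object instead of [pscustomobject] so it runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Name        = $g.Name
        PrimarySmtp = $primary
        Members     = $members.Count
        Exempt      = $exempt
    }

    if ($Fix -and -not $exempt) {
        # From now on Exchange rejects mail to this list from unauthenticated senders.
        Set-DistributionGroup -Identity $g.Identity -RequireSenderAuthenticationEnabled $true
    }
}

# Largest open lists first: those are the ones a single spam hits hardest.
$report | Sort-Object Members -Descending |
    Format-Table Name, PrimarySmtp, Members, Exempt -AutoSize
```

Run it without -Fix first and review the exempt column against the lists that really take mail from the Internet before flipping the setting.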