It is becoming increasingly common to see spam being relayed through servers that have all relaying options disabled. Why? Because your server thinks the spammers are authorized users. The spammers are authenticating; they are coming up with valid user names and passwords. Any server that has authentication (SMTP AUTH) enabled can potentially be compromised in this way.
How a Server Can Be Compromised
For example, by default, Microsoft Exchange 5.5, 2000, 2003 and the Exchange server with IIS/5 set up a guest account. This allows anyone to connect to and use the server. Even if you have configured the server to require authentication (meaning the user must supply a username and password), the guest account will allow the user to send mail through the server even if their login fails. The most commonly exploited accounts are admin, administrator, guest, test, demo, and webmaster, although any account with a weak or missing password is vulnerable.
Spammers have bots that make repeated attempts to authenticate, using a set of default and easy-to-guess username/password combinations. The most common combinations are guest/guest, admin/admin, test/test and demo/demo, and there are sites that list many default username/password combinations, so it is not hard to build a list to try. Spammers also use software (spamware) that allows brute-force username/password guessing. This heavy-duty software cycles through many common usernames and passwords, hoping to hit a match that works. If they get one that works, they effectively have an open relay.
Some sample usernames and passwords that are known to be used by at least one spammer:
(Data acquired from ROKSO, the Register of Known Spam Organizations.)
How the Exploit Works
The spammer connects to the server and goes through the normal HELO/EHLO. After this, one of the options the server offers is 250-AUTH=LOGIN. The spammer responds AUTH LOGIN and the server prompts with VXNlcm5hbWU6, which is the Base64-encoded version of Username:. The spammer then replies with the Base64-encoded version of the username he wants to (try to) use to authenticate. The server answers with UGFzc3dvcmQ6, which is Password: (Base64 encoded), and the spammer responds with the Base64-encoded password. If the server replies with Authentication successful, then the spammer is validated as an authorized user and can issue RCPT TO commands for wherever he wants.
Encoding to Base64 is left as an exercise for the reader.
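The exchange described above is exactly what an administrator sees in an SMTP protocol log, and it is the place to look for the account that is being abused. The following Python script is an added example, not part of the original article: it takes a constructed transcript of two AUTH LOGIN attempts (the sample text and the 535/235 reply wording are made up for illustration), decodes the Base64 prompts and responses, and summarizes which usernames failed and which succeeded, so that repeated guessing against one account stands out. The helper names are this example's own.

```python
import base64
from typing import Dict, List

# Constructed sample transcript (not a real capture). "S:" lines are the
# server, "C:" lines are the client. Attempt one tries admin/admin and fails;
# attempt two tries guest/guest and succeeds, as the text describes.
SAMPLE_TRANSCRIPT = """\
S: 220 mail.example.test ESMTP
C: EHLO spamhost.example.test
S: 250-mail.example.test
S: 250-AUTH=LOGIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWRtaW4=
S: 334 UGFzc3dvcmQ6
C: YWRtaW4=
S: 535 Authentication unsuccessful
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Z3Vlc3Q=
S: 334 UGFzc3dvcmQ6
C: Z3Vlc3Q=
S: 235 Authentication successful
C: MAIL FROM:<someone@example.test>
"""


def b64_encode(text: str) -> str:
    """Base64-encode text the way AUTH LOGIN carries its prompts and replies."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(token: str) -> str:
    """Decode one AUTH LOGIN token; return it unchanged if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return token


def _payload(line: str) -> str:
    """Strip the 'S: ' / 'C: ' transcript prefix."""
    return line.split(" ", 1)[1] if " " in line else ""


def parse_auth_login(transcript: str) -> List[Dict[str, object]]:
    """Extract every AUTH LOGIN attempt from a transcript and decode it."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    attempts: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        if lines[i].upper() == "C: AUTH LOGIN":
            # Expected shape: S: 334 <prompt>, C: <user>, S: 334 <prompt>, C: <pass>, S: <reply>
            window = lines[i + 1:i + 6]
            if len(window) < 5:
                break  # truncated log: stop rather than guess
            prompt1, user_tok, prompt2, pass_tok, reply = window
            reply_text = _payload(reply)
            attempts.append({
                "prompts": (
                    b64_decode(_payload(prompt1).split(" ", 1)[-1]),
                    b64_decode(_payload(prompt2).split(" ", 1)[-1]),
                ),
                "username": b64_decode(_payload(user_tok)),
                "password": b64_decode(_payload(pass_tok)),
                "reply": reply_text,
                # 235 is the SMTP success code for authentication
                "authenticated": reply_text.startswith("235"),
            })
            i += 6
        else:
            i += 1
    return attempts


def summarize_attempts(attempts: List[Dict[str, object]]) -> Dict[str, object]:
    """Count failures per username and list the accounts that let a login through."""
    failed_by_user: Dict[str, int] = {}
    successful_users: List[str] = []
    for a in attempts:
        user = str(a["username"])
        if a["authenticated"]:
            successful_users.append(user)
        else:
            failed_by_user[user] = failed_by_user.get(user, 0) + 1
    return {"failed_by_user": failed_by_user, "successful_users": successful_users}


if __name__ == "__main__":
    found = parse_auth_login(SAMPLE_TRANSCRIPT)
    for a in found:
        print(f"user={a['username']!r} prompts={a['prompts']} reply={a['reply']!r}")
    print(summarize_attempts(found))
```

Run against a real protocol log, the summary's successful_users entry names the account to reset or disable first, and a large failure count for one username is the signature of the guessing bots the text describes.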
How to Prevent Compromise
To protect your server, follow these steps:
Disable the guest account.
Remove or rename all default accounts or change the default passwords on any of these accounts that you keep.
Ensure that users select good passwords. In particular, ensure users do not use the same name or word for both the username and password, e.g., admin/admin. Make sure passwords such as password don't exist.
Review the list of the most common passwords at http://geodsoft.com/howto/password/common.htm. Set up a file that will not allow these passwords to be used or run a script that compares users' passwords to the list of common choices. Reset any that are easy to guess.
Check out Securityfocus.com to make sure you are not open to the Microsoft Exchange Server Buffer Overflow Vulnerability.
Ensure you are not a victim of the known null session exploit - see Bugtraq for details.
With all Microsoft Windows products, make sure you have installed all cumulative service packs and updates available on the Windows Update page.
Turn off authentication (SMTP AUTH) unless it is necessary that you have it enabled. Disabling SMTP AUTH will allow only mail originating inside your network (i.e., from authorized IP addresses) to be relayed. Microsoft Exchange 2000 and 2003 are being compromised often because these servers install a guest account and also default to SMTP AUTH enabled.
Microsoft provides good information on testing your server and logging events to find the account that is being compromised. (http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958)
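The steps above ask for an audit of default accounts and of passwords that match the username or appear on a common-password list. The script below is an added example, not code from the original article or from Microsoft: it audits a constructed set of accounts, flagging the default account names the text lists and testing each stored hash against the username, the empty string and a placeholder subset of common passwords. The salted SHA-256 used here is illustrative only; a real directory stores its own hash format, and the common-password list should come from the source the text links to rather than from this short constructed set.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Default account names called out in the text.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "test", "demo", "webmaster"}

# Constructed placeholder subset of a common-password list (the real list is far longer).
COMMON_PASSWORDS = {"password", "guest", "admin", "test", "demo", "123456", "letmein"}


def hash_password(password: str, salt: str) -> str:
    """Illustrative salted SHA-256; stands in for whatever the directory really stores."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def audit_account(username: str, salt: str, pw_hash: str) -> List[str]:
    """Return a list of findings for one account (empty list means nothing flagged)."""
    findings: List[str] = []
    if username.lower() in DEFAULT_ACCOUNTS:
        findings.append("default account present: remove, rename or disable it")

    # Candidates: the empty password, the username itself, and the common list.
    candidates = {"", username, username.lower()} | COMMON_PASSWORDS
    for cand in sorted(candidates):
        # compare_digest avoids a timing side channel when comparing hashes
        if hmac.compare_digest(hash_password(cand, salt), pw_hash):
            if cand == "":
                label = "empty password"
            elif cand.lower() == username.lower():
                label = "password same as username"
            else:
                label = f"common password {cand!r}"
            findings.append(f"weak password ({label}): force a reset")
            break
    return findings


def audit_accounts(accounts: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Audit (username, salt, hash) triples and map each username to its findings."""
    return {user: audit_account(user, salt, h) for user, salt, h in accounts}


# Constructed sample directory: hashes are generated here so the example runs offline.
SAMPLE_ACCOUNTS = [
    ("guest", "s1", hash_password("guest", "s1")),             # default account, guest/guest
    ("admin", "s2", hash_password("xR7!vq-LongExample", "s2")),  # default account, strong password
    ("jsmith", "s3", hash_password("password", "s3")),         # ordinary user, common password
    ("kchen", "s4", hash_password("correct-horse-battery-staple", "s4")),  # nothing to flag
]


if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{user}: {status}")
```

Because the check works from stored hashes rather than plaintext, it can be run by an administrator without ever seeing user passwords; any account that comes back with a finding is one of the "easy to guess" cases the text says to reset.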