So I got a call from a client: “we can't send email to company XYZ - they say we're sending SPAM or something, can you please find out what's going on?” (well, they didn't quite say it like that, but I figured I should paraphrase a little for clarity).
OK - I knew they weren't an open relay but checked anyway (you know, telnet to port 25 and try to send mail through it, hoping to get the “unable to relay for...” message). Whew - no fingers had been meddling.
They'd been listed with SpamCop as a source of SPAM, so I kept digging. The anti-virus was up to date and functioning correctly, so there was little chance of the server and PCs being infected (we check the network every week to make sure, too). No flames please about bugs that bypass A/V - I'm summarising here for the masses.
Looking in the Exchange mail queues I could see HEAPS of messages waiting for delivery to domains I just knew they didn't really want to be talking to, so I figured there was something nasty going on. The SMTP virtual server settings were also correct in not allowing relaying through the server from any IPs, which confirmed my “not an open relay” check. Ahhh - there's that checkbox a little lower down that allows authenticated users to relay through the server.
Knowing this client as I do, and their fear of passwords, I guessed a spammer had managed to guess a valid domain username and password and was using this authenticated account to relay mail through the server - slippery little suckers, these guys.
I removed the tick, cleared out the mail queues and voila - the spam stopped. Now I just need to get them de-listed from SpamCop.
So, what's the moral here? First, it isn't really the checkbox on the SMTP virtual server (in Exchange it's the “Allow all computers which successfully authenticate to relay, regardless of the list above” option under Relay Restrictions) that turned them into a source of spam - it does exactly what it says. The weakness is users who won't protect their login accounts, and hence the network, with proper passwords (aka passphrases). Most mortals don't realise how easy it is to guess a user's login by hand, or by running through a list of common passwords (see a page full of common passwords here); once one account falls, the spammer has the “successful authentication” that checkbox trusts.
Removing the tick solves the problem for the moment, though it also stops any legitimate user who relays outbound mail through that server with SMTP authentication, so it's a stopgap while we go through the process of educating the users about why they really need to use passphrases instead of plain passwords, which are far too easily cracked.
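The two checks in this story, scripted as an added example that is not part of the original post: the open relay test (connect to port 25, MAIL FROM, RCPT TO an outside domain, expect “unable to relay”), and the authenticated relay that the checkbox turns on, run against a throwaway fake SMTP server that stands in for the Exchange virtual server. The hostnames, the account, its password and the little wordlist are all made up for the demo, and the fake server has no account lockout, which is what makes the online guessing shown here cheap. Run it with the checkbox on and off to see the difference removing the tick makes.

```python
"""Added example (not from the original post): the open relay test and the
authenticated relay abuse, run against a stand-in for an Exchange SMTP
virtual server.  Hostnames, account, password and wordlist are constructed."""
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "client.example"                        # the server accepts mail for this
ACCOUNTS = {"bob@client.example": "spike2001"}         # constructed: dog's name + year
COMMON_PASSWORDS = ["password", "letmein", "welcome1", "spike2001", "123456"]  # constructed


class FakeExchange(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer EHLO, AUTH PLAIN, MAIL, RCPT and QUIT."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        authed = False
        self.reply("220 mail.client.example ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.reply("250-mail.client.example")
                self.reply("250 AUTH PLAIN")
            elif cmd == "AUTH":
                # smtplib sends "AUTH PLAIN <base64(\0user\0password)>" on one line
                mech, _, blob = arg.partition(" ")
                try:
                    _, user, password = base64.b64decode(blob).decode().split("\0")
                except ValueError:
                    self.reply("501 Syntax error")
                    continue
                if mech.upper() == "PLAIN" and ACCOUNTS.get(user) == password:
                    authed = True
                    self.reply("235 Authentication successful")
                else:
                    self.reply("535 Authentication failed")
            elif cmd == "MAIL":
                self.reply("250 OK")
            elif cmd == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip("<> ")
                domain = rcpt.rpartition("@")[2].lower()
                # Relay decision: local domain always; anything else only for an
                # authenticated session, and only while the checkbox is ticked.
                if domain == LOCAL_DOMAIN or (authed and self.server.allow_auth_relay):
                    self.reply("250 OK")
                else:
                    self.reply("550 5.7.1 Unable to relay for " + rcpt)
            elif cmd == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command not recognised")


def start_server(allow_auth_relay=True):
    """Start the fake server on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeExchange)
    server.allow_auth_relay = allow_auth_relay          # the Exchange checkbox
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def relay_attempt(host, port, rcpt, user=None, password=None):
    """The telnet test, scripted: return the RCPT TO reply code (550 refused, 250 relayed)."""
    with smtplib.SMTP(host, port, local_hostname="tester") as smtp:
        smtp.ehlo()
        if user is not None:
            smtp.login(user, password)
        smtp.mail("spammer@evil.example")
        code, _ = smtp.rcpt(rcpt)
        return code


def guess_password(host, port, user, wordlist):
    """Online guessing over AUTH PLAIN: return the first password accepted, else None."""
    for candidate in wordlist:
        with smtplib.SMTP(host, port, local_hostname="tester") as smtp:
            smtp.ehlo()
            try:
                smtp.login(user, candidate)
                return candidate
            except smtplib.SMTPAuthenticationError:
                continue
    return None


def run_demo(allow_auth_relay=True):
    """Run the three checks against a fresh server and return the outcomes."""
    server, port = start_server(allow_auth_relay)
    try:
        result = {"open_relay": relay_attempt("127.0.0.1", port, "victim@other.example")}
        result["guessed"] = guess_password("127.0.0.1", port, "bob@client.example", COMMON_PASSWORDS)
        result["auth_relay"] = None
        if result["guessed"]:
            result["auth_relay"] = relay_attempt("127.0.0.1", port, "victim@other.example",
                                                 "bob@client.example", result["guessed"])
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("checkbox ticked: ", run_demo(True))    # open_relay 550, guessed spike2001, auth_relay 250
    print("checkbox cleared:", run_demo(False))   # auth_relay is now 550 as well
```

Pointed at a real server on port 25, relay_attempt is the same test the post describes doing by hand, and guess_password is what the spammer did, so only ever run the latter against a server you are authorised to test. The fake server never locks the account; on a real domain the lockout policy decides how slowly guessing has to go, which is why strong passphrases and lockout belong together.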
And “what's a passphrase?” I hear you ask. Instead of using a single word for your “security” - your dog's name, your birthdate or similar - use a phrase that mixes upper and lower case letters, numbers and even punctuation, so your login is much more secure but still easy to remember. If your dog's name is Spike and you got him in 2001, you could use something like “I got Spike in 2001 and hes really cool :)” (make up your own, of course; a phrase that has been published, this one included, is no longer a secret). Simple to remember, very hard to guess, and if someone happens to be “shoulder surfing” while you type it in (which I really don't like, and is very bad etiquette) they'll find it difficult to follow and remember.
Simple, isn't it? Don't wait until you get hacked to start practising safe logins - start today, right now in fact. It can be as easy as Ctrl-Alt-Del, Change Password and away you go. Go on, give it a go - you'll be glad you did.
If you can come up with a reason not to start using passphrases, please let me know - I can't think of one!
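To put numbers on “a word is easy, a sentence is hard”, here is a small guessability check, added here as an example and not part of the original post, that you could put in front of Change Password. It runs the post's two candidates, the dog's name plus year and the sentence, through a common-word check and a naive keyspace estimate. COMMON is a tiny constructed stand-in for a real common or breached-password list, and the bits figure treats every character as independent, so it flatters an English sentence; the dictionary check and the length are the parts that matter.

```python
"""Added example (not from the original post): a guessability check for login
secrets.  COMMON is a constructed stand-in for a real common-password list."""
import math
import re

COMMON = {"password", "letmein", "welcome", "qwerty", "123456", "spike"}  # constructed


def base_word(secret):
    """Peel off the digits/punctuation people bolt on: 'Spike2001!' -> 'spike'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", secret).lower()


def naive_bits(secret):
    """Keyspace in bits if each character were drawn uniformly from the classes used.
    Overstates real strength (especially for prose) but is fine for comparing two
    candidates, which is all it is used for here."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33))
    pool = sum(size for pattern, size in classes if re.search(pattern, secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def assess(secret, min_len=16):
    """Return (accepted, reasons, naive_bits) for a candidate login secret."""
    reasons = []
    if secret.lower() in COMMON or base_word(secret) in COMMON:
        reasons.append("a common word, with or without digits/punctuation tacked on")
    if len(secret) < min_len:
        reasons.append("shorter than %d characters; use a sentence, not a word" % min_len)
    return not reasons, reasons, round(naive_bits(secret), 1)


if __name__ == "__main__":
    for candidate in ("Spike2001", "I got Spike in 2001 and hes really cool :)"):
        print(repr(candidate), assess(candidate))
```

The first candidate fails twice: stripping the year leaves “spike”, which is on the list, and nine characters is too short to matter. The sentence passes both checks, and its naive estimate is several times the word's, which is the gap between something a list of common passwords finds in seconds and something it never finds.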