One of the Xtra users identified early this year in the net-abuse newsgroup as a channel for spam was Auckland-based steel and tube maker Faulkner Collins.
Accountant Carolyn Wright, who runs the company’s IT in cooperation with outside consultants, confirms the company had an open relay last year. This was closed by staff from Auckland’s Intersol, but mysteriously re-opened at the beginning of this year.
On the second occasion, the company got a call from Xtra, Wright says, and brought in Intersol to close the relay off again. Neither Wright nor the individual consultant who handled the job, Jason Beale, can account for the reopening of the relay. “I suppose they [spammers] found a different way of attacking it,” says Beale’s colleague Wayne Clifford.
The two suggest that perhaps CodeRed or a similar infection “opened a back door”, though Faulkner Collins runs virus checkers regularly, or, alternatively, that the server was somehow reset to permit relay again as a side-effect of the application of a service pack to Microsoft Exchange.
The version of Exchange that Faulkner Collins uses is not the more secure 5.5, says Clifford, and they should upgrade to that version, which has “more powerful antispam tools”. The latest version, Exchange 2000, is claimed to be a further improvement on 5.5 on the security front.
Microsoft NZ Windows platform product manager Jay Templeton says the antispam relay feature was introduced in Exchange 5.5 service pack 1.
There is a workaround to enable Exchange 5.0 users to protect themselves, he adds. This is described in the Microsoft bulletin “How to Stop Spam Mail Messages from Using IMS Relay Agent (Q199656)”.
The application of the service pack would “not usually” result in the reopening of a relay, says Templeton. Occurrences like this are “usually the result of a process issue”, he says, and there is an audit feature that will enable Faulkner Collins to track whether this was the case.