is the end of smtp-auth near?

When securing a mail server against relaying, a commonly used method to allow authorized users from outside the server's network to use it is SMTP-AUTH. This allows web hosts and ISPs to provide an SMTP server for their remote or travelling users to use and it is secured by username and password.
Lately, there have been reports of servers (especially Exchange) being used as relays even though they were secured. The compromise appears to be via weak passwords and the spammer is trying common default and/or simple username/password combinations to send mail as an authorized user.
Disabling default accounts should be part of any server hardening. But, what about end users with weak passwords? Many email servers don't have a facility to enable strong passwords and even those that do are typically disabled due to the support headaches it causes. Are we finally getting to where you will have to relay your mail through the ISP you connect through?
Oh, and does anyone still doubt spammers are criminals?

This entry was written by Chris Scott, posted on October 10, 2003 at 4:47 pm, filed under (In)Security, Spam. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never shared. Required fields are marked *

*
*