A Windows 2000/Exchange 2000 server is set to send all mail that it can't resolve from its own address books to a "smart hub". This worked fine till http://www.microsoft.com/technet/security/bulletin/MS02-025.asp was installed, then failed.

Mail sent outside our organisation still goes, but mail sent to addresses in our local domain is rejected. They should be sent to the hub, because there are other mail users in the domain who do not use Exchange. It worked until MS02-025 was installed, then failed, then started working again when the patch was backed out.

A non-deliverable report (NDR) was returned to the originator with code 5.1.1.

According to http://support.microsoft.com/default.aspx?scid=kb;EN-US;q284204 5.1.1 can mean either "The e-mail account does not exist at the organization this message was sent to" *or* "Also, if you configured your SMTP contact with invalid SMTP RFC821 chars, the categorizer will reject the delivery with this diagnostic code."

It seems that the categorizer is rejecting messages.

MS02-025 says "The patch eliminates the vulnerability by ensuring that the Exchange 2000 Store immediately rejects messages with malformed attributes."

On the face of it, it seems that Exchange 2000 may now be rejecting valid messages originating from users at that Exchange server.

It does not say which malformed attributes are being rejected, nor what message is sent back to the originator of the message, nor what, if any, notification is made to the administrators of the server.

(If it is in fact the case that the originator gets an NDR but there is no explicit notification to the admins then that itself is a security flaw if the message is correctly rejected because it tells the attacker what level of security is in place but does not alert the defenders.)

Ken Brown
Birkbeck College
London University
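
The gap raised at the end of the post, an NDR going to the originator with no alert to administrators, can be narrowed by scanning copies of NDRs for 5.1.1 failures against local-domain recipients. This is an added example, not part of the original post or of any Microsoft tooling; it assumes the NDR is an RFC 3464 delivery-status report, and the domain, addresses and sample message are constructed placeholders.

```python
import email

LOCAL_DOMAIN = "example.ac.uk"  # assumption: placeholder for the organisation's own domain

# Constructed sample NDR in RFC 3464 layout (not captured from a real server).
SAMPLE_NDR = """\
From: postmaster@example.ac.uk
To: sender@example.ac.uk
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; exch.example.ac.uk

Final-Recipient: rfc822; colleague@example.ac.uk
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; someone@elsewhere.example
Action: failed
Status: 5.4.0

--b1--
"""

def failed_local_recipients(raw, local_domain, status="5.1.1"):
    """Return local-domain recipients that the NDR reports with the given status."""
    hits = []
    for part in email.message_from_string(raw).walk():
        # The parser exposes message/delivery-status as a list of header blocks.
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        for block in part.get_payload():
            final = block.get("Final-Recipient")
            if final is None:  # per-message block (Reporting-MTA etc.), no recipient
                continue
            addr = final.split(";", 1)[-1].strip().lower()
            code = block.get("Status", "").strip()
            if code == status and addr.endswith("@" + local_domain.lower()):
                hits.append(addr)
    return hits
```

A non-empty result for mail that should have been relayed to the smart hub is the signal worth forwarding to the server's administrators.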