SN 916: Microsoft's Email Extortion

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Thanks for the heads-up on the Exchange “blackmail”. That will cause some fun!

Exchange runs best under the motto “never change a running system”; often, patching Exchange has caused more problems than leaving it unpatched and hoping that you don’t get hacked. Corrupt databases, multiple rollbacks or borked systems were not uncommon in the past, so admins pushed out updates as far as they could, so the business could continue uninterrupted.

From the show notes, regarding Microsoft blocking old unpatched Exchange servers:

I cannot think of a precedent for this in our industry

These might not be perfect examples, but this reminds me of how browsers and web servers block old versions of TLS to keep the user more secure. If you use a device with an old browser, you can’t connect to most websites with modern versions of TLS.

Also, Google disallows signing in from very old versions of Android, where you might also argue “I paid for the phone and now I can’t use it”.
https://support.google.com/android/thread/118703101/sign-in-on-android-devices-running-android-2-3-7-or-lower-will-not-be-allowed-starting-september-27?hl=en

Old versions of iOS too, as I found out recently setting up an iPad 2 for someone.

I remember when WannaCry hit (2017?) and a new CIO demanded every single platform was to be patched to the latest level by the end of the week. Chaos. We had teams running 24/7 on it. We didn’t get it done by the end of the week :roll_eyes:

1 Like

I’m not sure if Steve, or anyone else, has pointed this out, but an outdated or unpatched mail server, or, for that matter, a server of any kind, is a risk. I know that much is obvious, but the danger here is that an attacker can exploit a flaw, jump in, and use it to spew spam/malware. So, in this case, Microsoft probably did the right thing, and not to defend them, but it has the potential to affect not just the organization running the outdated server.
Although, saying that, I would expect a mail server to be running behind a firewall and spam filtering system.

1 Like

The problem is, you are damned if you update, damned if you don’t update.

Often, applying a Microsoft patch to Exchange will cripple it, and you will spend days trying to get it working again, which is why people tend to only update when there is no other option. Microsoft are their own worst enemy, when it comes to Exchange.

2 Likes

Microsoft presumably can control what inputs the CURRENT version of the software will accept. (Obvious because they’re proposing to limit what it will accept.) Rather than spending their energy coming up with restrictions on who they will accept email from (so-called out-of-patch servers’ users), they should be spending all their energy blocking unacceptable content (the emails themselves). If none/few of the emails pose a problem (as is likely the case), then there would be blockage and no upset mail server owners. If a large proportion of problem emails are coming from a certain subset of servers, then maybe it would be wise to block those servers in any case. (More likely, it would be smarter to filter such emails of any attachments and links but still let the email through with an attached warning about the filtering, and of course maybe even take them for delivery directly to a spam folder.)

1 Like

I think we’ve been missing the point of this move – these old unpatched servers are spewing phishing and spam messages that put everybody at risk. Either they have been hacked (they are unpatched!) or they are actively spamming/phishing.

Roughly 90% of breaches start with phishing – blocking phishing is a top priority for most organizations. One inattentive user can compromise the whole organization. Even expensive enterprise-level email defense systems let some bad messages get through. Blocking these low-quality senders is a reasonable heuristic for phishing protection.

1 Like

What basis do you have to believe that? I presume the server admin would take action if his/her server is attacked. It’s much more likely these are small servers locked in a small company firewall, serving a small number of corporate users, and it’s all going swimmingly and there is no indication they need to spend any further money to have what they view as a working email server.

2 Likes

No, there is a possibility that they are infected, that isn’t a given.

Without seeing Microsoft’s data we can only speculate. The practical (cynical) cybersecurity approach is to assume bad intent and/or compromise of these senders. There are probably a few cases where a beleaguered server admin doesn’t have the budget to upgrade and patch their servers. Sorry guys - contact us and we’ll whitelist you.

Why so cynical? My company gets about 500K malicious messages daily (phishing, spam/gray-mail/etc.). Given the disproportionate risk of one of 100K+ employees engaging with phishing and compromising the network, it is prudent to block first. (For us this means routing questionable messages to junk and deleting malicious.) You can always unblock if someone complains.

I don’t manage the email security systems but I work with the people who do. They block aggressively. Again speculation, but I expect Microsoft has calculated the risk/benefit and has made a similar decision.

The practical cybersecurity approach is to scan the incoming mail for malware or phishing and, if it is, block it; if it is coming in bulk or from multiple addresses on a domain, you blacklist the domain. It can just as easily come from an open source mail server, Yahoo, GMX etc.

Or you go in the other direction, you reject all mail on first contact and get the sender to send again, to confirm they aren’t a bot, or to respond to a specific address to get cleared.

There are many lists out there which contain bad servers. They are all generated by the actions of those servers, not based on what those servers are running.

We use several layers of blocking (hoster blacklists, local blacklists, AV on the mail server and AV on the clients), but, unless the sender domain or address is a known phishing one, we don’t block them.
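An added example (not from this thread or any poster) of the two rules described in the post above: greylisting on first contact, and blacklisting a domain once several of its addresses have sent mail that the content scan flagged. Pure in-memory Python; the thresholds, the `flagged` input (the verdict of an external malware/phishing scanner) and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 300        # seconds: a retry sooner than this is still deferred
GREYLIST_WINDOW = 4 * 3600   # seconds: a deferred triplet must retry within this
BULK_THRESHOLD = 3           # distinct flagged senders per domain before blocking it

@dataclass
class InboundPolicy:
    """Per-connection SMTP decision: REJECT (5xx), TEMPFAIL (4xx) or ACCEPT."""
    first_seen: dict = field(default_factory=dict)       # triplet -> first attempt time
    allowed: set = field(default_factory=set)            # triplets that retried correctly
    blocked_domains: set = field(default_factory=set)    # domains blacklisted for bulk abuse
    flagged_senders: dict = field(default_factory=dict)  # domain -> flagged addresses

    def decide(self, client_ip, mail_from, rcpt_to, now, flagged=False):
        sender = mail_from.lower()
        domain = sender.rsplit("@", 1)[-1]
        if domain in self.blocked_domains:
            return "REJECT"
        if flagged:
            # Scanner says malware/phishing: block this message, and once several
            # distinct addresses on the same domain have been flagged, the domain.
            self.flagged_senders.setdefault(domain, set()).add(sender)
            if len(self.flagged_senders[domain]) >= BULK_THRESHOLD:
                self.blocked_domains.add(domain)
            return "REJECT"
        # Greylisting: defer the first contact for (client IP, sender, recipient);
        # a real MTA queues and retries, most spam cannons do not.
        triplet = (client_ip, sender, rcpt_to.lower())
        if triplet in self.allowed:
            return "ACCEPT"
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now
            return "TEMPFAIL"
        elapsed = now - first
        if elapsed < MIN_RETRY_DELAY:
            return "TEMPFAIL"                 # retried too quickly: keep deferring
        if elapsed > GREYLIST_WINDOW:
            self.first_seen[triplet] = now    # stale entry: start the cycle over
            return "TEMPFAIL"
        self.allowed.add(triplet)             # correct retry: remember and accept
        del self.first_seen[triplet]
        return "ACCEPT"
```

Once a triplet has passed, later mail for it is accepted immediately; only the first contact pays the delay.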

It seems there is some confusion about what this announcement really means. There is a longer explanation by Tony Redmond here but the short version is “Servers that do not handle the transmission of email to Exchange Online via an inbound connector are unaffected.” If your old Exchange server is sending E-Mail via SMTP to Exchange Online you are fine.