An SMTP service installs by default as part of Windows 2000 server products, and can be selected for installation on Windows 2000 Professional. A vulnerability results because of a flaw in the authentication process used by the service. The vulnerability could allow an unauthorized user to successfully authenticate to the service using incorrect credentials. An attacker who exploited the vulnerability could gain user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.

A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-037.asp for information on obtaining this patch.