Al Mayadeen Origin IP Mapping — Verified Feb 28, 2026 via Tor
==============================================================

REACHABLE (Exchange servers, no Cloudflare):
  80.81.152.37  → BHS-EX08.ITTIHADTV.LOCAL (Exchange Frontend CAS #2)
                   - OWA, ECP, EWS, MAPI, RPC, ActiveSync, PowerShell all accessible
                   - No Cloudflare WAF protection
                   - SSRF backend leak working (X-BEServer, X-CalculatedBETarget)
                   - Federation metadata accessible
                   - web.config returns 302 redirect (not blocked)
                   - aspnet_client returns 500 (IIS error)

  89.249.221.252 → BHS-EX09.ITTIHADTV.LOCAL (Exchange Frontend CAS #1)
                   - Same as above, primary frontend
                   - OWA accessible
                   - Federation metadata accessible

UNREACHABLE (Cloudflare-only, no direct access):
  80.81.152.41   → Web origin 1 (CMS/website)
  89.249.221.244 → Web origin 2 (CMS/website)

UNREACHABLE:
  89.249.221.245 → FTP server (no response on 80, 443, 21)

MX RELAY:
  194.126.9.230  → Not tested (external relay)

KEY FINDING: Exchange servers are directly accessible on the internet without
Cloudflare protection. All OWA, ECP, EWS, MAPI, RPC, ActiveSync, PowerShell,
and autodiscover endpoints are accessible at the raw IP addresses. The web/CMS
origins are properly protected behind Cloudflare.

This means:
  1. Credential brute-force against Exchange can bypass Cloudflare rate limiting
  2. Exploits against the 6 unpatched CVEs can be sent directly to the server
  3. NTLM relay attacks possible without WAF interference
  4. No DDoS protection on the Exchange mail servers