It’s 8:30 A.M. You’ve finished booting up your machine and you’re preparing for the day ahead. Your boss suddenly storms in with an infuriated look on his face. “Insert Your Name Here, we’ve got a big problem! Someone is e-mailing pornographic spam from our company. An offended customer e-mailed us with a copy of the spam and is threatening legal action unless we take care of it IMMEDIATELY! How did this happen? I want the employee responsible found and brought to my attention!” He throws down a copy of the e-mail on your desk and walks out even more upset than when he first came in. You look at the header of the e-mail and notice that the originating e-mail address is not someone at your company but an outside source. Inside the header, you also find your Exchange server listed. You realize you are the victim of mail relaying.
What is mail relaying?
Mail relaying is essentially when someone connects to port 25 (SMTP) on your Exchange Server and uses it to send his or her spam. Mail relaying not only uses up the resources of your already-busy Exchange Server but also makes it nearly impossible for those who receive the spam to unsubscribe. On top of that, you appear to be the offending source of the spam because your mail server name is more prominent than the spammer’s originating e-mail address, which is hidden deep within the header.
This mail relay ability is available by default on any Exchange Server installation. For some organizations, it’s a useful function and can help them streamline the performance of their mail servers. But for others, it may be unnecessary, just offering an open hole for a spammer.
To determine whether you’re open to relaying, follow these steps:
- Open the command prompt.
- Type telnet YOUR EXCHANGE SERVER 25
Example: telnet exchange 25
The Exchange Server should respond with a banner similar to this:
220 exchangeservername.yourdomain.com ESMTP Server <Microsoft Exchange Internet Mail Service 5.5.2650.21> ready
When you type the commands below, please note that the text you type will not be echoed on screen, so type slowly to ensure accuracy.
- Type MAIL FROM: email@example.com
The server should come back with
250 OK
- Type RCPT TO: firstname.lastname@example.org
The server’s response should be
550 Relaying is prohibited
If it instead shows
250 OK – Recipient <email@example.com>
you are open to relaying.
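The same banner / MAIL FROM / RCPT TO dialogue as a script, added here as an example (it is not from the article), for auditing a server you administer and for re-running the test after you change the routing restrictions. The addresses, the HELO step (which the manual test skips but many servers require before MAIL FROM) and the helper names are assumptions of this example.

```python
import socket

# Constructed addresses: both must lie outside the domains the server accepts
# mail for, or RCPT TO is legitimately accepted and the check proves nothing.
SENDER = "relaycheck@example.com"
RECIPIENT = "someone@example.org"

def read_reply(readline):
    """Consume one SMTP reply, skipping 250-... continuation lines; return its code."""
    while True:
        line = readline().rstrip("\r\n")
        if not line:
            return -1                      # connection closed mid-reply
        if line[:3].isdigit() and line[3:4] != "-":
            return int(line[:3])           # final line: code followed by a space

def relay_dialogue(writeline, readline):
    """Replay the article's test (plus HELO) and return the code given to RCPT TO."""
    if read_reply(readline) != 220:        # banner
        return -1
    for cmd in ("HELO relaycheck.example", f"MAIL FROM:<{SENDER}>"):
        writeline(cmd)
        if read_reply(readline) != 250:
            return -1                      # refused before the real test
    writeline(f"RCPT TO:<{RECIPIENT}>")
    code = read_reply(readline)
    writeline("QUIT")
    return code

def verdict(code):
    """Map the RCPT TO code to the article's two outcomes."""
    if code == 250:
        return "OPEN RELAY"                # outside recipient accepted for outside sender
    if 500 <= code <= 599:
        return "relaying prohibited"       # 550 on Exchange 5.5; any 5xx refusal
    return "inconclusive"

def run_scripted(replies):
    """Drive the dialogue against canned reply lines (no network); returns (verdict, sent)."""
    sent, lines = [], iter(replies)
    code = relay_dialogue(sent.append, lambda: next(lines, ""))
    return verdict(code), sent

def check_server(host, port=25, timeout=15):
    """Run the dialogue against a mail server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        send = lambda cmd: sock.sendall((cmd + "\r\n").encode("ascii"))
        return verdict(relay_dialogue(send, reader.readline))
```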
Keeping out the spam
So, let’s say you’ve determined that you’re susceptible to relaying—how do you turn it off? If you’re running Exchange 5.5 with Service Pack 2, you’re in luck. There are steps to correct the problem. If you’re running an earlier version, it is time to install or upgrade to 5.5 with SP2. There is no way to close this hole in previous versions.
For those of you with Exchange 5.5/SP2, there is an informative article on Microsoft’s TechNet Exchange site. The only problem is that the article doesn’t tell you what to do if you want to stop relaying but still allow POP3 e-mail users. If you follow the instructions to the letter, you’ll find that your POP3 users will no longer be able to send e-mail externally. It will bounce back to them, even if they’re authenticated.
To avoid the POP3 problem, be sure to select the Hosts And Clients That Successfully Authenticate box in the routing restrictions settings. After you change the settings, you’ll be required to stop and restart the Internet Mail Connector for the changes to take effect. Run the mail relay test again, and you should see the message
550 Relaying is prohibited
Keep in mind that an ingenious spammer can still hack in to learn one of your account names and passwords to relay messages. In that case, you’ll have to decide, along with the powers that be, whether POP3 is really necessary. If it is, you’ll need to keep up with all the IP addresses that are allowed to access the server.
Do not get on the list
What can mail relaying do to you besides hijack your server? Well, it can get you blacklisted. There are organizations out there that are actively trying to stop spammers. They compile lists of spammers, as well as servers that are open to relaying. The groups offer the lists for download (often for free) by mail system administrators wanting to avoid spam.
Those who have been blacklisted find themselves unable to send mail to people they were previously able to e-mail. They may also find that when sending mail to servers that use this service, they receive messages telling them that any mail from their domain is no longer accepted due to their listing on those services. Once you’re blacklisted, the only way to get your server off the list is for you to prohibit relaying and then submit to the blacklisting organizations that you no longer allow it. They will test your server and clear you once you’ve proved that relaying is no longer available. Your full clearance may take a few days so all subscriber DNS databases have time to refresh the data. You either stop the relaying or you live with not being able to e-mail some people.
If you’re interested in these services, want to know more about mail relaying, or would like to know where to go to get unblocked, the following URLs may help. Note that I’m providing them for reference only. Since some of the practices of these organizations are controversial, please understand that neither I nor TechRepublic endorses or condemns them.
- Network Abuse Clearinghouse
- UC Davis Mail Relay Resources
- Mail Abuse Prevention System (MAPS)
- MAPS Relay Spam Stopper
- MAPS Relay Stopping Techniques
- MailShield
E-mail relaying is a real problem. It can have a wide range of effects, from a server that is brought to its knees to blacklisting to lawsuits against your company. Take it seriously and address it like you would any other issue with Exchange. Hopefully, this information, along with the information you might find on the above Web sites, will allow you to make an informed decision and implement some effective practices.