Open mail relays—e-mail servers that allow third-party
transmission of messages—are a significant contributing factor to the volume of
unsolicited e-mail currently flying around the Internet. Spammers send millions
of junk e-mail messages daily, and open mail relays make the process easier.
However, most companies are unaware that spammers are taking
advantage of the organization’s e-mail servers for such nefarious purposes. Depending
on the version of Exchange server that your organization is running, you might
be vulnerable to mail relaying. Let’s look at how you can find out.
Defining the problem
Mail relaying occurs when e-mail sent from one server routes
to an intermediate e-mail server, which then delivers it to the recipient’s e-mail
server. But there are, in fact, legitimate uses for a mail relay.
For example, you might have an e-mail server that serves as
your Internet bridge server. That server receives e-mail from the Internet and
distributes it to a cluster of internal e-mail servers.
However, spammers who want to disguise the point of origin
for their spam messages will route their junk e-mail through a mail relay to
confuse the recipient. Seeing an e-mail from a legitimate address can easily
dupe users into thinking the message is worthy of attention.
Checking your vulnerability
You can check your organization’s Exchange servers to
determine whether they’re vulnerable to mail relay. The best way to do so is
using a workstation from outside the company’s network.
To check your servers, you need to know the fully qualified
domain name (FQDN) for your e-mail server. If you don’t know the FQDN, you can
find it rather easily. Follow these steps:
- Go to Start | Run, type cmd, and click OK.
- At the command prompt, type nslookup, and press [Enter].
- Type set type=mx, and press [Enter].
- Type the domain name of your organization (e.g., techrepublic.com).
The results will show an MX preference that lists the
name(s) of the Exchange server.
To determine whether your Exchange servers are vulnerable to
open relays, follow these steps:
- Go to Start | Run, type telnet, and click OK.
- At the Telnet command prompt, type set localecho, and press [Enter].
- Type open <name.of.exchange.server> 25, replacing <name.of.exchange.server> with the FQDN of the Exchange server. 25 signifies the port you want to connect to. (TCP/IP port 25 is for SMTP.)
Your telnet console should return a result that looks something
like the following. (The Version will vary, depending on the version of your
Exchange server.)
220 <name.of.exchange.server> Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at –date- -0500
- Next, type ehlo <anotherdomain.com>, replacing <anotherdomain.com> with any domain except your own, and press [Enter].
This will return some output, and the last line of the
result should be:
250 OK
- Type mail from:<youremailaddress@anotherdomain.com>, replacing youremailaddress@anotherdomain.com with a valid e-mail address, and press [Enter].
This will return some more output, and the last line of the
result should say:
250 2.1.0 youremailaddress@anotherdomain.com...Sender OK
- Type rcpt to:hacker@spammail.com, and press [Enter].
If you see the following result, you have an open relay and
need to take action.
250 2.1.5 hacker@spammail.com
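The same EHLO / MAIL FROM / RCPT TO probe, automated so it can be repeated against each of your own servers from outside the network. This is an added example, not the article's own code; the host names, addresses and server transcripts in it are assumptions, and `classify_transcript` replays canned replies so the decision logic can be exercised offline while `probe_server` performs the live check over TCP/25.

```python
import io
import socket
# Added example (not from the article): the EHLO / MAIL FROM / RCPT TO probe from the
# telnet walk-through, automated for auditing your own server. It stops before DATA and
# sends RSET/QUIT, so nothing is relayed. Host names and addresses are assumptions.
def read_reply(rfile):
    """Read one SMTP reply, joining '250-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # '250 OK' (or bare '250') ends the reply
            return int(line[:3]), lines

def relay_test(rfile, wfile, helo_domain, sender, recipient):
    """Drive the probe over an open connection and classify the RCPT TO verdict."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
    code, _ = read_reply(rfile)               # 220 banner
    if code != 220:
        return f"error:banner {code}"
    for stage, cmd in (("ehlo", f"EHLO {helo_domain}"), ("mail", f"MAIL FROM:<{sender}>")):
        send(cmd)
        code, _ = read_reply(rfile)
        if code != 250:
            return f"error:{stage} {code}"
    send(f"RCPT TO:<{recipient}>")
    code, _ = read_reply(rfile)
    send("RSET"); send("QUIT")                # back out cleanly: never reach DATA
    if code == 250:                           # the '250 2.1.5 ...' result in the article
        return "open-relay"
    return "relay-refused" if 500 <= code < 600 else f"error:rcpt {code}"

def probe_server(fqdn, helo_domain, sender, recipient, port=25, timeout=10):
    """Run the probe against a live host over TCP/25 and return the verdict."""
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        return relay_test(sock.makefile("rb"), sock.makefile("wb"), helo_domain, sender, recipient)
# Constructed server transcripts (not captured from a real server) so the logic runs offline.
BANNER_TO_MAIL = (b"220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"
                  b"250-mail.example.test Hello [198.51.100.7]\r\n250-SIZE\r\n250 OK\r\n"
                  b"250 2.1.0 auditor@otherdomain.test....Sender OK\r\n")
OPEN_RELAY = BANNER_TO_MAIL + b"250 2.1.5 relaytest@thirdparty.test\r\n"
CLOSED_RELAY = BANNER_TO_MAIL + b"550 5.7.1 Unable to relay for relaytest@thirdparty.test\r\n"
def classify_transcript(transcript):
    return relay_test(io.BytesIO(transcript), io.BytesIO(), "otherdomain.test",
                      "auditor@otherdomain.test", "relaytest@thirdparty.test")
```

Because the probe never issues DATA, nothing is delivered even when the server reports an open relay; a 250 to RCPT TO is all the evidence needed.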
Stopping the relay
If you discover that your organization has an open relay,
you need to stop it. To stop open relaying on the Default SMTP Virtual Server,
follow these steps:
- Go to Start | All Programs | Microsoft Exchange | Exchange System Manager.
- Expand Servers, expand <Servername> (the name of your Exchange server), expand Protocols, and expand SMTP.
- Right-click Default SMTP Virtual Server, and select Properties.
- On the Access tab, click the Relay button at the bottom.
- Select the Only The List Below check box, and remove any entries in the list that aren’t a part of your business network.
- Select the Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above check box.
- Close all dialog boxes.
Your Exchange server will now only relay mail for
authenticated computers and computers that you have specifically allowed.
Final thoughts
Exchange Server 2003 disables open mail relay by default, and
unless you’ve made some major changes to its SMTP configuration, your Exchange
Server should still have relaying disabled.
However, if you suspect that your server is vulnerable to
mail relaying, it’s worth checking out. Make sure your organization is part of
the security solution—and not part of the problem.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.