If your SMTP server accepts incoming TCP connections from the Internet, it can be used by spammers as a mail relay engine. They can distribute their messages (spam) all over the world using your server as an open relay.
To test for open relay, telnet into your mail server on port 25, e.g. telnet 192.168.1.1 25. It takes a bit of getting used to, as the keystrokes are not echoed back to you (see the note at the bottom). If you get it wrong, the server will spit at you. Server responses carry a three-digit reply code; everything else is your input.
220 mail.Yourserver.net Microsoft ESMTP MAIL Service, Version: 5.0.219 5.4905 ready at Thu, 30 May 2002 21:26:22 +1200
HELO
250 mail.Yourserver.net Hello [192.168.1.2]
MAIL FROM:test@test.com
250 2.1.0 test@test.com....Sender OK
RCPT TO:someone@somewhere.com
250 2.1.5 someone@somewhere.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
From: whoever@wherever.com (Name)
To: someone@somewhere.com
Subject: Whatever
Reply-To: whoever@wherever.com
Your message....
.
250 2.6.0 Queued mail for delivery
QUIT
221 2.0.0 mail.Yourserver.net Service closing transmission channel
Connection to host lost.
And there you go, you've just sent an anonymous e-mail using open relay.
Some systems require you to enclose e-mail addresses in < >.
If you get a message similar to the one below after typing the RCPT TO: address:
550 5.7.1 Unable to relay for someone@somewhere.com
then the mail server does not allow open relay and won't forward spam all over the net.
You could try to encapsulate commands to fool unpatched servers with the following command:
RCPT TO: IMCEASMTP-test+40test+2Whoever@wherever.com
Some tricks that you might want to try:
- Use a blank or null From address
- Replace the @ with a % sign e.g.: RCPT TO:someone%somewhere.com
- Use IP addresses of local Server, MAIL FROM:whoever@192.168.1.1
- Encapsulate the address in quotations, MAIL FROM: whoever@192.168.1.1
You can try to make a POST request via a proxy server:
POST http://victim:25/ HTTP/1.1
Host: victim
(empty line)
HELO spammer
MAIL FROM: <..>
RCPT TO: <..>
DATA
spam
.
The SMTP server will most likely complain about unsupported SMTP commands "POST", "Host:", "X-Forwarded-For" and so on, but many will just silently accept the junk mail after these commands.
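On the defending side, the reply codes and address forms described above can be looked for in recorded SMTP sessions. The following Python function is an added example, not part of the original article: it labels one session transcript, assuming lines are prefixed "C: " (client) or "S: " (server) and that the set of local domains is supplied by the administrator. The function name, the labels and the sample sessions are constructed for illustration.

```python
import re
HTTP_TOKENS = ("POST ", "GET ", "CONNECT ", "HOST:", "X-FORWARDED-FOR:")

def audit_session(transcript, local_domains):
    """Label one SMTP session; lines are prefixed "C: " (client) or "S: " (server)."""
    findings, external_rcpt, in_data = set(), None, False
    for line in transcript:
        side, text = line[:2], line[3:].strip()
        if side == "S:":
            if text.startswith("354"):
                in_data = True                    # client lines are now message text
            elif external_rcpt:                   # reply to a non-local RCPT TO
                if text.startswith("2"):
                    findings.add("relay-accepted")
                elif text.startswith("5"):
                    findings.add("relay-denied")
            external_rcpt = None
            continue
        if in_data:
            in_data = text != "."                 # a lone dot ends the message
            continue
        upper = text.upper()
        if upper.startswith(HTTP_TOKENS):
            findings.add("http-on-smtp")          # HTTP request lines sent to port 25
        elif upper.startswith("MAIL FROM:"):
            if text[10:].strip() in ("", "<>"):
                findings.add("null-sender")       # also used by legitimate bounces
        elif upper.startswith("RCPT TO:"):
            addr = text[8:].strip().strip("<>").lower()
            if addr.startswith("imceasmtp-"):
                findings.add("encapsulated-address")
            if "%" in addr:
                findings.add("percent-routing")
            # Any domain part (after @ or %) outside our own makes this a relay request.
            external_rcpt = any(d not in local_domains for d in re.split(r"[@%]", addr)[1:])
    return sorted(findings)

# Constructed sample sessions, modelled on the transcripts in the article.
OPEN = ["S: 220 mail.example.net ready", "C: HELO", "S: 250 Hello",
        "C: MAIL FROM:test@test.com", "S: 250 2.1.0 Sender OK",
        "C: RCPT TO:someone@somewhere.com", "S: 250 2.1.5 someone@somewhere.com",
        "C: DATA", "S: 354 Start mail input", "C: POST office closed", "C: .",
        "S: 250 2.6.0 Queued mail for delivery", "C: QUIT"]
DENIED = ["S: 220 mail.example.net ready", "C: HELO", "S: 250 Hello",
          "C: MAIL FROM:<>", "S: 250 2.1.0 Sender OK",
          "C: RCPT TO:someone%somewhere.com",
          "S: 550 5.7.1 Unable to relay for someone%somewhere.com"]
print(audit_session(OPEN, {"example.net"}), audit_session(DENIED, {"example.net"}))
```

A "relay-accepted" label on a session your own users did not originate is the condition the telnet test above checks for by hand.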
You can also drop a text file in the mail pickup directory. The SMTP server will grab the file and deliver it for you. This can be done via a batch file and is an easy way to send automated e-mail alerts.
By default, the MS Exchange 2000 Server pickup directory is located in: C:\Program Files\Exchsrvr\Mailroot\vsi 1\PickUp
The file should be saved without any extensions and formatted as follows:
x-sender: Alert@email.net
x-receiver: info@domain.net
From: Alert@email.net
To: info@domain.net
Subject: Test Email

This is a test.
Advisories / Reference:
- http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-027.asp
- http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304897
- http://support.microsoft.com/default.aspx?scid=kb;EN-US;q310380
- Setting Up SMTP Domains for Inbound and Relay E-Mail in Exchange 2000 Server: "This article describes how to set up Simple Mail Transfer Protocol (SMTP) domains for inbound and relay e-mail in Exchange 2000 Server."
- How to Configure the SMTP Connector in Exchange 2000: "In Exchange 2000, the Simple Mail Transfer Protocol (SMTP) connector replaces the Internet Mail Service in earlier versions of Exchange Server. This article explains how to configure the SMTP connector."
- How to Receive Messages for Two SMTP Domains Using Exchange 2000: "How to receive messages from two Simple Mail Transfer Protocol (SMTP) domains in Exchange 2000. For example, you can use the procedure described in this article if you change your organization name from companya to companyb, and you use companyb.com as your SMTP domain name instead of companya.com."
Notes: Use the following to turn on local echo in a Windows 2000 Telnet session:
- Start a Telnet session from the command prompt
- Enter the command set local_echo
Thanks to Open7 for the tip.