  How to test your SMTP server for open relay 

If your SMTP server accepts incoming TCP connections from the Internet and relays mail for anyone who connects, spammers can use it as a mail relay engine and distribute their messages (spam) all over the world through your server.

To test for open relay, telnet into your mail server, for example with telnet 192.168.1.1 25.
It takes a bit of getting used to, as your keystrokes are not echoed back to you (see the note at the bottom). If you get a command wrong the server will reject it. In the transcript below, the lines that begin with a three-digit reply code are the server's responses; everything else is your input.

220 mail.Yourserver.net Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Thu, 30 May 2002 21:26:22 +1200

HELO

250 mail.Yourserver.net Hello [192.168.1.2]

MAIL FROM:test@test.com
250 2.1.0 test@test.com....Sender OK

RCPT TO:someone@somewhere.com
250 2.1.5 someone@somewhere.com

DATA
354 Start mail input; end with <CRLF>.<CRLF>

From: whoever@wherever.com (Name)

To: someone@somewhere.com

Subject: Whatever

Reply-To: whoever@wherever.com

Your message....

.
250 2.6.0 Queued mail for delivery

QUIT
221 2.0.0 mail.Yourserver.net Service closing transmission channel


Connection to host lost.

 

And there you go: you've just sent an anonymous e-mail through an open relay.

Some systems require you to enclose e-mail addresses in < >.

If you get a message similar to the one below after typing the RCPT TO: address:

550 5.7.1 Unable to relay for someone@somewhere.com

then the mail server does not allow open relay and won't forward spam all over the net.
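The same dialogue automated in Python, as an added example that is not from the original page. It stops at RCPT TO, because a 250 reply for an outside recipient is already proof of the relay, and sends RSET and QUIT instead of DATA, so the check never queues a message on the server. The HELO name relaytest.example and the canned reply sequences are constructed for the example; check_host runs the same logic against a live server.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply ("250-..." lines continue, "250 ..." ends it); return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)

def relay_test(rfile, wfile, sender="test@test.com", recipient="someone@somewhere.com"):
    """Replay the page's dialogue up to RCPT TO and classify the reply.
    DATA is never sent: a 250 to an outside recipient already proves the relay."""
    def cmd(line):
        wfile.write(line.encode("ascii") + b"\r\n")
        wfile.flush()
        return read_reply(rfile)
    replies = {"banner": read_reply(rfile)}
    if replies["banner"][0] != 220:
        return "no-service", replies
    replies["helo"] = cmd("HELO relaytest.example")  # constructed test hostname
    replies["mail"] = cmd("MAIL FROM:<%s>" % sender)
    if replies["mail"][0] != 250:
        return "sender-rejected", replies
    replies["rcpt"] = cmd("RCPT TO:<%s>" % recipient)
    cmd("RSET")  # discard the envelope instead of continuing with DATA
    cmd("QUIT")
    code = replies["rcpt"][0]
    if code in (250, 251):
        return "open-relay", replies
    if 500 <= code < 600:  # e.g. "550 5.7.1 Unable to relay for ..."
        return "relay-denied", replies
    return "inconclusive", replies  # 4xx: greylisting or temporary failure

def check_host(host, port=25, timeout=10):
    """Run relay_test against a live server (one you are responsible for)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return relay_test(sock.makefile("rb"), sock.makefile("wb"))
# Constructed reply sequences (not real server output) so the check can be run offline.
OPEN_RELAY = [b"220 mail.Yourserver.net ESMTP ready\r\n", b"250 Hello [192.168.1.2]\r\n",
              b"250 2.1.0 Sender OK\r\n", b"250 2.1.5 someone@somewhere.com\r\n",
              b"250 2.0.0 Resetting\r\n", b"221 2.0.0 Service closing transmission channel\r\n"]
RELAY_DENIED = OPEN_RELAY[:3] + [b"550 5.7.1 Unable to relay for someone@somewhere.com\r\n"] + OPEN_RELAY[4:]
def check_scripted(script):  # run relay_test against canned replies instead of a socket
    return relay_test(io.BytesIO(b"".join(script)), io.BytesIO())
```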

You could also try an encapsulated address to fool unpatched servers (see the MS99-027 advisory in the references below) with the following command:

RCPT TO: IMCEASMTP-test+40test+2Whoever@wherever.com

Some other tricks you might want to try:

  • Use a blank or null From address
  • Replace the @ with a % sign, e.g. RCPT TO:someone%somewhere.com
  • Use the IP address of the local server, e.g. MAIL FROM:whoever@192.168.1.1
  • Enclose the address in quotation marks, e.g. MAIL FROM:"whoever@192.168.1.1"

You can try to make a POST request via a proxy server:

        POST http://victim:25/ HTTP/1.1
        Host: victim
        (empty line)
        HELO spammer
        MAIL FROM: <..>
        RCPT TO: <..>
        DATA
        spam
        .
The SMTP server will most likely complain about unsupported commands ("POST", "Host:", "X-Forwarded-For" and so on), but many will then silently accept the junk mail that follows these commands.

You can also drop a text file into the mail pickup directory. The SMTP server will grab the file and deliver it for you. This can be done from a batch file and is an easy way to send automated e-mail alerts.

By default the MS Exchange 2000 Server pickup Directory is located in:
C:\Program Files\Exchsrvr\Mailroot\vsi 1\PickUp

The file should be saved without any extensions and formatted as follows:

x-sender: Alert@email.net
x-receiver: info@domain.net
From: Alert@email.net
To: info@domain.net
Subject: Test Email

This is a test.

Advisories / Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-027.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304897
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q310380

Setting Up SMTP Domains for Inbound and Relay E-Mail in Exchange 2000 Server
"This article describes how to set up Simple Mail Transfer Protocol (SMTP) domains for inbound and relay e-mail in Exchange 2000 Server."

How to Configure the SMTP Connector in Exchange 2000
"In Exchange 2000, the Simple Mail Transfer Protocol (SMTP) connector replaces the Internet Mail Service in earlier versions of Exchange Server. This article explains how to configure the SMTP connector. "

How to Receive Messages for Two SMTP Domains Using Exchange 2000
"How to receive messages from two Simple Mail Transfer Protocol (SMTP) domains in Exchange 2000. For example, you can use the procedure described in this article if you change your organization name from companya to companyb, and you use companyb.com as your SMTP domain name instead of companya.com." 

Notes:
Use the following to turn on local echo in a Windows 2000 Telnet session:

  • Start a Telnet session from the command prompt
  • Enter the command set local_echo

Thanks to Open7 for the tip.

Copyright 2002-2003 Security Wizards