If your SMTP server accepts incoming TCP connections from the Internet, your server can be used by spammers as a mail relay engine. Spammers can distribute their messages (spam) all over the world using your server as an open relay.

To test for open relay, telnet into your mail server on port 25:

telnet 192.168.1.1 25

It takes a bit of getting used to, as the keystrokes are not echoed back to you (see the note at the bottom). If you get it wrong the server will spit at you. In the session below, the lines that begin with a three-digit code are the server's responses; everything else is your input.

220 mail.Yourserver.net Microsoft ESMTP MAIL Service, Version: 5.0.219 5.4905 ready at Thu, 30 May 2002 21:26:22 +1200
HELO
250 mail.Yourserver.net Hello [192.168.1.2]
MAIL FROM:test@test.com
250 2.1.0 test@test.com....Sender OK
RCPT TO:someone@somewhere.com
250 2.1.5 someone@somewhere.com
DATA
354 Start mail input; end with .
From: whoever@wherever.com (Name)
To: someone@somewhere.com
Subject: Whatever
Reply-To: whoever@wherever.com
Your message....
.
250 2.6.0 Queued mail for delivery
QUIT
221 2.0.0 mail.Yourserver.net Service closing transmission channel
Connection to host lost.

And there you go, you've just sent an anonymous e-mail using open relay.

Some systems require you to enclose e-mail addresses in < >.

If you get a message similar to the one below after typing RCPT TO: address:

550 5.7.1 Unable to relay for someone@somewhere.com

the mail server does not allow open relay and won't forward spam all over the net.

You could try to encapsulate commands to fool unpatched servers with the following command:

RCPT TO: IMCEASMTP-test+40test+2Whoever@wherever.com

Some tricks that you might want to try:
- Use a blank or null From address
- Replace the @ with a % sign e.g.: RCPT TO:someone%somewhere.com
- Use IP addresses of local Server, MAIL FROM:whoever@192.168.1.1
- Encapsulate the address in quotations, MAIL FROM: whoever@192.168.1.1
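
From the administrator's side, the 250 versus 550 answer to RCPT TO described above can be checked in a recorded session. The Python below is an added example, not part of the original page: it reports every recipient the server accepted for a domain it does not host, resolving the % and IMCEASMTP forms to the domain they point at. The function names, the example.net and example.org hosts and the session text are constructed, and the +XX hex decoding of encapsulated addresses is an assumption about that address format.

```python
import re

RCPT = re.compile(r"^RCPT TO:\s*(.+)$", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})[ -]")
IMCEA = re.compile(r"^IMCEASMTP-(.+)@[^@]+$", re.IGNORECASE)

def effective_domain(addr):
    """Domain a permissive server could route this recipient to."""
    addr = addr.strip().strip("<>").strip('"')
    m = IMCEA.match(addr)
    if m:  # encapsulated form (assumed encoding): +XX is a hex character, +40 is '@'
        addr = re.sub(r"\+([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    local, _, domain = addr.rpartition("@")
    hidden = (local or domain).rpartition("%")  # user%domain, with or without '@'
    if hidden[1]:
        domain = hidden[2]
    return domain.lower()

def audit_session(lines, local_domains):
    """Pair each RCPT TO with the reply that follows it and classify the result."""
    findings, pending = [], None
    for line in (l.strip() for l in lines):
        m = RCPT.match(line)
        if m:
            pending = m.group(1)
        elif pending is not None and (r := REPLY.match(line)):
            dom, code = effective_domain(pending), r.group(1)
            if dom in local_domains:
                verdict = "local"
            else:  # a 2xx reply here means mail was accepted for a domain we do not host
                verdict = "RELAYED" if code.startswith("2") else "refused"
            findings.append((pending, dom, code, verdict))
            pending = None
    return findings

# Constructed session log (hosts and addresses are placeholders).
SESSION = """\
RCPT TO:<info@example.net>
250 2.1.5 info@example.net
RCPT TO:<someone@somewhere.com>
550 5.7.1 Unable to relay for someone@somewhere.com
RCPT TO:someone%somewhere.com
250 2.1.5 someone%somewhere.com
RCPT TO:IMCEASMTP-someone+40somewhere+2Ecom@example.net
250 2.1.5 IMCEASMTP-someone+40somewhere+2Ecom@example.net
""".splitlines()

if __name__ == "__main__":
    print(*audit_session(SESSION, {"example.net"}), sep="\n")
```

A server that refuses the plain address but answers 250 to the variant forms, as in the constructed log, is still relaying.
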

You can try to make a POST request via a proxy server:

POST http://victim:25/ HTTP/1.1
Host: victim
(empty line)
HELO spammer
MAIL FROM: <..>
RCPT TO: <..>
DATA
spam
.

The SMTP-server will most likely complain about unsupported SMTP-commands "POST", "Host:", "X-Forwarded-For" and so on, but many will just silently accept the junkmail after these commands.

You can also pop a text file in the mail pickup directory. The SMTP server will grab the file and deliver it for you. This can be done via a batch file and is an easy way to send automated e-mail alerts.

By default the MS Exchange 2000 Server pickup directory is located in:

C:\Program Files\Exchsrvr\Mailroot\vsi 1\PickUp

The file should be saved without any extension and formatted as follows:

x-sender: Alert@email.net
x-receiver: info@domain.net
From: Alert@email.net
To: info@domain.net
Subject: Test Email

This is a test.

Advisories / Reference:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-027.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304897
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q310380

Setting Up SMTP Domains for Inbound and Relay E-Mail in Exchange 2000 Server
"This article describes how to set up Simple Mail Transfer Protocol (SMTP) domains for inbound and relay e-mail in Exchange 2000 Server."

How to Configure the SMTP Connector in Exchange 2000
"In Exchange 2000, the Simple Mail Transfer Protocol (SMTP) connector replaces the Internet Mail Service in earlier versions of Exchange Server. This article explains how to configure the SMTP connector."

How to Receive Messages for Two SMTP Domains Using Exchange 2000
"How to receive messages from two Simple Mail Transfer Protocol (SMTP) domains in Exchange 2000. For example, you can use the procedure described in this article if you change your organization name from companya to companyb, and you use companyb.com as your SMTP domain name instead of companya.com."

Notes:

Use the following to turn on local echo in a Windows 2000 Telnet session:
- Start a Telnet session from the command prompt
- Enter the command set local_echo

Thanks to Open7 for the tip.