RE: open relay on Exchange 2000

  • From: "Julio Danoviz" <jedanoviz@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Sep 2002 19:57:57 -0300

Yes, but an interesting issue is mail spoofing:

One of the vulnerabilities of the SMTP protocol is that it is possible to 
attack closed relays... the only thing you have to do is send an email to a 
fake email address; doing this, the email will be sent back to the sender (who 
could be anybody from any domain I wish!).

I could also include an attachment... and the SMTP server would deliver this 
information included in the NDR! 

It's easy to see that I could generate a denial of service with this method, 
using the SMTP server's resources and also attacking, if I desire, the "sender".

Unless you disallow non-delivery reports and perform reverse DNS lookups on 
incoming messages... but this has several disadvantages...

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx] 
Sent: Wednesday, 04 September 2002 06:50 p.m.
To: [ExchangeList]
Subject: [exchangelist] RE: open relay on Exchange 2000

They cannot just make up a username and password, it has to be a real
username and password.

Mark Fugatt
Pentech Office Solutions Inc
Tel:  585 586 3890
Fax: 585 249 0316
Cell: 585 576 4750
Visit for valuable information about Microsoft Exchange

-----Original Message-----
From: maplesoft@xxxxxxxxxxxxx [mailto:maplesoft@xxxxxxxxxxxxx]
Sent: Wednesday, September 04, 2002 5:49 PM
To: [ExchangeList]
Subject: [exchangelist] open relay on Exchange 2000

We have recently set up Exchange 2000. We wanted to make sure we did not
have any open relays and followed the instructions given in Mark Fugatt's
"Understanding Relaying and Spam with Exchange 2000."

Testing with the telnet session is successful; however, if a spammer really
wants to use our server, all they need to do is set up an Outlook Express
client with a bogus email address, tell OE to authenticate to our smtp
and provide a bogus username and password and the email will be relayed.

I do not know what we missed, but we must have missed something.  If anyone
has any ideas, we would greatly appreciate them.
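
The NDR behaviour described in the first message of this thread, as an added example that is not part of any post: a small Python model comparing a server that accepts mail for unknown recipients and bounces it later with one that refuses them during the SMTP session, and with one that omits the original message from the NDR. Rejecting at RCPT TO is a mitigation assumed here, not one named in the thread; the addresses, recipient directory and message sizes are constructed.

```python
"""Model of an SMTP front end handling mail for unknown recipients (constructed data)."""
from dataclasses import dataclass, field

VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}  # constructed directory

@dataclass
class Result:
    replies: list = field(default_factory=list)  # SMTP replies given during the session
    ndrs: list = field(default_factory=list)     # (bounce_to, payload_bytes) sent afterwards

def handle(mail_from, rcpt_to, body, validate_at_rcpt, attach_original=True):
    """Process one message; return the SMTP replies and any NDRs the server would send."""
    res = Result()
    res.replies.append("250 sender ok")  # the envelope sender is not verified by SMTP itself
    for rcpt in rcpt_to:
        known = rcpt.lower() in VALID_RECIPIENTS
        if validate_at_rcpt and not known:
            # Refused in-session: the connecting client sees the failure, no NDR is created.
            res.replies.append(f"550 5.1.1 {rcpt} unknown")
        else:
            res.replies.append(f"250 {rcpt} ok")
            if not known:
                # Accepted, then undeliverable: the NDR goes to the claimed envelope sender.
                res.ndrs.append((mail_from, len(body) if attach_original else 0))
    return res

def backscatter_bytes(messages, **policy):
    """Total NDR payload per bounce target for a batch of (sender, recipients, body)."""
    totals = {}
    for msg in messages:
        for target, size in handle(*msg, **policy).ndrs:
            totals[target] = totals.get(target, 0) + size
    return totals

# Constructed sample: claimed sender on another domain, 1 MB bodies, mostly unknown recipients.
SAMPLE = [
    ("victim@elsewhere.example", ["nobody1@example.org", "alice@example.org"], b"x" * 1_000_000),
    ("victim@elsewhere.example", ["nobody2@example.org"], b"x" * 1_000_000),
]

if __name__ == "__main__":
    print("accept then bounce  :", backscatter_bytes(SAMPLE, validate_at_rcpt=False))
    print("reject at RCPT TO   :", backscatter_bytes(SAMPLE, validate_at_rcpt=True))
    print("NDR without original:",
          backscatter_bytes(SAMPLE, validate_at_rcpt=False, attach_original=False))
```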

