[Dshield] Exchange Open Relay

Patrick Andry pandry at wolverinefreight.ca
Wed Feb 22 20:14:10 GMT 2006

Arthur Neville wrote:
> Greetings
>   Q:
>   I posted before about how my domain is being whacked by Spam and how some users are contsantly getting hammered
>   I checked our public facing email server to see if its an Open Relay....
>   I was able to telnet into 25 and send mail from the outside hmmmmm
>   We use an intranet and within that intranet there is windows integrated authenticated, we are using Outlook Web Access and Outlook Mobile Access for our smartphones
>   I heard one of the WinAdmins speak about needing SMTP to communicate between the servers and that there are no open relay's.... duhhhh guess what
>   I went to one of the sites that checks the site to see if it is on any DNSBNL's and voila we are on about 50 dnsbl's on the net.....
>   Does that mean we have someone using our server as an open relay ???
>   Or we have someone who has some bots on his box or boxes....
>   In any event....thats the scoopla, I am well versed in the art of reading so if you have some links or info that would be helpful that would be kewl
>   thanks
>   art
> ---------------------------------
> Brings words and photos together (easily) with
>  PhotoMail  - it's free and works with Yahoo! Mail.
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Which version of Exchange?  Exchange 5.5 is an open relay by design, and 
you need to edit a registry key to turn it off.  Exchange 2000 is, iirc, 
secured against it.

Exchange, even properly secured, will fail some of the open relay tests, 
due to the handling of the inbound mail.  It accepts pretty much all 
mail, then will decide if it needs to be discarded.  If you test your 
mailserver using some of the online open relay tests, be aware of this. 

The spambots are pretty easy to choke out at the firewall.  Just deny 
all traffic destined to the internet on port 25 from everything but your 
mail server.  Web scripts are notorious for e-mail relay, and any 
contact forms should be audited.  Anti-virus and anti-adware software 
will find any rogue clients.

Finally, a big "mea culpa" to all of the blacklists, coupled with time 
and good behavior, will get you off the lists.

More information about the list mailing list