Tech

Guides
 

Prevent open relays on Exchange Server

By Michael Mullins, Special to ZDNet Asia
Tuesday, May 15, 2007 10:21 AM
Open relays on corporate networks are a contributing factor to the volume of unsolicited e-mail currently flying around the Internet. Are your e-mail servers vulnerable to mail relaying?
Open mail relays--e-mail servers that allow third-party transmission of messages--are a significant contributing factor to the volume of unsolicited e-mail currently flying around the Internet. Spammers send millions of junk e-mail messages daily, and open mail relays make the process easier.

However, most companies are unaware that spammers are taking advantage of the organization's e-mail servers for such nefarious purposes. Depending on the version of Exchange server that your organization is running, you might be vulnerable to mail relaying. Let's look at how you can find out.

Defining the problem
Mail relaying occurs when e-mail sent from one server routes to an intermediate e-mail server, which then delivers it to the recipient's e-mail server. But there are, in fact, legitimate uses for a mail relay.

For example, you might have a e-mail server that serves as your Internet bridge server. That server receives e-mail from the Internet and distributes it to a cluster of internal e-mail servers.

However, spammers who want to disguise the point of origin for their spam messages will route their junk e-mail through a mail relay to confuse the recipient. Seeing an e-mail from a legitimate address can easily dupe users into thinking the message is worthy of attention.

Checking your vulnerability
You can check your organization's Exchange servers to determine whether they're vulnerable to mail relay. The best way to do so is using a workstation from outside the company's network.

To check your servers, you need to know the fully qualified domain name (FQDN) for your e-mail server. If you don't know the FQDN, you can find it rather easily. Follow these steps:

  1. Go to Start | Run, type cmd, and click OK.
  2. At the command prompt, type nslookup, and press [Enter].
  3. Type set type=mx, and press [Enter].
  4. Type the domain name of your organization (e.g., techrepublic.com).

The results will show an MX preference that lists the name(s) of the Exchange server.

To determine whether your Exchange servers are vulnerable to open relays, follow these steps:

  1. Go to Start | Run, type telnet, and click OK.
  2. At the Telnet command prompt, type set localecho, and press [Enter].
  3. Type open <name.of.exchange.server> 25, replacing <name.of.exchange.server> with the FQDN of the Exchange server. 25 signifies the port you want to connect to. (TCP/IP port 25 is for SMTP.)

Your telnet console should return a result that looks something like the following. (The Version will vary, depending on the version of your Exchange server.)

220 <name.of.exchange.server> Microsoft ESMTP MAIL Service, 
Version: 6.0.3790.1830 ready at –date- -0500
  1. Next, type ehlo <anotherdomain.com>, replacing <anotherdomain.com> with any domain except your own, and press [Enter].

This will return some output, and the last line of the result should be:

250 OK
  1. Type mail from:<youremailaddress@anotherdomain.com>, replacing youremailaddress@anotherdomain.com with a valid e-mail address, and press [Enter].

This will return some more output, and the last line of the result should say:

250 2.1.0 youremailaddress@anotherdomain.com...Sender OK
  1. Type rcpt to:hacker@spammail.com, and press [Enter].

If you see the following result, you have an open relay and need to take action.

250 2.1.5 hacker@spammail.com

Stopping the relay
If you discover that your organization has an open relay, you need to stop it. To stop open relaying on the Default SMTP Virtual Server, follow these steps:

  1. Go to Start | All Programs | Microsoft Exchange | Exchange System Manager.
  2. Expand Servers, expand <Servername> (the name of your Exchange server), expand Protocols, and expand SMTP.
  3. Right-click Default SMTP Virtual Server, and select Properties.
  4. On the Access tab, click the Relay button at the bottom.
  5. Select the Only The List Below check box, and remove any entries in the list that aren't a part of your business network.
  6. Select the Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above check box.
  7. Close all dialog boxes.

Your Exchange server will now only relay mail for authenticated computers and computers that you have specifically allowed.

Final thoughts
Exchange Server 2003 disables open mail relay by default. And unless you've made some major changes to its SMTP configuration, Exchange Server should have this disabled as well.

However, if you suspect that your server is vulnerable to mail relaying, it's worth checking out. Make sure your organization is part of the security solution--and not part of the problem.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.



WORTHWHILE?

0

0 votes
Blog

Talkback 0 comments

There are currently no comments for this post.


Guest user

Guest user

Level: 
Joined: —
Already a member? Log in »



 

Loading...

Whitepapers/Case Studies

Downloads

Internet Security News



Tech Jobs Now!


Search for your ideal tech job:

Tags

  1. authentication and encryption
  2. business security
  3. chad perrin
  4. computer
  5. data security
  6. michael kassner
  7. microsoft corp.
  8. microsoft windows
  9. network
  10. network security
  11. operating system
  12. password
  13. pc security
  14. security
  15. security applications / tools
  16. security implementation / standards
  17. security management
  18. server
  19. tool
  20. web