by admin on June 28, 2006 01:30pm


Spam is a well-known problem for many on the Internet. If you have an email account anywhere, chances are you’ve gotten something you didn’t ask for: a “stock tip”, an adult entertainment solicitation, or possibly a plea from an altruistic member of the “[Random Nation] Royal Family” to assist in some friendly money laundering.

As the anti-spam movement gets craftier, so do the spammers. Fortunately for the spammers and unfortunately for the Internet, there is a wealth of open-relay mail servers that should never have been put online. While most common, current-version SMTP software is secure by default, plenty of people still run outdated software, never bothered to upgrade, or never configured it properly in its present state.

If you are tasked with administering and monitoring a large portion of IP space assigned to people with autonomous control of machines on an externally visible network, this problem can become a thorn in your side very quickly; just ask any ISP that allows its customers to run servers.

If you’re not allotted much (or any) software budget to purchase fancy enterprise tools to hunt down open relays on your network, there are some free and lightweight tools for Linux. One such utility is a small application written in C called “smtprc” (SMTP relay check): http://freshmeat.net/projects/smtprc . This simple application takes about 10 minutes to set up. First unpack it into your directory of choice. Next read the README file, and specifically check the Compilation/Installation section to make sure it ends up where you want it. If not, edit the Makefile and set the install location you want. Do a “make” and “make install”, edit your scan configuration and go. It outputs results to an HTML file (location specified in the configuration), color-coded by result. The collected data may then be used to notify the administrators of vulnerable machines.

Note: Some older versions of NT Mail and Lotus Notes will produce false positives. The messages smtprc attempts to relay are what I would call “passively rejected”: the SMTP server being tested accepts the inbound messages, but they are never actually delivered. When in doubt, it is best to test manually.

$ telnet mailserver.com 25                 <-- telnet to the host in question on port 25
Trying 10.197.173.28...
Connected to mailserver.com.
Escape character is '^]'.
220 mailserver.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 14 Jun 2006 15:17:39 -0700
helo bleh                                  <-- most MTAs now require a “helo/ehlo”
250 mailserver.com Hello [157.55.209.144], pleased to meet you
mail from:<me@here.com>                    <-- sender address
250 2.1.0 <me@here.com>... Sender ok
rcpt to:someone@wherever.com               <-- intended recipient address
250 2.1.5 <someone@wherever.com>... Recipient ok
data                                       <-- indicates the message is now being written
354 Enter mail, end with "." on a line by itself
Subject: open relay?                       <-- can be anything
Hrrrm……                                    <-- message body
.                                          <-- a dot on a line by itself ends the message; the server will queue it for delivery
250 2.0.0 k5EMHdHl028091 Message accepted for delivery
quit
221 2.0.0 mailserver.com closing connection
Connection closed by foreign host.

Check your mailbox in about 15-30 minutes. If the message doesn’t arrive, chances are this is not an open relay.
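An added example, not part of the original post or of smtprc, that scripts the same check in Python for auditing your own hosts: the hypothetical relay_check() walks HELO, MAIL FROM and RCPT TO exactly as the session above does and classifies the host from the RCPT TO reply code. The host names and replies are constructed, and ScriptedConn lets the check run offline in place of a real connection.

```python
import re
import socket

def parse_reply(line):
    """Split an SMTP reply such as '250 2.1.5 <x>... Recipient ok' into (code, text)."""
    m = re.match(r"^(\d{3})[ -]?(.*)$", line.strip())
    return (int(m.group(1)), m.group(2)) if m else (0, line)

class SocketConn:
    """Line-oriented wrapper around a real TCP connection to port 25."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace")
    def send_line(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))
    def read_reply(self):
        while True:  # skip '250-' continuation lines; the final line carries the verdict
            line = self.rfile.readline()
            if len(line) < 4 or line[3] != "-":
                return line

class ScriptedConn:
    """Offline stand-in for SocketConn that replays canned server replies."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def send_line(self, line):
        self.sent.append(line)
    def read_reply(self):
        return self.replies.pop(0) if self.replies else ""

def relay_check(conn, helo="relaytest", sender="me@here.com", recipient="someone@wherever.com"):
    """HELO / MAIL FROM / RCPT TO as in the session above -> 'open', 'closed' or 'error'.
    The RCPT TO reply decides: 250 means the server agreed to relay to a foreign domain.
    'Passively rejecting' servers also answer 250, so the manual mailbox check stays final."""
    if parse_reply(conn.read_reply())[0] != 220:
        return "error"
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>"):
        conn.send_line(cmd)
        if parse_reply(conn.read_reply())[0] != 250:
            return "error"
    conn.send_line(f"RCPT TO:<{recipient}>")
    code, _ = parse_reply(conn.read_reply())
    conn.send_line("QUIT")  # no DATA is sent, so nothing is queued on the server
    return "open" if code == 250 else "closed" if code in (550, 551, 553, 554) else "error"

# Constructed replies mirroring the telnet session in the post (not a real host).
OPEN_RELAY_REPLIES = ["220 mailserver.example ESMTP Sendmail 8.13.1/8.13.1",
                      "250 mailserver.example Hello [192.0.2.10], pleased to meet you",
                      "250 2.1.0 <me@here.com>... Sender ok",
                      "250 2.1.5 <someone@wherever.com>... Recipient ok"]
CLOSED_RELAY_REPLIES = OPEN_RELAY_REPLIES[:3] + ["550 5.7.1 <someone@wherever.com>... Relaying denied"]
```

Against a live host you would pass SocketConn("host.example") instead of ScriptedConn; a result of "open" still deserves the manual DATA test above before notifying anyone.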