Closed Relay – SMTP Auth AttackJuly 7th, 2008, by dcawley
A few days ago, I received a phishing e-mail to a personal e-mail account. Out of curiosity, I happened to check the received headers and noticed it had been relayed via an Exchange server. A quick check of the company website of the Exchange server operator, indicated it was very likely a legitimate mail server being abused as a relay. My first thought was that the Exchange server had been mis-configured as an open relay but with a little investigation I found it was actually a closed relay, victim to an SMTP Auth attack.
An Open Relay allows anyone to connect to the mailserver and send e-mail to anyone from it. This was a typical default configuration at the time but due to their abuse by spammers this quickly changed. System administrators had to close the relays, so that mail would only be accepted for local domains or else end up having their outbound mailserver listed on multiple block lists. At one time, the majority of spam originated from open relays but due to aggressive blocking this dropped to a small percentage over time as the use of botnets took over.
So what is a closed relay? To allow remote users to authenticate to the outbound mailserver, SMTP-AUTH can be used. Unfortunately, a spammer can perform a brute force attack to guess the username and password to an account on the mailserver. In the case I mentioned above, they were able to guess one of the common usernames and break a weak password. Once the spammer was able to authenticate with the mailserver, they were then free to use it as a relay even though it wasn’t mis-configured as an open relay.
I should point out that this type of attack has been happening for years. However, it seems to be increasing in popularity in recent months. I contacted the company responsible for the exchange server and explained that an account had been compromised and the consequences. They had already been listed on one blocklist, which even provided samples of phishing e-mails originating from their server. Fortunately, they were quickly able to secure their server and be removed from the blocklist before it damaged their business due to blocked e-mails. So if your mailserver is using SMTP Auth consider whether it’s actually needed and if so, if it’s sufficiently protected against SMTP Auth attacks.