Closed Relay – SMTP Auth Attack

    July 7th, 2008, by dcawley

    A few days ago, I received a phishing e-mail to a personal e-mail account. Out of curiosity, I happened to check the Received headers and noticed it had been relayed via an Exchange server. A quick check of the company website of the Exchange server operator indicated it was very likely a legitimate mail server being abused as a relay. My first thought was that the Exchange server had been mis-configured as an open relay, but with a little investigation I found it was actually a closed relay that had fallen victim to an SMTP Auth attack.

    An open relay accepts mail from any client, for any recipient, and passes it on: anyone who can reach port 25 can send e-mail to anyone through it. This was a typical default configuration at the time, but abuse by spammers quickly changed that. System administrators had to close their relays so that unauthenticated clients could only submit mail addressed to the server's own local domains; those who did not ended up with their outbound mail server listed on multiple block lists. At one time the majority of spam originated from open relays, but with aggressive blocking that share dropped to a small percentage over time as botnets took over.

    So what is a closed relay? It accepts mail from arbitrary clients only for its own local domains, and relays mail to other domains only for clients it trusts. To let legitimate remote users (a salesperson on the road, say) relay through the outbound mail server, SMTP-AUTH (RFC 4954) is used: the client presents a username and password, and a successful login grants relay rights for that session. Unfortunately, that password is now the only thing standing between a spammer and the relay, and a spammer can brute-force it, trying common usernames against a dictionary of weak passwords, one SMTP session after another. In the case I mentioned above, they were able to guess one of the common usernames and break a weak password. Once the spammer could authenticate, they were free to use the server as a relay even though it was never mis-configured as an open relay. The tell-tale sign in the mail log is a long run of failed AUTH attempts from one source address, cycling through usernames, followed by a success; the server is only as secure as the weakest password on any account that is allowed to authenticate.
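    As an added illustration (example code written for this edit, not part of the original post and not taken from Exchange or any other product mentioned here), the following Python shows the three pieces the paragraph above describes: the closed-relay decision (mail for local domains from anyone, everything else only after authentication), what the credential blob a client sends after AUTH PLAIN actually contains, and a simple check a mail administrator could run over SASL authentication log lines to spot a brute-force source and the successful login that followed it. The log lines are constructed in the style of Postfix's smtpd logging rather than Exchange's, and the domains, addresses, usernames, passwords and thresholds are made-up assumptions.

```python
"""Added example, not code from the original post: a closed-relay policy check,
encoding/decoding of the SMTP AUTH PLAIN credential blob, and a small brute-force
detector run over constructed Postfix-style SASL log lines. The log format,
addresses, usernames, passwords and thresholds are assumptions for illustration."""
import base64
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}  # assumed domains this server accepts mail for


def relay_allowed(authenticated, rcpt_addr, local_domains=LOCAL_DOMAINS):
    """Closed-relay rule: mail for a local domain is accepted from anyone; mail for
    any other domain only from an authenticated session. An open relay is the same
    decision returning True unconditionally."""
    domain = rcpt_addr.rsplit("@", 1)[-1].lower()
    return domain in local_domains or authenticated


def encode_auth_plain(username, password, authzid=""):
    """Build the blob a client sends after 'AUTH PLAIN' (RFC 4616):
    base64([authzid] NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def parse_auth_plain(b64):
    """Decode an AUTH PLAIN blob. Guessing this (username, password) pair is the
    whole attack; nothing else protects the relay."""
    authzid, authcid, password = base64.b64decode(b64).decode().split("\0")
    return authzid, authcid, password


# Constructed, Postfix-style smtpd log lines (not from the post). One source hammers
# several common usernames and finally succeeds as 'sales'; a second user mistypes
# a password once and then logs in normally.
SAMPLE_LOG = """\
Jul  7 02:10:01 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jul  7 02:10:03 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jul  7 02:10:05 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jul  7 02:10:08 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=root
Jul  7 02:10:11 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=root
Jul  7 02:10:40 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=sales
Jul  7 02:10:45 mx postfix/smtpd[1201]: 7A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales
Jul  7 09:15:12 mx postfix/smtpd[1330]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Jul  7 09:15:50 mx postfix/smtpd[1330]: 9F8E7D6C5B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
"""

FAIL_RE = re.compile(r"\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed.*sasl_username=(?P<user>\S+)")
OK_RE = re.compile(r"client=\S*\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")


def analyze_auth_log(log, per_ip_threshold=5, per_user_threshold=3):
    """Count SASL failures per source IP and per username, flag sources over the
    per-IP threshold and usernames that look like a dictionary target, and report
    every successful login that came from an already-flagged source. The
    thresholds are illustrative; tune them to the server's normal failure rate."""
    fails_by_ip, fails_by_user = Counter(), Counter()
    suspicious_logins = []
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails_by_ip[m["ip"]] += 1
            fails_by_user[m["user"]] += 1
            continue
        m = OK_RE.search(line)
        if m and fails_by_ip[m["ip"]] >= per_ip_threshold:
            # A success after a burst of failures from the same source is the
            # signature of a guessed password, not of a user's typo.
            suspicious_logins.append((m["ip"], m["user"]))
    return {
        "brute_force_ips": {ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold},
        "targeted_users": {u for u, n in fails_by_user.items() if n >= per_user_threshold},
        "suspicious_logins": suspicious_logins,
        "failures_by_ip": dict(fails_by_ip),
    }


if __name__ == "__main__":
    print(relay_allowed(False, "victim@other.example"))  # False: no auth, foreign domain
    print(relay_allowed(True, "victim@other.example"))   # True: authenticated session
    print(parse_auth_plain(encode_auth_plain("sales", "Summer2008")))
    for key, value in analyze_auth_log(SAMPLE_LOG).items():
        print(key, value)
```

    On a real server the same analysis would be fed the live mail log (for Postfix, the SASL lines in /var/log/mail.log; Exchange logs the equivalent in its own protocol logs), and the flagged source addresses are the ones to rate-limit or block per IP and per username. AUTH LOGIN differs from AUTH PLAIN only in sending the username and password as two separate base64 strings, so the decoding above shows the same thing either way: over an unencrypted session the credential is readable by anyone on the path, and over TLS it is still only as strong as the password itself.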

    I should point out that this type of attack has been happening for years. However, it seems to be increasing in popularity in recent months. I contacted the company responsible for the Exchange server and explained that an account had been compromised, and the consequences. They had already been listed on one block list, which even provided samples of phishing e-mails originating from their server. Fortunately, they were quickly able to secure their server and be removed from the block list before blocked e-mails damaged their business. So if your mail server is using SMTP Auth, consider whether it’s actually needed and, if so, whether it’s sufficiently protected against SMTP Auth attacks.

    4 Responses to “Closed Relay – SMTP Auth Attack”

    1. July 07, 2008 at 11:08 am, Ken Simpson said:

      I like the futuristic picture in this post.

    2. July 07, 2008 at 6:26 pm, frnkblk said:

      Good posting. I haven’t seen very strong support by MTAs to identify SMTP AUTH brute force attacks.

      Any comments on what vendors are doing, between Exchange (using AD on the backend), LDAP-based auth, and native system AUTH?

    3. July 10, 2008 at 6:39 pm, frnkblk said:

      Incidentally, a vendor who has customized qmail (among other things) mentioned to me that they have rate-limiters per IP and username for just that aspect.


    4. July 11, 2008 at 10:42 am, David Cawley said:

      Hi Frank,

      Thanks for the feedback and interesting questions and comments. I’ve posted a follow up to this blog post which is published here
