Q

How does a mail server respond to fake email addresses?

In this SearchSecurity.com Q&A, Ed Skoudis reviews the actions of a mail server when it is presented with a bogus email address.

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?
What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake? Obviously, if the email address is valid, the mail server should deliver the message (perhaps after applying another layer of antispam detection). But, if the email is destined for a "fake employee," some mail servers will respond with a non-deliverable report (NDR) message. That way, if there was a real sender of the email, he or she could be informed...

that the message was rejected.

Other mail servers do not respond with an NDR message, and instead simply accept the email to the bogus address and silently discard it. The reason that some mail servers eschew NDRs (as the one you describe in your question does) is because their owners do not want a spammer to be able to try thousands of usernames and harvest valid ones. With NDRs, the attackers can differentiate valid from invalid addresses because the invalid ones will trigger an NDR, while the valid ones won't.

Whether or not to send NDRs is a point of some controversy. While they can offer a desirable business function (allowing legitimate senders to know that their messages weren't received), they also can help spammers. If a spammer spoofs a source email address, the NDRs will be directed to the victim's organization and domain. Thus, if a mail server is configured to send NDRs, a spammer could turn this functionality into a denial-of-service NDR flood against other organizations' mail servers.

More information:

  • Find out if email header information can be used to track down spoofers.
  • See how well the CAN-SPAM Act is stopping spam.
  • This was first published in February 2007
    This Content Component encountered an error

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close