How does a mail server respond to fake email addresses?

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?

What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake? Obviously, if the email address is valid, the mail server should deliver the message (perhaps after applying another layer of antispam detection). But, if the email is destined for a "fake employee," some mail servers will respond with a non-deliverable report (NDR) message. That way, if there was a real sender of the email, he or she could be informed that the message was rejected.

Other mail servers do not respond with an NDR message, and instead simply accept the email to the bogus address and silently discard it. The reason that some mail servers eschew NDRs (as the one you describe in your question does) is that their owners do not want a spammer to be able to try thousands of usernames and harvest valid ones. With NDRs, the attackers can differentiate valid from invalid addresses because the invalid ones will trigger an NDR, while the valid ones won't.

Whether or not to send NDRs is a point of some controversy. While they can offer a desirable business function (allowing legitimate senders to know that their messages weren't received), they also can help spammers. If a spammer spoofs a source email address, the NDRs will be directed to the victim's organization and domain. Thus, if a mail server is configured to send NDRs, a spammer could turn this functionality into a denial-of-service NDR flood against other organizations' mail servers.
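The trade-off described in the answer can be modeled in a few lines. The following is an added example, not part of the original answer or any mail server's code: it compares the "ndr" and "discard" policies for unknown recipients and measures what each reveals to a sender and where bounces end up. The domains, mailbox names, policy names and reply codes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"corp.example"}   # constructed: domains this gateway accepts mail for
VALID_USERS = {"alice", "bob"}     # constructed: mailboxes that really exist

@dataclass(frozen=True)
class Outcome:
    reply: int              # SMTP reply to RCPT TO (codes are illustrative)
    delivered: bool         # True if the message reaches a mailbox
    ndr_to: Optional[str]   # address a later bounce is sent to, if any

def handle(policy: str, mail_from: str, rcpt_to: str) -> Outcome:
    """Decide what the gateway does with one recipient under 'ndr' or 'discard'."""
    if policy not in ("ndr", "discard"):
        raise ValueError(f"unknown policy: {policy}")
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() not in LOCAL_DOMAINS:
        return Outcome(550, False, None)   # not our domain: relaying refused
    if local.lower() in VALID_USERS:
        return Outcome(250, True, None)    # real mailbox: deliver
    # Unknown local recipient: both policies accept at SMTP time.
    # They differ only in whether a bounce goes to the envelope sender.
    return Outcome(250, False, mail_from if policy == "ndr" else None)

def leaks_valid_users(policy, probes, sender="probe@sender.example"):
    """True if what the sender can observe differs between real and fake recipients."""
    seen = set()
    for rcpt in probes:
        out = handle(policy, sender, rcpt)
        seen.add((out.reply, out.ndr_to is not None))
    return len(seen) > 1

def backscatter(policy, spoofed_from, rcpts):
    """Count bounces per domain of the (possibly spoofed) envelope sender."""
    counts = {}
    for rcpt in rcpts:
        ndr = handle(policy, spoofed_from, rcpt).ndr_to
        if ndr:
            domain = ndr.rpartition("@")[2]
            counts[domain] = counts.get(domain, 0) + 1
    return counts

if __name__ == "__main__":
    probes = ["alice@corp.example", "nobody@corp.example"]
    for policy in ("ndr", "discard"):
        print(policy, leaks_valid_users(policy, probes),
              backscatter(policy, "victim@victim.example", probes))
```

Under "ndr" the two probes are distinguishable and the bounce lands on the spoofed sender's domain; under "discard" neither happens, at the cost of legitimate senders never learning that a mistyped address failed.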

This was first published in February 2007.