How does a mail server respond to fake email addresses?

In this SearchSecurity.com Q&A, Ed Skoudis reviews the actions of a mail server when it is presented with a bogus email address.

Ed Skoudis

Counter Hack

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?

What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake? Obviously, if the email...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

address is valid, the mail server should deliver the message (perhaps after applying another layer of antispam detection). But, if the email is destined for a "fake employee," some mail servers will respond with a non-deliverable report (NDR) message. That way, if there was a real sender of the email, he or she could be informed that the message was rejected.

Other mail servers do not respond with an NDR message, and instead simply accept the email to the bogus address and silently discard it. The reason that some mail servers eschew NDRs (as the one you describe in your question does) is because their owners do not want a spammer to be able to try thousands of usernames and harvest valid ones. With NDRs, the attackers can differentiate valid from invalid addresses because the invalid ones will trigger an NDR, while the valid ones won't.

Whether or not to send NDRs is a point of some controversy. While they can offer a desirable business function (allowing legitimate senders to know that their messages weren't received), they also can help spammers. If a spammer spoofs a source email address, the NDRs will be directed to the victim's organization and domain. Thus, if a mail server is configured to send NDRs, a spammer could turn this functionality into a denial-of-service NDR flood against other organizations' mail servers.

More information:

Find out if email header information can be used to track down spoofers.

See how well the CAN-SPAM Act is stopping spam.

This was last published in February 2007

Dig Deeper on Email and Messaging Threats-Information Security Threats

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Related Resources

Dig Deeper on Email and Messaging Threats-Information Security Threats

Related Q&A from Ed Skoudis

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.