Some open relay tests

An "open relay" is a server that allows third parties (non-customers) to send mail to other third parties. In other words, an open relay mail server processes a mail message where neither the sender nor the recipient is a local user.

Spammers use several techniques to get other people's mail servers to send their mail. (The spammer's goal is to send to outside addresses, not just to local accounts.) The following are some of the techniques used to try to get a mail server to relay mail. (Other techniques include abusing form-to-mail CGIs on web servers.)

Standard relay

mail from: <nobody@third-party.bar>
rcpt to: <nobody@third-party.bar>

?

mail from: <test@maps1.pa.vix.com>
rcpt to: <nobody@third-party.bar>

Sender's domain is localhost

mail from: <test@localhost>
rcpt to: <nobody@third-party.bar>

Sender address without domain (a local user)

mail from: <test>

Sender address is null (like from Mailer-Daemon)

mail from: <>
rcpt to: <nobody@third-party.bar>

Sender address uses local hostname

mail from: <test@your.local.foo>
rcpt to: <nobody@third-party.bar>

Sender address using literal domain address (of local host)

mail from: <test@[209.166.74.74]>
rcpt to: <nobody@third-party.bar>

Sender address uses local hostname and recipient uses percent hack

mail from: <test@your.local.foo>
rcpt to: <nobody%third-party.bar@your.local.foo>

Sender address uses local hostname and recipient uses percent hack with domain literal

mail from: <test@your.local.foo>
rcpt to: <nobody%third-party.bar@[209.166.74.74]>

Quoted

mail from: <test@your.local.foo>
rcpt to: <"nobody@third-party.bar">

Quoted string and percent hack

mail from: <test@your.local.foo>
rcpt to: <"nobody%third-party.bar">

Quoted string and percent hack and domain literal

"x@y"[IP]

Arbitrary non-local, source-routed destinations

RCPT TO:<test@some.other.site@some.site> 

?

mail from: <test@[209.166.74.74]>
rcpt to: <nobody@third-party.bar@your.local.foo">

?

mail from: <test@your.local.foo>
rcpt to: <"nobody@third-party.bar"@[209.166.74.74]>

?

mail from: <test@your.local.foo>
rcpt to: <nobody@third-party.bar@[209.166.74.74]>

Sender uses domain literal and recipient uses source routing

mail from: <test@[209.166.74.74]>
rcpt to: <@your.local.foo:nobody@third-party.bar>

Sender uses local domain and recipient uses source routing with a domain literal

mail from: <test@your.local.foo>
rcpt to: <@[209.166.74.74]:nobody@third-party.bar>

Recipient address uses UUCP-like destination ("bang path")

mail from: <test@[209.166.74.74]>
rcpt to: <third-party.bar!nobody>

?

mail from: <test@your.local.foo>
rcpt to: <third-party.bar!nobody@[209.166.74.74]>

Sender is a known local user on the local host (some mail servers are configured to always allow mail from "postmaster")

mail from: <postmaster@your.local.foo>
rcpt to: <nobody@third-party.bar>
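
A server-side view of the tests above, as an added example that is not part of the original page: a recipient check that refuses each address form listed here when the client is an unauthenticated outside host. The function name, the reject strings and the local identity (your.local.foo, [209.166.74.74], taken from the placeholders above) are assumptions. Refusing "%" and "!" in local parts is a conservative policy choice.

```python
# Assumed local identity: the placeholder names used in the tests on this page.
LOCAL_DOMAINS = {"your.local.foo", "localhost"}
LOCAL_LITERALS = {"[209.166.74.74]"}

def classify_rcpt(path):
    """Classify a RCPT TO path from an unauthenticated outside client.

    Returns "local" when the address can only mean local delivery, otherwise
    "reject: <reason>". MAIL FROM is deliberately not an input: the sender
    address is client-supplied and must never grant relay rights.
    """
    addr = path.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if not addr:
        return "reject: empty path"
    if addr.startswith("@"):
        return "reject: source route"
    if addr.startswith('"'):
        # Quoted local part: take the text between the quotes literally.
        end = addr.find('"', 1)
        rest = addr[end + 1:] if end != -1 else None
        if rest is None or (rest and not rest.startswith("@")):
            return "reject: malformed quoting"
        local, domain = addr[1:end], rest[1:]
    elif '"' in addr:
        return "reject: malformed quoting"
    elif "@" in addr:
        # Split on the LAST "@" so extra "@"s stay visible in the local part.
        local, _, domain = addr.rpartition("@")
    else:
        local, domain = addr, ""  # bare local user, e.g. <test>
    # Routing characters in the local part would be re-interpreted after the
    # local domain is stripped, so refuse them (a conservative policy choice).
    for char, reason in (("@", "embedded @"), ("%", "percent hack"), ("!", "bang path")):
        if char in local:
            return "reject: " + reason
    if domain == "" or domain.lower() in LOCAL_DOMAINS or domain in LOCAL_LITERALS:
        return "local"
    return "reject: relay to non-local domain"
```
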

Definitions

domain literal: IP address within brackets; bypasses normal DNS lookups.

Last updated: Thu Apr 4 16:57:58 PST 2002