220.127.116.11 SMTP Relay
(Page 2 of 2)
What are the Security Implications?
Alas, theres a down side to SMTP relays, which we hinted at when discussing Email and spam earlier in this section, due to the way SMTP works. Users connect to SMTP servers for the purposes of sending email, and then simply start dumping message data into them, without authenticating themselves to the SMTP server. Connecting to your ISPs SMTP server is generally the same as connecting to another after all, everyone uses the same standard protocol to send mail. What, then is to stop a spammer from connecting to ANY ISPs SMTP server to send mail, as a way of helping obscure their identity? The answer is, very little, at least in the SMTP protocol itself.
Although SMTP servers didnt start out this way, most now provide the administrator with the capability to block connections from anyone except users who are connecting from addresses in the SMTP servers Internet domain, as a way of prohibiting anyone and everyone from using that SMTP server as a way to dump zillions of spam messages into the Internet. Others add a requirement that the users authenticate themselves when connecting to the SMTP server.
SMTP relays that do not perform this connection domain check and do not require authentication are referred to as open relays, and numerous administrators regard them as evil. Some administrators, on a perennial quest to rid their corner of the Internet of junk mail, maintain black hole lists of sites whose SMTP servers are open relays, and refuse to accept any email from those domains. This can be a minor nightmare for an administrator of one of the blocked domains who has a user who needs to send email to the other domain, and who has fixed the original open relay issue that landed them on the black hole list to begin with. Maintainers of these lists tend to be much more enthusiastic about adding sites to a black hole list, than they are about removing repaired sites from the list.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.