2.3.4.7 SMTP Relay
(Page 2 of 2)
What are the Security Implications?
Alas, there's a down side to
SMTP relays, which we hinted at when discussing Email and spam earlier
in this section, due to the way SMTP works. Users connect to SMTP servers
for the purposes of sending email, and then simply start dumping message
data into them, without authenticating themselves to the SMTP server.
Connecting to your ISP's SMTP server is generally the same as
connecting to another; after all, everyone uses the same standard
protocol to send mail. What, then, is to stop a spammer from connecting
to ANY ISP's SMTP server to send mail, as a way of helping obscure
their identity? The answer is, very little, at least in the SMTP protocol
itself.
Although SMTP servers didn't
start out this way, most now provide the administrator with the capability
to block connections from anyone except users who are connecting from
addresses in the SMTP server's Internet domain, as a way of prohibiting
anyone and everyone from using that SMTP server as a way to dump zillions
of spam messages into the Internet. Others add a requirement that the
users authenticate themselves when connecting to the SMTP server.
SMTP relays that do not perform this
connection domain check and do not require authentication are referred
to as "open relays", and numerous administrators regard them
as evil. Some administrators, on a perennial quest to rid their corner
of the Internet of junk mail, maintain "black hole lists"
of sites whose SMTP servers are open relays, and refuse to accept any
email from those domains. This can be a minor nightmare for an administrator
of one of the blocked domains who has a user who needs to send email
to the other domain, and who has fixed the original open relay issue
that landed them on the black hole list to begin with.
Maintainers of these lists tend to be much more enthusiastic about adding
sites to a black hole list than they are about removing repaired sites
from the list.
Open SMTP Relays
SMTP relays that are unprotected, called Open Relays, can be used to send spam.
Spammers and Open Relays
Open relays are so abused by spammers, and getting all those responsible for open relays to close them is so difficult, that some ISPs have tackled the problem closer to the source -- by keeping their users away from any SMTP servers not controlled by the ISP. For instance, Earthlink does not allow users to connect using TCP port 25 (SMTP) to machines outside of the Earthlink network. If you are a telecommuter who needs to be able to contact your employer's SMTP server from home, make sure that the ISP you select allows it.
Closing SMTP Relay Holes
Can you contact any of your organization's email servers from outside your network without authentication? Find out by dialing in to your ISP (not your internal network), setting your email client program's SMTP server address to the IP address of your email server, and trying to send some email. If it succeeds, you should investigate (ASAP) how to restrict your server to accepting connections only from hosts on its network.
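The two restrictions described above (the connection domain check and the authentication requirement), together with the outside-the-network test, can be modeled in a few lines. This is an added example, not part of the original CertiGuide text; the RelayPolicy class, its field names, and all addresses and domains are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RelayPolicy:
    """Hypothetical model of an SMTP server's relay settings (assumption)."""
    local_domains: frozenset       # domains this server delivers mail for
    trusted_networks: tuple = ()   # CIDR blocks of the server's own network;
                                   # empty means no connection check is done
    require_auth: bool = False     # clients must authenticate before relaying

    def decide(self, client_ip, rcpt_to, authenticated=False):
        """Return (accepted, reason) for one recipient from one client."""
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True, "local delivery"   # inbound mail is not relaying
        if self.trusted_networks:
            addr = ipaddress.ip_address(client_ip)
            nets = (ipaddress.ip_network(n) for n in self.trusted_networks)
            if not any(addr in net for net in nets):
                return False, "client outside server's network"
        if self.require_auth and not authenticated:
            return False, "authentication required"
        return True, "relayed"

def is_open_relay(policy, outside_ip="203.0.113.25", rcpt="user@example.net"):
    """Mirror the manual test: an unauthenticated client outside the network
    tries to send mail to a recipient in some other domain."""
    accepted, _ = policy.decide(outside_ip, rcpt, authenticated=False)
    return accepted

# Constructed sample configurations (documentation addresses and domains).
LOCAL = frozenset({"example.org"})
OPEN = RelayPolicy(LOCAL)
NETWORK_ONLY = RelayPolicy(LOCAL, trusted_networks=("192.0.2.0/24",))
AUTH_REQUIRED = RelayPolicy(LOCAL, require_auth=True)

if __name__ == "__main__":
    for name, pol in [("open", OPEN), ("network-only", NETWORK_ONLY),
                      ("auth-required", AUTH_REQUIRED)]:
        print(f"{name:14} open relay: {is_open_relay(pol)}")
```

Note that mail addressed to the server's own domains is accepted from anywhere in all three configurations; only relaying to other domains is restricted.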
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.