Detecting open relays

Open relays are insecure mail servers that allow third-party domains to send mail through them without authorization. They are abused by spammers and phishers, and they present a serious risk to organizations because public spam blacklists may list them, which affects the entire organization, since it depends on its e-mails reaching their destination.

This recipe shows how to detect open relays by using Nmap.

How to do it...

Open your terminal and enter the following command:

$ nmap -sV --script smtp-open-relay -v <target>

The output shows how many of the tests passed and, because verbose mode is on, the command combination that relayed successfully:

Host script results:
| smtp-open-relay: Server is an open relay (1/16 tests)
|_MAIL FROM:<[email protected]> -> RCPT TO:<[email protected]>

How it works...

The script smtp-open-relay was submitted by Arturo 'Buanzo' Busleiman, and it attempts 16 different tests to determine if an SMTP server allows open relaying. If verbose mode is on, it also returns the commands that successfully relayed e-mails.

The command combination is hardcoded in the script and the tests consist of different string formats for the destination and source address:

MAIL FROM:<[email protected]>
250 Address Ok.
RCPT TO:<[email protected]>
250 [email protected] OK

If a 503 response is received, the script exits, because this means that this server is protected by authentication and is not an open relay.

The script smtp-open-relay executes if ports 25, 465, and 587 are open, or if the services smtp, smtps, or submission are found in the target host (-sV --script smtp-open-relay).
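The exchange the recipe describes, as an added example that is not code from the book or from the Nmap script: a client runs MAIL FROM / RCPT TO pairs against a constructed fake SMTP server on loopback, records the pairs answered with 250 on RCPT TO, and stops on a 503 as the script does. The 'open', 'closed' and 'auth' server policies, the example.org domain and the test addresses are all constructed for the example.

```python
import smtplib
import socket
import threading

def fake_smtp_server(listener, policy):
    """Constructed server: 'open' relays for anyone, 'closed' delivers only to example.org, 'auth' answers 503 to MAIL FROM."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mail.example.org ESMTP\r\n")
    for raw in rfile:
        line = raw.decode().strip()
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 mail.example.org\r\n")
        elif verb == "MAIL":
            conn.sendall(b"503 Authentication required\r\n" if policy == "auth"
                         else b"250 Address Ok.\r\n")
        elif verb == "RCPT":
            rcpt = line.split("<")[1].rstrip(">")
            ok = policy == "open" or rcpt.endswith("@example.org")
            conn.sendall(b"250 OK\r\n" if ok else b"554 Relay access denied\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")  # client closes next; loop ends on EOF
        else:  # RSET, NOOP and anything else
            conn.sendall(b"250 OK\r\n")
    conn.close()

def relay_test(host, port, tests):
    """Return the (MAIL FROM, RCPT TO) pairs the server accepted, or None on a 503 (authentication required, not an open relay)."""
    accepted = []
    with smtplib.SMTP(host, port, local_hostname="scanner.test", timeout=5) as smtp:
        smtp.ehlo()
        for mail_from, rcpt_to in tests:
            code, _ = smtp.mail(mail_from)
            if code == 503:
                return None
            if code == 250 and smtp.rcpt(rcpt_to)[0] == 250:
                accepted.append((mail_from, rcpt_to))
            smtp.rset()  # clean envelope before the next combination
    return accepted

def run_check(policy, tests):
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=fake_smtp_server, args=(listener, policy), daemon=True).start()
    result = relay_test("127.0.0.1", listener.getsockname()[1], tests)
    listener.close()
    return result

# Constructed pairs: foreign -> foreign is the relay case; foreign -> local is normal inbound delivery.
TESTS = [("antispam@remote.test", "relaytest@remote.test"),
         ("antispam@remote.test", "postmaster@example.org")]
```

Running `run_check("open", TESTS)` returns both pairs, `run_check("closed", TESTS)` only the local-delivery pair, and `run_check("auth", TESTS)` None.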

There's more...

You can use an alternate IP address or domain name in the tests by setting the script arguments smtp-open-relay.ip and smtp-open-relay.domain:

$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.ip=<ip> <target>
$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.domain=<domain> <target>

To choose the destination and source e-mail addresses used in the tests, set the script arguments smtp-open-relay.to and smtp-open-relay.from, respectively:

$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.to=<Destination email address>,smtp-open-relay.from=<Source email address> <target>

Debugging NSE scripts

If something unexpected happens when you run any of the NSE scripts, turn on debugging to get additional information. Nmap uses the flag -d for debugging and you can set any integer between 0 and 9:

$ nmap -p80 --script http-google-email -d4 <target>

See also

  • The Discovering valid e-mail accounts using Google Search recipe
  • The Enumerating users in an SMTP server recipe
  • The Detecting backdoor SMTP servers recipe
  • The Retrieving the capabilities of an IMAP mail server recipe
  • The Retrieving the capabilities of a POP3 mail server recipe
  • The Detecting vulnerable Exim SMTP servers version 4.70 through 4.75 recipe