Open relays are insecure mail servers that allow third-party domains to use them without authorization. Spammers and phishers abuse them, and they present a serious risk to organizations: public spam blacklists may list them, which affects the entire organization if it depends on its e-mail reaching its destination.
This recipe shows how to detect open relays by using Nmap.
Open your terminal and enter the following command:
$ nmap -sV --script smtp-open-relay -v <target>
The output returns the number of tests that passed, and the command combination used:
Host script results:
| smtp-open-relay: Server is an open relay (1/16 tests)
|_MAIL FROM:<[email protected]> -> RCPT TO:<[email protected]>
The script smtp-open-relay was submitted by Arturo 'Buanzo' Busleiman, and it attempts 16 different tests to determine if an SMTP server allows open relaying. If verbose mode is on, it also returns the commands that successfully relayed e-mails.
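When auditing several of your own mail servers, the result lines shown above can be pulled out of saved Nmap output automatically. The following is an added example, not part of the original recipe or of Nmap: the function name, host names, and addresses are hypothetical, the sample output is constructed, and the wording of the non-relay line for the second host is an assumption that the parser does not depend on.

```python
import re

# Constructed sample of saved Nmap normal output (not a real scan).
SAMPLE = """\
Nmap scan report for mail1.example.test (192.0.2.10)
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
| smtp-open-relay: Server is an open relay (2/16 tests)
|  MAIL FROM:<> -> RCPT TO:<relaytest@example.test>
|_ MAIL FROM:<sender@example.test> -> RCPT TO:<relaytest@example.test>

Nmap scan report for mail2.example.test (192.0.2.11)
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
"""

REPORT_RE = re.compile(r"^Nmap scan report for (.+)$")
RELAY_RE = re.compile(r"smtp-open-relay: Server is an open relay \((\d+)/(\d+) tests\)")
COMBO_RE = re.compile(r"^\|[_ ]\s*(MAIL FROM:.*)$")

def find_open_relays(nmap_output):
    """Return one finding per host that the script reported as an open relay."""
    findings, host, current = [], None, None
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line)
        if m:  # a new host section starts
            host, current = m.group(1), None
            continue
        m = RELAY_RE.search(line)
        if m:  # the script's positive verdict with the passed/total count
            current = {"host": host, "passed": int(m.group(1)),
                       "total": int(m.group(2)), "combos": []}
            findings.append(current)
            continue
        m = COMBO_RE.match(line.strip())
        if current is not None and m:
            # verbose mode: the command combination that relayed
            current["combos"].append(m.group(1).strip())
        elif not line.startswith("|"):
            current = None  # left the script's output block
    return findings

if __name__ == "__main__":
    for f in find_open_relays(SAMPLE):
        print(f"{f['host']}: open relay, {f['passed']}/{f['total']} tests")
        for combo in f["combos"]:
            print("   ", combo)
```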
The command combination is hardcoded in the script and the tests consist of different string formats for the destination and source address:
MAIL FROM:<[email protected]>
250 Address Ok.
RCPT TO:<[email protected]>
250 [email protected] OK
If a 503 response is received, the script exits, because this means that this server is protected by authentication and is not an open relay.
The script smtp-open-relay executes if ports 25, 465, and 587 are open, or if the services smtp, smtps, or submission are found in the target host (-sV --script smtp-open-relay).
You can specify an alternate IP address or domain name by specifying the script arguments smtp-open-relay.ip and smtp-open-relay.domain:
$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.ip=<ip> <target>
$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.domain=<domain> <target>
Specify the destination and source e-mail addresses used in the tests with the script arguments smtp-open-relay.to and smtp-open-relay.from, respectively:
$ nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.to=<Destination email address>,smtp-open-relay.from=<Source email address> <target>