Mail Relay Problem


Many versions of the sendmail program and other mail transport agents (MTAs) do not provide sufficient safeguards against mailcious users sending spam mail through a third party computer. Further, the spam mail will often have a forged source address.


Until 1999, most implementations of sendmail and its clones provided little checking of source and destination addresses. For example a user on host A could use the sendmail on Host B sending mail to a user on Host C with a source email address from Host D. In other words, A hacker on would use the sendmail at to send a message 5,000 users with the source address of

Similar problems have been detected with Microsoft Mail and Microsoft Exchange products. However, older Microsoft products report a relay operation when none occurred (false positive).

Some MTA's may time out during SARA testing. In these cases, the MTA must be exercised manually to determine if it is a relay.


Vendor and Web server patches and workarounds to protect against this vulnerability are available. If your vendor does not have an upgrade, current versions of sendmail from In addition, has an execellent tutorial on the subject.