Mail Relay Problem

Impact

Many versions of the sendmail program and other mail transport agents (MTAs) do not provide sufficient safeguards against malicious users sending spam mail through a third-party computer. Further, the spam mail will often have a forged source address.

Background

Until 1999, most implementations of sendmail and its clones provided little checking of source and destination addresses. For example, a user on Host A could use the sendmail on Host B to send mail to a user on Host C with a source email address from Host D. In other words, a hacker on foo.bar.com could use the sendmail at host1.swipnet.se to send a message to 5,000 users with the source address of president@whitehouse.gov.
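The check that was missing in the Host A/B/C/D scenario can be sketched as follows. This is an added example, not code from sendmail or SARA; the local domain list, the trusted network, the client IP addresses and the function names are assumptions made for illustration. It goes slightly beyond the case in the text by also refusing routed recipient addresses (such as user%host@relay), a common way of requesting a relay.

```python
import ipaddress

# Constructed sample policy for "Host B" (assumed values, not from the page).
LOCAL_DOMAINS = {"swipnet.se"}                          # domains Host B accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # Host B's own clients


def split_address(address):
    """Split an envelope address into (local part, domain), or return None."""
    address = address.strip().strip("<>")
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower().rstrip(".")


def is_local_domain(domain):
    """True if the domain, or a parent of it, is one this MTA is final for."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def client_is_trusted(client_ip):
    """True if the connecting IP belongs to a network allowed to relay."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def relay_decision(client_ip, mail_from, rcpt_to):
    """Return (smtp_code, reason) for one RCPT TO command.

    mail_from is deliberately ignored: it is supplied by the client and can
    be forged, so it must never be what grants permission to relay.
    """
    parsed = split_address(rcpt_to)
    if parsed is None:
        return 501, "malformed recipient"
    local, domain = parsed
    if any(c in local for c in "%!@"):
        return 550, "routed recipient address refused"
    if is_local_domain(domain):
        return 250, "recipient is local"
    if client_is_trusted(client_ip):
        return 250, "trusted client may relay"
    return 550, "relaying denied"


if __name__ == "__main__":
    # Host A (constructed IP) asks Host B to deliver to Host C as Host D.
    print(relay_decision("198.51.100.7", "president@whitehouse.gov",
                         "user@hostc.example"))
```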

Similar problems have been detected with Microsoft Mail and Microsoft Exchange products. However, older Microsoft products report a relay operation when none occurred (false positive).

Some MTAs may time out during SARA testing. In these cases, the MTA must be exercised manually to determine if it is a relay.

Resolution

Vendor and Web server patches and workarounds to protect against this vulnerability are available. If your vendor does not have an upgrade, current versions of sendmail are available from sendmail.org. In addition, sendmail.org has an excellent tutorial on the subject.