Using ORF to Pass MAPS Open Relay Test

Open relay servers

Badly configured email servers will forward emails not only to their organisation but to anyone—this behaviour is called "open relay". Spammers tend to use these servers to hide their origin to make their identication harder. There are a number of sites that check your server for open relays.

You can access a test at http://www.abuse.net/relay.html. There is a MS KB article about testing your server with Telnet: http://support.microsoft.com/?kbid=324958

Some of the tests include "tricky" smtp addresses like relaytest%[email protected] to make the server relay the email. Exchange will not deliver these mails but seem to accept them thus some of the automated test engines might list the site as "open relay". I have to note that this behaviour is in compliance with the RFCs.

Securing Exchange

ORF can be used to prevent accepting mails addressed to these addresses. Using the regular expression support introduced in version 1.2, you are able to block addresses like these (abuse.net uses these in the RCPT TO: smtp command to send email to):

• relaytest%[email protected]
• relaytest%abuse.net@[dotted.ip.adress]
• "[email protected]"
• "relaytest%abuse.net"
• [email protected]@domain.com
• "[email protected]"@domain.com
• [email protected]@[dotted.ip.adress]
• @domain.com:[email protected]
• @[dotted.ip.adress]:[email protected]
• abuse.net!relaytest
• [email protected]
• abuse.net!relaytest@[dotted.ip.adress]

Add the following regular expressions to the Recipient Blacklist of ORF:

Summary

Exchange 2000 does not allow relaying messages by default and it is RFC compliant. It does seem to accept messages for relaying, however. ORF can be used to change this behaviour and to refuse accepting these messages. After applying these modifications Exchange is able to pass the MAPS open relay test and, in all likelyhood, defeat actual attempts by spammers as well.

Thanks for Matthew J. Allison (Senior IT Architext, Experian) for the original idea.