Open Mail Relay Abuse
Early mail servers forwarded email for anyone; spammers and attackers exploited this for anonymous mass mailing until blacklists forced servers to close relays.
Timeline: The Cat and Mouse
1982 → Attack emerges → 1997 → Industry responds → 2004 → Attackers adapt → Dead
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| DESIGN | 1982 | SMTP designed for trusted network; open relaying is default behavior |
| ATTACK | 1994 | Spammers discover open relays; anonymous mass mailing begins |
|  | 1996 | Open relay abuse reaches epidemic proportions |
| RESPONSE | 1997 | MAPS RBL created - first major DNS blacklist |
|  | 2000 | All major MTAs ship relay-closed by default (Sendmail had since 8.9 in 1998; Postfix never relayed for non-local clients) |
| Â | 2004 | ISPs block residential port 25 |
| DEAD | 2005+ | Open relays nearly extinct; instantly blacklisted when found |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 1982 | SMTP standardized | RFC 821 assumes cooperative network; no access controls | RFC 821 |
| 1994 | Spam explosion begins | Canter & Siegel "Green Card" spam; commercial spam emerges | Wikipedia |
| 1997 | MAPS RBL launched | First DNS-based blacklist; Paul Vixie | MAPS History |
| 1999 | RFC 2505 published | Anti-Spam Recommendations for SMTP MTAs (BCP 30); calls for MTAs to refuse unauthorized relaying | RFC 2505 |
| 2000 | Default configs change | Major MTAs ship relay-closed by default (Sendmail had since 8.9 in 1998) | Sendmail |
| 2004 | ISP port 25 blocking | Residential ISPs block direct SMTP | MAAWG |
Overview
In SMTP's original design, any mail server would forward (relay) messages from any sender to any recipient. This was intentional: email was a cooperative system on a trusted network. Spammers discovered they could push their mail through any server on the internet, and because the relay's address, not the spammer's, was what recipients saw and blocked, the origin was nearly impossible to trace or block.
The Attack
How SMTP Relaying Worked
Original SMTP servers accepted mail from anyone and forwarded it anywhere:
Spammer → Random Server (open relay) → Victim
                    ↓
      "Sure, I'll forward that for you!"
The relay's IP address was what the victim's mail server saw connecting and what appeared in the topmost Received: header, so the relay, not the spammer's actual infrastructure, looked like the sender; the earlier Received: lines that named the spammer's host could simply be forged.
Why Attackers Loved Open Relays
Anonymity:
- Spam appeared to come from the relay, not the attacker
- Difficult to trace back to origin
- Complaints went to innocent relay operators
Free Infrastructure:
- No need to maintain mail servers
- Sending capacity bounded only by the relay's bandwidth and queue
- Someone else paid for bandwidth
Distributed Sending:
- Use thousands of relays simultaneously
- No single point of failure
- Bypass primitive IP-based blocking
The Scale of Abuse
By the mid-1990s:
- Majority of spam sent through open relays
- Some servers relayed millions of messages per day
- University and corporate servers were prime targets
- Relay operators faced abuse complaints and blacklisting
Attack Pattern
1. Scan internet for SMTP servers (port 25)
2. Test each server with a relay attempt from one outside domain to another (nothing is sent; the probe stops before DATA):
HELO test.com
MAIL FROM: <spammer@fake.com>
RCPT TO: <victim@target.com>
If the server answers 250 to that RCPT TO for a domain it does not host, it will relay for anyone: it's an open relay
3. Queue millions of messages through relay
4. Move to next relay when current one gets blacklisted
How Defenses Emerged
MAPS RBL (1997)
The Mail Abuse Prevention System Realtime Blackhole List was revolutionary:
- Maintained list of known spam sources and open relays
- Distributed via DNS queries
- Mail servers could check sender IP in real-time
- Listed IPs had mail rejected globally
Impact: Suddenly, being an open relay meant your server couldn't send mail to major destinations.
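The lookup a receiving mail server performs against an RBL, as an added example written for this page (not code from MAPS or from the original text). It builds the reversed-octet query name, interprets the answer by the 127.0.0.0/8 convention later written down in RFC 5782, and consults several zones in order the way a relay did at connection time. The system resolver is used when no resolver is passed; the FAKE_DNS table, the dnsbl.example and other.example zones and their answers are constructed so the script runs offline. zen.spamhaus.org is a real zone and is used here only as a name.

```python
"""
DNSBL lookup as the MAPS RBL popularised it (added example, not from the
original page). Reverse the octets of the connecting IP, append the list's
zone, do an ordinary A lookup: an answer in 127.0.0.0/8 means "listed",
NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Optional

# Real zone name used only for illustration; every DNSBL works the same way.
DEFAULT_ZONE = "zen.spamhaus.org"


def dnsbl_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the query name: reversed dotted quad, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(answer: Optional[str]) -> bool:
    """True only if the A record means 'listed'.

    DNSBLs answer inside 127.0.0.0/8. NXDOMAIN (passed as None) is "not
    listed". An answer outside 127/8 usually comes from a wildcarding
    resolver or a dead list, so it is deliberately NOT treated as a listing.
    """
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def lookup(ip: str, zone: str = DEFAULT_ZONE,
           resolver: Optional[Callable[[str], Optional[str]]] = None) -> bool:
    """Check one IP against one zone.

    `resolver` maps a query name to an A record string, or None for
    NXDOMAIN; by default the system resolver is used.
    """
    name = dnsbl_name(ip, zone)
    if resolver is None:
        def resolver(qname: str) -> Optional[str]:
            try:
                return socket.gethostbyname(qname)
            except socket.gaierror:
                return None
    return interpret_answer(resolver(name))


def smtp_decision(client_ip: str, zones, resolver=None):
    """The check a relay made when a client connected: consult each zone in
    order and return (reject?, first zone that lists the client or None)."""
    for zone in zones:
        if lookup(client_ip, zone, resolver):
            return True, zone
    return False, None


# Constructed sample data: a dict standing in for DNS (hypothetical zones).
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",  # 127.0.0.2 is the conventional "always listed" test address
    "10.2.0.192.dnsbl.example": "127.0.0.3",    # constructed listing in a hypothetical zone
    "10.2.0.192.other.example": "10.1.1.1",     # wildcarding resolver: not a valid listing
}

if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "dnsbl.example", "other.example"]
    for ip in ("127.0.0.2", "192.0.2.10", "198.51.100.7"):
        reject, zone = smtp_decision(ip, zones, FAKE_DNS.get)
        print(f"{ip}: {'reject (' + zone + ')' if reject else 'accept'}")
```

Drop the resolver argument to query real DNS; lookup("127.0.0.2") should then come back listed from any live DNSBL, which is the standard way to confirm the list is alive before trusting "not listed" answers. The example is IPv4 only: IPv6 lookups reverse the address nibble by nibble (RFC 5782), not the dotted quad.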
The Closing of the Relays
Administrators faced a choice:
- Close the relay and keep working email
- Stay open and get blacklisted
Most chose to close. Configuration guides changed, and from sendmail 8.9 (1998) open relaying was no longer the default; a site that wanted the old behaviour had to ask for it explicitly:
Sendmail (before, or 8.9+ with relaying deliberately reopened):
# Relay for anyone: restores the pre-8.9 behaviour
FEATURE(`promiscuous_relay')
Sendmail (after):
# Relay only for hosts and domains granted RELAY in the access map
FEATURE(`access_db')
Default Configurations Changed
By 2000, major mail servers shipped with relaying disabled:
- Sendmail (8.9 and later) refused relaying unless a host or domain was explicitly granted it in the access map
- Postfix relayed only for clients in mynetworks (by default the local host, or the local subnet in older releases) and only to its own domains; everything else was stopped by reject_unauth_destination. The loopback-only setting looks like:
mynetworks = 127.0.0.0/8
- Microsoft Exchange: relay restrictions enabled
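The Postfix setting as it was commonly got wrong beside the hardened form, as an added example for this page (not taken from the Postfix documentation or the original text). The office subnet 203.0.113.0/24 is a placeholder; smtpd_relay_restrictions exists from Postfix 2.10, older releases carry the same three entries in smtpd_recipient_restrictions.

```ini
# main.cf, relay-prone: "trusted networks" set to the whole internet, so
# permit_mynetworks matches every client and the server is an open relay.
mynetworks = 0.0.0.0/0

# main.cf, hardened: trust only loopback and one internal subnet (placeholder),
# and state the relay policy explicitly. reject_unauth_destination is the
# rule that refuses mail for domains this server neither hosts nor relays for.
mynetworks = 127.0.0.0/8 [::1]/128 203.0.113.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

On a running system, postconf -n shows only the settings that differ from the compiled-in defaults, so a relay-wide mynetworks stands out immediately; postconf mynetworks smtpd_relay_restrictions prints the effective values whether or not they were set explicitly.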
ISP Port 25 Blocking
Residential ISPs began blocking outbound port 25:
- Prevented home computers from sending directly to arbitrary mail servers
- Forced users through ISP mail servers
- ISP servers had accountability and spam filtering
- Legitimate mail clients moved to the message submission port, 587 (RFC 2476, now RFC 6409), where SMTP authentication is expected
Attacker Adaptation
With open relays dying, spammers pivoted:
Botnets
Compromise thousands of home computers, each sends small amounts:
- Distributed across many IPs
- Residential IPs, not obviously "spammy"
- No single relay to blacklist
Compromised Accounts
Steal credentials for legitimate email services:
- Send through Gmail, Outlook, etc.
- Inherit the provider's reputation
- Harder to block without blocking provider
Bulletproof Hosting
Set up infrastructure in jurisdictions that ignore abuse:
- Dedicated spam servers
- Accept being blacklisted in some regions
- Rotate IPs constantly
Current State
Status: Dead
True open relays are nearly extinct:
- Instantly detected and blacklisted
- Configuration tools prevent accidental open relays
- No legitimate reason to run one
Misconfigured servers occasionally appear but are short-lived.
Detection Guidance
Testing Your Own Servers
Check if your server is an open relay:
telnet mail.yourdomain.com 25
HELO test
MAIL FROM: <test@external.com>
RCPT TO: <test@other-external.com>
RSET
QUIT
Both addresses must be outside the domains your server hosts, so a 250 to the RCPT TO means external-to-external relaying: you have a problem. Send RSET and QUIT after the check so nothing is queued. A few MTAs accept every RCPT TO and reject only at the end of DATA; if you need certainty, run the full transaction against your own server with a harmless body and confirm the message is never delivered.
Online Tools
- MXToolbox Open Relay Test
- mail-tester.com
- multirbl.valli.org
Historical Significance
Open relay abuse drove the development of:
- DNS-based blacklists (RBLs/DNSBLs)
- SMTP authentication requirements
- Modern email reputation systems
- The entire anti-spam industry
The cat-and-mouse of spam and anti-spam began here.
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| MAPS RBL (Realtime Blackhole List) | 1997 | First major DNS-based blacklist; mail from listed IPs rejected |
| Closed Relay Default Configs | 1998-2000 | Sendmail 8.9 (1998) refuses relaying by default; Postfix never relayed for non-local clients; by 2000 all major MTAs ship relay-closed |
| ISP Port 25 Blocking | 2004 | Residential ISPs block outbound port 25; forces use of ISP mail servers |