Exploiting SMTP Open Relays – When Mail Servers Become Attack Vectors

Introduction

In penetration testing, some of the most overlooked yet dangerous vulnerabilities come from misconfigured mail servers. Specifically, an SMTP open relay allows unauthorized users to send emails as anyone—a perfect recipe for phishing, social engineering, and spoofing attacks. Let’s explore how attackers exploit this misconfiguration and how organizations can defend against it.


The Basics of SMTP Open Relays

SMTP (Simple Mail Transfer Protocol) is the standard protocol for sending emails. However, a mail server should only relay messages from authorized senders. An open relay is a misconfigured SMTP server that allows anyone to send emails, effectively letting attackers impersonate legitimate users.

[ Attacker ] --> [ Open SMTP Relay ] --> [ Victim Receives Spoofed Email ]

🔥 Why is this dangerous?

✅ Email Spoofing: Attackers can send emails that appear to come from trusted sources.
✅ Bypassing Spam Filters: Since the email originates from a legitimate domain, it may evade security measures.
✅ Phishing Attacks: Hackers can craft highly convincing fake emails.
✅ Spreading Malware & Ransomware: Victims may download malicious payloads.


Real-World Attack Scenario

💀 Target: A financial institution’s SMTP relay

During a penetration test, we discovered that an organisation’s SMTP server allowed unauthenticated mail relays. Using this misconfiguration, we:

1️⃣ Spoofed emails from security@organisation.com and sent them to employees.
2️⃣ Created a phishing campaign that instructed users to reset their VPN credentials.
3️⃣ Harvested multiple valid credentials, leading to lateral movement within the network.

🚨 Impact: This attack could have been used for internal fraud, account takeovers, or ransomware deployment.

[ Attacker ] --> [ SMTP Open Relay ] --> [ Employee Receives Phishing Email ]
    |                                                  |
    |                                                  v
    |-----> [ Employee Clicks Malicious Link ] --> [ Credentials Stolen ]

Exploiting an Open Relay

Once an SMTP open relay is found, testing it is straightforward using swaks:

swaks --to victim@target.com --from ceo@target.com --server mail.target.com

If the email is delivered successfully without authentication, the mail server is an open relay.

Another method is using telnet:

telnet mail.target.com 25
HELO attacker.com
MAIL FROM:<ceo@target.com>
RCPT TO:<victim@target.com>
DATA
Subject: Urgent Security Update

Please reset your password at http://fake-reset.com
.
QUIT

If the email is relayed successfully, the vulnerability is confirmed.

[ Attacker ] --> [ Open SMTP Relay ] --> [ Victim's Inbox ]
    |
    v
[ Email Appears to be from CEO ]
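The dialogue above, replayed against a toy SMTP server, as an added example that is not part of the original post. The `may_relay` policy applies the same checks, in the same order, as the Postfix restriction list `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`; the server name, trusted networks, local domain and client addresses are constructed. One caveat the example makes visible: a relay test needs a recipient outside the server's own domains, because mail to `victim@target.com` at `mail.target.com` is ordinary inbound delivery and is accepted by a correctly configured server too.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy data for the toy server (not from the post):
LOCAL_DOMAINS = {"target.com"}                     # domains this server accepts mail FOR
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("10.0.0.0/8")]   # equivalent of Postfix "mynetworks"


def may_relay(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """Relay decision in the same order as Postfix's
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRUSTED_NETWORKS):
        return True                                  # internal client: may relay anywhere
    if authenticated:
        return True                                  # SASL-authenticated user: may relay anywhere
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return domain in LOCAL_DOMAINS                   # strangers may only deliver TO us


def _addr(arg: str) -> str:
    """'FROM:<a@b>' or 'TO: a@b' -> 'a@b' (brackets optional, as most MTAs allow)."""
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


@dataclass
class SmtpSession:
    """Minimal server-side SMTP state machine; open_relay=True models the misconfiguration."""
    client_ip: str
    open_relay: bool = False
    authenticated: bool = False
    rcpts: list = field(default_factory=list)
    in_data: bool = False

    def handle(self, line: str) -> str:
        """Return the server's reply to one client line."""
        if self.in_data:                             # message body until a lone "."
            if line == ".":
                self.in_data = False
                return "250 2.0.0 Ok: queued"
            return ""                                # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 mail.target.com Hello {arg.strip()}"
        if verb == "MAIL":
            self.rcpts.clear()
            return "250 2.1.0 Ok"                    # SMTP itself never verifies the envelope sender
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.open_relay or may_relay(self.client_ip, self.authenticated, rcpt):
                self.rcpts.append(rcpt)
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"   # the reply a hardened server gives
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def relay_probe(session: SmtpSession, rcpt: str) -> list:
    """Replay a dialogue like the telnet one above; returns (client line, server reply) pairs."""
    script = ["HELO probe.example", "MAIL FROM:<audit@example.net>", f"RCPT TO:<{rcpt}>",
              "DATA", "Subject: relay audit", "", "Constructed audit message.", ".", "QUIT"]
    return [(line, session.handle(line)) for line in script]


def accepted_relay(exchange: list) -> bool:
    """True when the server queued the message, i.e. the final '.' was answered 250."""
    return any(line == "." and reply.startswith("250") for line, reply in exchange)


if __name__ == "__main__":
    external = "203.0.113.5"                         # constructed Internet client address
    for label, srv in [("open relay", SmtpSession(external, open_relay=True)),
                       ("hardened  ", SmtpSession(external))]:
        exchange = relay_probe(srv, "victim@example.org")
        print(f"{label}: relayed={accepted_relay(exchange)}")
        for client_line, reply in exchange:
            print(f"  C: {client_line!r:40} S: {reply}")
```

Against the open-relay server the external recipient is accepted and the final `.` is answered `250 ... queued`; against the hardened server `RCPT TO` gets `554 5.7.1 Relay access denied`, and `DATA` is refused because no recipient was accepted. The same hardened server still takes `victim@target.com`, and still relays for a client in a trusted network or one that authenticated, which is exactly what an audit should expect to see.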

Defending Against SMTP Open Relays

🔒 Best Practices:

✔️ Restrict Relaying: Ensure that only authenticated users can send emails.
✔️ Implement SPF, DKIM, and DMARC: Prevent spoofed emails from passing security checks.
✔️ Monitor and Log SMTP Traffic: Look for unusual spikes in outgoing emails.
✔️ Test Your Mail Server: Use swaks or smtpdiag to check for unauthorized relays.
✔️ Block External SMTP Traffic on Firewalls: Unless necessary, prevent outbound traffic on port 25.

[ SMTP Server with Authentication ] --> [ Only Authorized Emails Allowed ]
    |
    v
[ Attacker's Spoofed Email Rejected ]
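For the "monitor and log SMTP traffic" practice, here is an added example (not from the post) of two detections run over constructed Postfix-style log lines: repeated `Relay access denied` rejections from one client address, which is what a relay probe looks like on a correctly configured server, and a sender whose queued recipient count jumps far above the others, which is the outgoing spike that an abused account or an actual open relay produces. The log lines, host names, addresses and thresholds are all constructed.

```python
import re
from collections import Counter

# Constructed Postfix-style log excerpt (not real data): three relay attempts from one
# client, one stray rejection from another, and queued outbound mail from two local users.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<ceo@target.com> to=<victim@example.org> proto=SMTP helo=<attacker.com>
Mar  3 10:15:02 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim2@example.org>: Relay access denied; from=<ceo@target.com> to=<victim2@example.org> proto=SMTP helo=<attacker.com>
Mar  3 10:15:03 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim3@example.org>: Relay access denied; from=<ceo@target.com> to=<victim3@example.org> proto=SMTP helo=<attacker.com>
Mar  3 10:16:10 mail postfix/smtpd[2205]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.7]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@partner.example> to=<x@example.org> proto=ESMTP helo=<mx.partner.example>
Mar  3 10:20:00 mail postfix/qmgr[1102]: 4A1B2C3D4E: from=<alice@target.com>, size=2048, nrcpt=1 (queue active)
Mar  3 10:21:00 mail postfix/qmgr[1102]: 4A1B2C3D4F: from=<alice@target.com>, size=1980, nrcpt=1 (queue active)
Mar  3 10:22:00 mail postfix/qmgr[1102]: 4A1B2C3D50: from=<bob@target.com>, size=5120, nrcpt=40 (queue active)
Mar  3 10:22:05 mail postfix/qmgr[1102]: 4A1B2C3D51: from=<bob@target.com>, size=5120, nrcpt=35 (queue active)
"""

# smtpd rejection of an unauthorised relay attempt (reject_unauth_destination)
RELAY_DENIED = re.compile(
    r"RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: 554 .*?Relay access denied; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

# qmgr line for a message accepted into the active queue, with its recipient count
QUEUED = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+) \(queue active\)")


def relay_denials(log: str) -> Counter:
    """Count 'Relay access denied' rejections per client IP."""
    hits = Counter()
    for line in log.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def relay_probe_sources(log: str, threshold: int = 3) -> dict:
    """Client IPs with at least `threshold` relay rejections: likely open-relay probing."""
    return {ip: n for ip, n in relay_denials(log).items() if n >= threshold}


def recipients_per_sender(log: str) -> Counter:
    """Sum nrcpt over queued messages, per envelope sender."""
    totals = Counter()
    for line in log.splitlines():
        m = QUEUED.search(line)
        if m:
            totals[m.group("sender")] += int(m.group("nrcpt"))
    return totals


def outbound_spikes(log: str, max_recipients: int = 20) -> dict:
    """Senders whose queued recipient total exceeds `max_recipients` in this log window."""
    return {s: n for s, n in recipients_per_sender(log).items() if n > max_recipients}


if __name__ == "__main__":
    print("relay probes :", relay_probe_sources(SAMPLE_LOG))   # {'203.0.113.5': 3}
    print("spiking users:", outbound_spikes(SAMPLE_LOG))        # {'bob@target.com': 75}
```

The thresholds are deliberately simple; in production they would be a per-sender baseline over a sliding window rather than a fixed number. The point of the pairing is that a hardened server shows the first signal (probes being rejected) while an open relay or a compromised mailbox shows the second (volume that nobody authorised), so both belong in the same dashboard.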

Conclusion

SMTP open relays are a silent but powerful attack vector that can lead to devastating phishing campaigns, credential theft, and fraud. Regular security audits, proper mail server configuration, and strict email policies can mitigate these risks.

🚀 Pentesters: Always test for open relays, as they can provide easy entry points.
🔐 Defenders: Secure your mail servers before an attacker finds them first.

💬 Have you ever encountered an SMTP open relay in the wild? Share your experiences below!