Why is my server being used as a relay when relay is disabled?


Question

I have all the relay options set as per Gordano’s instructions, however my server appears to be being used as a relay. What might be the cause of this?

Answer

Junk emailers attempt to exploit accounts with insecure passwords on mail servers, using the ESMTP AUTH options to log in.

Many mail servers have accounts such as:

  • Postmaster
  • Administrator
  • Webmaster
  • Test
  • Backup
  • Root

set up with insecure passwords, either the word "password" or a password identical to the username. If a spammer guesses one of these accounts by a brute-force attack of this kind, they will then relay mail through the server.

To check if you are being exploited, check your SMTP log for instances of the log entry:

AUTH username@domain.dom (0)

If there are entries such as this for an account that should not be in use, then this is likely the account being exploited. You can enable full logging for SMTP, and you will then see the full AUTH transaction, which will look like this:

AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW5pc3RyYXRvcg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
AUTH  administrator@domain.dom (0)
2.3.5 Authentication successful

These strings are Base64 encoded. If you decode these, you will see the username and password being used to authenticate. So this log extract decodes as follows:

AUTH LOGIN
334 Username:
administrator
334 Password:
password
AUTH  administrator@domain.dom (0)
2.3.5 Authentication successful

In this case, securing the password on the Administrator account will resolve this.
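The log check described above can be automated. The following script is an added example, not GMS code or a Gordano tool: it walks a full SMTP log, reconstructs each AUTH LOGIN exchange, decodes the Base64 prompts and credentials as the article does, and reports successful logins that either use one of the commonly probed account names or use a weak password (the word "password" or the username itself). The password is never written to the report. The log line prefix (date, time, session id in brackets) and the sample log are constructed assumptions; adjust LINE_RE to the prefix your own SMTP log uses.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Account names the article lists as commonly probed (constructed watchlist).
WATCHLIST = {"postmaster", "administrator", "webmaster", "test", "backup", "root"}

# Assumed log line layout: "<date> <time> [<session id>] <message>". The session
# id keeps interleaved connections apart; adapt LINE_RE to your own log format.
LINE_RE = re.compile(r"^\S+\s+\S+\s+\[([^\]]+)\]\s+(.*)$")
SERVER_PROMPT_RE = re.compile(r"^334\s+(\S+)$")
AUTH_RESULT_RE = re.compile(r"^AUTH\s+(\S+@\S+)\s+\(\d+\)$")

# Constructed sample log: session S1 mirrors the article's extract
# (administrator / password), S2 is a normal user, S3 uses backup / backup.
SAMPLE_LOG = """\
2024-01-01 10:00:01 [S1] AUTH LOGIN
2024-01-01 10:00:01 [S1] 334 VXNlcm5hbWU6
2024-01-01 10:00:02 [S1] YWRtaW5pc3RyYXRvcg==
2024-01-01 10:00:02 [S1] 334 UGFzc3dvcmQ6
2024-01-01 10:00:03 [S1] cGFzc3dvcmQ=
2024-01-01 10:00:03 [S1] AUTH  administrator@domain.dom (0)
2024-01-01 10:00:03 [S1] 2.3.5 Authentication successful
2024-01-01 10:05:00 [S2] AUTH LOGIN
2024-01-01 10:05:00 [S2] 334 VXNlcm5hbWU6
2024-01-01 10:05:01 [S2] YWxpY2U=
2024-01-01 10:05:01 [S2] 334 UGFzc3dvcmQ6
2024-01-01 10:05:02 [S2] Y29ycmVjdGhvcnNl
2024-01-01 10:05:02 [S2] AUTH  alice@domain.dom (0)
2024-01-01 10:05:02 [S2] 2.3.5 Authentication successful
2024-01-01 10:09:00 [S3] AUTH LOGIN
2024-01-01 10:09:00 [S3] 334 VXNlcm5hbWU6
2024-01-01 10:09:01 [S3] YmFja3Vw
2024-01-01 10:09:01 [S3] 334 UGFzc3dvcmQ6
2024-01-01 10:09:02 [S3] YmFja3Vw
2024-01-01 10:09:02 [S3] AUTH  backup@domain.dom (0)
2024-01-01 10:09:02 [S3] 2.3.5 Authentication successful
"""


@dataclass
class AuthEvent:
    session: str
    username: str        # decoded client reply to the Username: prompt
    account: str         # account as logged in the "AUTH user@domain (n)" line
    succeeded: bool
    weak_password: bool  # password was "password" or equal to the username
    watchlisted: bool    # username is one of the commonly probed accounts


def b64decode_text(token):
    """Decode one Base64 token to text, or return None if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_weak(username, password):
    """The two weak patterns the article describes; the password itself is never reported."""
    return password.lower() in {"password", username.lower()}


def parse_auth_login_sessions(log_text):
    """Reconstruct AUTH LOGIN exchanges from a full SMTP log, one state machine per session."""
    pending = {}  # session id -> partially observed exchange
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, msg = m.group(1), m.group(2).strip()
        if msg.upper() == "AUTH LOGIN":
            pending[sid] = {"expect": None, "user": None, "pass": None, "account": None}
            continue
        st = pending.get(sid)
        if st is None:
            continue
        prompt = SERVER_PROMPT_RE.match(msg)
        if prompt:  # server challenge: 334 followed by Base64 "Username:" or "Password:"
            label = (b64decode_text(prompt.group(1)) or "").lower()
            st["expect"] = ("user" if label.startswith("username")
                            else "pass" if label.startswith("password") else None)
            continue
        if st["account"] is None:
            auth = AUTH_RESULT_RE.match(msg)
            if auth:  # "AUTH user@domain (n)": the server has resolved the account
                st["account"] = auth.group(1)
                continue
            if st["expect"] == "user":
                st["user"] = b64decode_text(msg)
            elif st["expect"] == "pass":
                st["pass"] = b64decode_text(msg)
            st["expect"] = None
            continue
        # Line after the AUTH result: the server's verdict, worded as in the article's extract.
        user, pw = st["user"] or "", st["pass"] or ""
        events.append(AuthEvent(sid, user, st["account"],
                                "authentication successful" in msg.lower(),
                                is_weak(user, pw), user.lower() in WATCHLIST))
        del pending[sid]
    return events


def report(events):
    """One line per successful login matching either indicator; passwords are never echoed."""
    lines = []
    for e in events:
        flags = []
        if e.watchlisted:
            flags.append("commonly probed account")
        if e.weak_password:
            flags.append('weak password ("password" or same as username)')
        if e.succeeded and flags:
            lines.append(f"[{e.session}] {e.account}: " + "; ".join(flags))
    return lines


if __name__ == "__main__":
    for line in report(parse_auth_login_sessions(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample, the report flags sessions S1 and S3 and stays silent about alice, which is the behaviour you want when reviewing a long log: only the logins worth acting on (disable or re-password the account) are listed.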

Gordano advises implementing a secure password policy, using the options on the Security->Passwords page of the Administration interface.

Keywords: Relay, AUTH
