This note describes the facilities available to managers of e-mail services for checking that e-mail systems at JANET-connected organisations are secure against unauthorised relaying.
The JANET mail relay team operate the Spam-relay Tester And Notification system, which will attempt to connect to your mailer and relay a series of individual messages through it just as the bulk mailers do in preparation for a spam run. It then mails you a report on any vulnerabilities it found.
The tests involve SMTP sessions in which certain sequences of commands are sent to your system and various forms of address are used in attempted message transfers. They include some sequences and addresses which do not conform to the relevant standards (principally RFC 2821 and RFC 2822). It is possible in principle that the tests might cause your mail system to malfunction, although the danger is no greater than that to which you are exposed merely by connection to JANET or the Internet.
To request the series of tests, send a message to relaytest@ja.net with
Subject: relay test
and with a single line in the message body
test <mailer-address>
in which <mailer-address> is the IP address of the JANET mailer you want tested.
The IP address should be in the usual "dotted-quad" form - something like 10.1.1.2.
You can request tests on several systems in a single message either by writing more than one address on the line:
test <mailer1-address> <mailer2-address> . . .
or by writing separate lines:
test <mailer1-address>
test <mailer2-address>
. . .
If you wish to make regular tests of your mail systems accessible from JANET, please book them by arrangement with the mail relay team at relaytest-admin@ja.net. The test request mechanism is just the same, and you will need to set up some manual or automatic process to send the usual mail messages at the intervals agreed; but the advance scheduling enables operational staff to manage the limited machine resources available. The expected form of scheduling is on an annual cycle with requirements such as
"the third Thursday of each February, May, August and November".
You are most likely to use the tester:
The address relaytest@ja.net delivers your message to an automatic testing and reporting process. The tester will immediately return a message saying whether or not the test request is authorised.
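Because the request is read by an automatic process, it helps to generate it in exactly the form given above. The following is an added example, not part of the original note or of the relay team's tooling: it builds the request message and decides whether today falls on the "third Thursday" schedule this note quotes as an example. The sender, the 10.1.1.x mailer addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from datetime import date
from email.message import EmailMessage

TESTER = "relaytest@ja.net"          # request address given in this note
SUBJECT = "relay test"               # subject line given in this note
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def dotted_quad(text):
    """Validate one mailer address; raise ValueError unless it is dotted-quad IPv4."""
    text = text.strip()
    if not DOTTED_QUAD.fullmatch(text):
        raise ValueError(f"not a dotted-quad address: {text!r}")
    return str(ipaddress.IPv4Address(text))   # also rejects octets above 255

def build_request(sender, mailers, one_per_line=True):
    """Build the request message; results are mailed back to `sender`."""
    addrs = list(dict.fromkeys(dotted_quad(m) for m in mailers))  # de-duplicate, keep order
    if not addrs:
        raise ValueError("no mailer addresses given")
    if one_per_line:
        body = "".join(f"test {a}\n" for a in addrs)
    else:
        body = "test " + " ".join(addrs) + "\n"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, TESTER, SUBJECT
    msg.set_content(body)
    return msg

def third_thursday(year, month):
    """Date of the third Thursday of a month (weekday() == 3 is Thursday)."""
    first = date(year, month, 1)
    return date(year, month, 1 + (3 - first.weekday()) % 7 + 14)

def is_test_day(today, months=(2, 5, 8, 11)):
    """True on the example schedule quoted in this note; replace with the agreed one."""
    return today.month in months and today == third_thursday(today.year, today.month)

if __name__ == "__main__":
    # Constructed sender and mailer addresses, for illustration only.
    msg = build_request("postmaster@example.org", ["10.1.1.2", "10.1.1.3"])
    print(msg)
    print([third_thursday(2025, m).isoformat() for m in (2, 5, 8, 11)])
    # To send from a scheduled job: if is_test_day(date.today()):
    #     smtplib.SMTP("localhost").send_message(msg)   # assumes a local submission host
```

Run the script daily from a scheduler and let `is_test_day` gate the send, so the request goes out only on the dates agreed with the mail relay team.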
Test results and reports are sent to the address from which the request came, to postmaster at the host address being tested and to postmaster at the JANET organisation concerned. The result messages will indicate the address from which the test request was received.
If the tests are not complete in a few hours you will also get a progress report.
The elapsed time varies between 20 minutes and two days (or three days over a weekend), depending on the way your mailer reacts. Timing out after a long delay is one way in which it can pass some of the tests!
There are a few common circumstances in which testing may take a long time:
Once a test is queued it attempts to make a connection to the relay being tested. If this fails it will try again later. The test will run for up to two days before timing out.
If a host under test returns a 4XX SMTP error code (temporary retryable failures) the test message is requeued. The relay team may have to abort any outstanding tests without notice if the relay tester is busy and particular tests stay in this state for more than 12 hours.
4XX codes are not normally appropriate for relaying refusals except during testing, as they cause the remote machine to hold on to the mail and try again later.
The test sequence will end when one of the following criteria is met:
The JANET mail relay team will start tests at once on any JANET system which is reported to them (usually from outside JANET) as having relayed spam. If possible they will notify the administrator of the system in the usual way as the test starts.
If the tests discover no vulnerability to relaying, the relay team will respond to the report by asking for further information. If the tests do indicate some vulnerability then the relay team will contact the administrator of the system concerned and will advise on correcting and re-testing it.
It is possible for anyone to ask for a test on any JANET system, and in general such requests will be honoured. However, you are encouraged not to test other people's mailers but instead to contact the postmaster or mail administrator concerned and invite them to send their own request.
If it is hard to reach such a person, contact JANET Service Desk instead. If the relaying or other behaviour of another site's mailer seems to you to be an immediate threat to the use of mail in all or part of JANET, the proper contact is JANET-CERT.
From time to time JANET(UK) may consider it necessary to test some large collection of JANET mail systems, in which case a general warning will be given in advance. A separate document describes the current programme of tests (if any).
The separate page JANET site e-mail requirements includes some background on e-mail, and explains terms used here.
Copyright The JNT Association. All rights reserved.