This note outlines for the managers of JANET e-mail systems what action they should take if they find that any of their mailers are relaying messages without authorisation.
"Internal" means two different things, each of which is important when describing the action of a mail system.
An internal mail address
is an e-mail address in a domain which the mail system is intended to support.
Your mailer will be close to the point at which mail is delivered to such addresses; it will recognise who the messages are for and will relay them as necessary to complete delivery.
An internal IP address
is one in the networks under your management.
When users of your service send messages, the mailer will be close to the origin of the messages; it will recognise where they come from and will relay these too to the rest of the Internet as necessary.
In general the relaying behaviour expected of a mailer is as follows.
Much of the above behaviour can be achieved by configuring your mail software. The details vary considerably between products and you should consult the product documentation or present your requirements very carefully to any contractors managing your mailers.
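The two meanings of "internal" above are what a mailer's relaying decision turns on. The following is an added illustration of that decision, not code from this note or from any JANET service; the domain, the network range and the test transactions are constructed example values.

```python
import ipaddress

# Constructed example values (not from the note): the domain this mailer is
# intended to support and the IP network under our management.
INTERNAL_DOMAINS = {"ourcollege.ac.uk"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]

def is_internal_address(addr: str) -> bool:
    """Internal mail address: the domain part is one we deliver for.
    Exact, case-insensitive match, so 'ourcollege.ac.uk.example.net'
    is not mistaken for an internal domain."""
    local, at, domain = addr.strip().rpartition("@")
    if not at or not local:
        return False
    return domain.lower().rstrip(".") in INTERNAL_DOMAINS

def is_internal_ip(ip: str) -> bool:
    """Internal IP address: the connecting client is in a network we manage."""
    try:
        address = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(address in net for net in INTERNAL_NETWORKS)

def rcpt_decision(client_ip: str, recipient: str, open_relay: bool = False):
    """SMTP RCPT TO response under the expected relaying policy.
    open_relay=True models the 'as delivered' default the note warns about."""
    if is_internal_address(recipient):
        return True, "250 OK (delivery to an internal address)"
    if open_relay or is_internal_ip(client_ip):
        return True, "250 OK (relay accepted)"
    return False, "550 relaying denied"

# Constructed transactions of the kind a relay tester would attempt:
# (connecting client IP, recipient address)
TEST_CASES = [
    ("10.1.1.50", "friend@example.net"),                    # our user sending out
    ("203.0.113.9", "staff@OurCollege.AC.UK"),              # inbound to us
    ("203.0.113.9", "victim@example.net"),                  # external to external
    ("203.0.113.9", "victim@ourcollege.ac.uk.example.net"), # look-alike domain
    ("203.0.113.9", "bare-address-without-domain"),
]

def unauthorised_relays(open_relay: bool = False):
    """Return the test cases the mailer would relay without authorisation."""
    bad = []
    for client_ip, rcpt in TEST_CASES:
        accepted, _ = rcpt_decision(client_ip, rcpt, open_relay)
        if accepted and not is_internal_address(rcpt) and not is_internal_ip(client_ip):
            bad.append((client_ip, rcpt))
    return bad
```

With the corrected policy `unauthorised_relays()` is empty; with the open default it lists every external-to-external case, which is what a relay tester reports.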
MAPS has for a long time maintained a collection of information on specific products, formerly known as TSI (the Transport Security Initiative).
It is unfortunate that in many cases the default behaviour (the way the software works as delivered or following a standard installation, upgrade or patch) is to openly relay, so you should check after making any changes.
The JANET relay tester service may be helpful at that stage.
JANET(UK) recommends that you configure your JANET access router to block connections from JANET (and the rest of the Internet) to TCP port 25 (SMTP) of almost all IP addresses in your network. The addresses of a small number of mailers which are carefully managed and are not a relaying risk can then be released from the block; for a small organisation this may be a single IP address.
The commands needed in the router configuration to achieve this blocking vary among manufacturers; the O'Reilly book Building Internet Firewalls sets out the techniques in a vendor-independent manner and should enable anyone familiar with your router to implement the filtering you need.
This router blocking gives your organisation some protection against inadvertent relaying when a system is installed or upgraded by non-specialists, possibly in some remote department. It is still wise to disable or correctly configure any mail programs on all systems if you can.
You may also consider preventing outgoing connections to port 25 of addresses outside your own network for all except managed mailers. This will, however, inconvenience your own end users if your security policy otherwise allows them to use their own private Internet accounts from your network and to submit mail to their service provider's mailer. You may prefer to manage the small risk both of relaying by this route and of your users submitting spam by maintaining, publicising and actively enforcing clear Conditions of Use for your facilities.
If your mailer has been an open relay for some time, and particularly if it has been used by spammers, it may well be on one or more blacklists.
The blacklists are a very important co-operative activity of the anti-spam community. Certain organisations or individuals maintain lists of IP addresses or address ranges and make them available in ways which enable users of the lists to reject attempted mail transfers from those addresses. Once your mailer is working properly you should check with all the lists you know and request removal if necessary.
The lists have a variety of qualifications for inclusion and arrangements for removal.
If you try to have your mailer removed from any of the lists below but they say you are still open to relaying, it may be that the blacklist testers identify vulnerabilities of which the JANET tester is not yet aware. Please report your problem to relaytest-admin@ja.net.
WARNING: Some blacklist sites have a facility similar to the JANET one for testing your mailer, but if you fail any of their tests you may be added to the open relay list concerned. Check if your mailer is already there before running their tests. If it isn't, and Internet access from that system is important, you may decide that in the short term the risk from spammers is less than the risk from being blocked.
In the long term this is not a safe procedure and you should welcome any facility for identifying weaknesses. The JANET tester tracks new potential exploits as they become known.
The highly-regarded Mail Abuse Prevention System, now provided by Trend Micro, includes a number of lists with different features, together forming their RBL+ service. The ones directly relevant here are:
RBL
The Realtime Blackhole List (RBL) lists addresses associated with actual abuse whose managers have failed to take corrective action.
RSS
The Relay Spam Stopper (RSS) lists addresses of open relays through which spam has been distributed.
Information is accessible through the above Web page.
If your open relay was used for spamming, it will have made you unpopular with a wide range of people throughout the Internet.
Those who use MAPS or ORBS will mostly be satisfied when you have corrected the fault and had yourself removed from the public blacklist. Others will have silently placed you on private blacklists of which you will only become aware when mail to certain places is rejected.
Others again will send you more or less polite reports, complaints and requests that you correct the problem. These are innocent parties whom you have inconvenienced, and some of them may have tried to help you; so in most cases you should acknowledge their messages. The reply need not be long or detailed, and the same one will probably do for almost all reports; inserting suitable names and addresses in the following may be enough.
You reported receiving unwanted mail relayed through the Our College mail server 10.1.1.2 (mail.ourcollege.ac.uk).
That system had indeed been wrongly configured by mistake. We have now corrected its configuration and you should have no further mail by this route.
I am sorry you were troubled. Thank you for reporting the incident to Our College.
If another network has blacklisted you, it will of course be hard for you to send them this or any other message. You may be able to write from an account with some dialup or other service provider. Failing that, JANET(UK) may be able to forward the message; contact JANET Customer Service at Service@ja.net.
The separate page JANET site e-mail requirements includes some background on e-mail, and explains terms used here.