Blocking Open Relays
Table of Contents
An increasing number of spammers are exploiting open e-mail relays to
send spam and disguise the true source of their messages. Open relays
are e-mail servers that are configured to accept and transfer e-mail on
behalf of any user anywhere, including unrelated third parties. If your
computer acts as an open relay, it allows any e-mail sender anywhere to
How spammers detect open relays
Spammers use automated software to scan the Internet trying to find
open relays. If they find out that your server is open, they will probably
send spam through it. The software they are using scans a range of Internet
IP addresses by trying to establish a network connection on port 25. If
the connection succeeds, an IP address is listed and used for sending.
There are at least two advantages for the spammers:
- This technique lets
spammers hide their identities because it appears that the spam actually
comes from you. This makes extremely hard to track them down.
- It is virtually impossible
to get caught by their ISP. All ISPs deny sending spam from their networks.
If the spammers cannot be tracked down, they cannot be reported to their
ISP which would broke down their account anyway, because of violating
the Acceptable User Policy.
Recipients of the spam sent from your computer could flood your server
with complaints. The spam and resulting e-mail traffic could overwhelm
your system. If you are maintaining an open relay, you are leaving your
door open to the theft of your computer services.
How ISPs reject messages from open relays
When you send messages from an SMTP server running on your computer,
some ISPs perform a relay check. They identify your computer's IP address
and try to establish a connection to port number 25 which is the port
used to send e-mail. If the server on your computer accepts the connection
- your message is rejected.
PostCast Server has a feature that allows you to check if your computer
runs as an open relay. Open the Setup Wizard from the Tools menu and press
the "Open Relay" button in the Network Diagnostics step:
Accept only connections from local computer or LAN
When you enter your Internet IP address in the Host
Name text box in the Settings screen, everyone can connect to the
server from the
Internet. You can run the server using the Internet IP address, but
you need to either change the port number or allow access only to certain
If you do not need to accept connections from the Internet, select the
LAN IP address or
127.0.0.1 in the Host Name drop down list in the Settings screen:
Change the port number
Change the number of the port from
25 to some random number (1-65535). Instruct the users to change the settings
in their e-mail programs. This will trick the IP scanner software because
your port 25 will be closed and your computer will not respond to their
queries. Make sure that no other SMTP server software is running on your
system, including "Simple Mail Transport Protocol (SMTP)" service
if you are running Windows NT, 2000, XP, or 2003:
Restrict access to a list of IP addresses
The basic way to implement e-mail relay protection is to configure your
e-mail server to allow only certain TCP/IP addresses and address ranges
to relay through your server. With this technique, your e-mail server
will reject any relay attempt from TCP/IP addresses outside of your network.
If, for example, computers on your network have IP addresses that begin
with 192.168.0, go to Tools>Settings>Security and enter that as
a value in the "Allow access ONLY for users with these IP addresses"
- Internet Black and White Lists
- Blocking Open Relays