The Mail Abuse Prevention System (MAPS) recently added our company to its quarantine list because our Exchange server was an open relay. In other words, anyone with enough computer savvy could use our mail server to route their mail, without our knowledge or consent. Senders of unsolicited commercial email (UCE) and perpetrators of Denial of Service (DoS) attacks use open relays for their misdeeds.
We became aware of this security problem when some of our employees (who used the same ISP for their home accounts) were unable to send email to their home addresses. All received the same error message:
Your message did not reach some or all of the intended recipients.
Subject: test
Sent: 11/7/00 11:25 AM
The following recipient(s) could not be reached:
We contacted the ISP, which verified that our mail server was on the quarantine list. We were then directed to MAPS at http://www.mailabuse.org to rectify the problem. The site provides links to resources based on the mail platform you're using. We followed the suggestions in Joseph Neubauer, "Is Your Exchange Server Relay-Secure?" January 2000, on the Exchange Administrator Web site (http://www.exchangeadmin.com; also at http://www.microsoft.com/technet/exchange/relay.asp) and made the necessary changes to our Exchange server (e.g., modifying the routing options and routing restrictions so that the server accepts mail only for our own domains or from authenticated users). The last step was to notify MAPS's Relay Spam Stopper (RSS) service that we had made the required changes to our system and that we would like to be removed from the list. RSS retested the relaying capabilities of our server. Because our server was now compliant, MAPS removed it from the quarantine list.
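What the RSS retest actually does is attempt to hand the server mail for an outside recipient and see whether it is accepted. The probe below is an added example, not MAPS's or Microsoft's code, that performs the same check over SMTP without ever sending DATA, so no mail is delivered. Everything in it is an assumption made for illustration: the probe addresses and domains, the hypothetical FakeSmtpServer (constructed so the probe runs offline, once as the unsecured server and once as a server restricted to its own domains), and the 550 "Unable to relay" text it returns.

```python
# Added example: an SMTP open-relay probe in the spirit of the MAPS RSS
# retest. Not MAPS's or Microsoft's code; the addresses, domains and the
# in-memory FakeSmtpServer below are constructed for illustration.
import socket

# (envelope sender, envelope recipient, description, legitimate)
# legitimate=False probes must be refused by a relay-secure server; the
# legitimate=True control must still be accepted, or inbound mail is broken.
RELAY_PROBES = (
    ("probe@example.net", "victim@example.org", "outside sender, outside recipient", False),
    ("", "victim@example.org", "null sender, outside recipient", False),
    ("postmaster@example.com", "victim@example.org", "forged local sender, outside recipient", False),
    ("probe@example.net", "postmaster@example.com", "outside sender, local recipient (control)", True),
)


def _read_reply(rfile):
    """Read one SMTP reply, following multi-line replies ('250-...' lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), "\n".join(lines)


def _command(rfile, wfile, line):
    wfile.write((line + "\r\n").encode("ascii"))
    wfile.flush()
    return _read_reply(rfile)


def probe_relay(rfile, wfile, helo_name="relaytest.example.net", probes=RELAY_PROBES):
    """Return [(description, accepted, legitimate, reply_text)] for each probe.
    accepted is True when RCPT TO for that recipient got a 2xx reply."""
    code, text = _read_reply(rfile)  # server banner
    if code != 220:
        raise RuntimeError(f"unexpected banner: {text}")
    code, text = _command(rfile, wfile, f"HELO {helo_name}")
    if code != 250:
        raise RuntimeError(f"HELO rejected: {text}")
    results = []
    for sender, recipient, description, legitimate in probes:
        _command(rfile, wfile, "RSET")  # fresh envelope for every probe
        code, text = _command(rfile, wfile, f"MAIL FROM:<{sender}>")
        if code != 250:
            results.append((description, False, legitimate, text))
            continue
        code, text = _command(rfile, wfile, f"RCPT TO:<{recipient}>")
        results.append((description, 200 <= code < 300, legitimate, text))
    _command(rfile, wfile, "QUIT")  # no DATA: the probe must never deliver mail
    return results


def is_open_relay(results):
    """Open relay: any non-legitimate recipient was accepted."""
    return any(accepted and not legitimate for _, accepted, legitimate, _ in results)


def rejects_local_mail(results):
    """The other failure mode: a lockdown so tight the control is refused."""
    return any(legitimate and not accepted for _, accepted, legitimate, _ in results)


def probe_host(host, port=25, timeout=15):
    """Probe a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_relay(rfile, wfile)


class FakeSmtpServer:
    """Constructed in-memory responder with readline()/write()/flush(), so the
    probe can be run without a network. relay=True imitates the unsecured
    server; relay=False accepts RCPT TO only for its own domains."""

    def __init__(self, relay, local_domains=("example.com",)):
        self.relay = relay
        self.local_domains = local_domains
        self._out = bytearray(b"220 mail.example.com ESMTP fake\r\n")

    def readline(self):
        end = self._out.find(b"\n") + 1
        data = bytes(self._out[:end])
        del self._out[:end]
        return data

    def write(self, data):
        cmd = data.decode("ascii").strip()
        verb = cmd[:4].upper()
        if verb in ("HELO", "MAIL", "RSET"):
            reply = "250 OK"
        elif verb == "RCPT":
            addr = cmd[cmd.find("<") + 1:cmd.rfind(">")]
            domain = addr.rsplit("@", 1)[-1].lower()
            if self.relay or domain in self.local_domains:
                reply = "250 OK"
            else:
                reply = f"550 5.7.1 Unable to relay for {addr}"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "500 Unrecognized command"
        self._out += (reply + "\r\n").encode("ascii")

    def flush(self):
        pass
```

Run probe_host("your.mail.server") from a host outside your own network (a probe from inside may be treated as local and pass trivially), and check both verdicts: is_open_relay tells you whether RSS will list you again, and rejects_local_mail catches the over-correction where the new restrictions also refuse legitimate inbound mail for your domain.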
The documentation for this fix has been available since Neubauer's article was published. However, industry research at the time indicated that 60 percent to 70 percent of mail servers weren't configured to properly block open relaying. With so many noncompliant mail servers, I felt that our experience might help Exchange Administrator readers. More and more ISPs are using services such as MAPS to determine who can and can't deliver mail to their servers.