ORBS - Test envelopes

"The security of a mailserver is only as good as the security of hosts which are trusted to use it."

If you are looking for numbered tests, you're on the wrong site. ORBS describes vulnerabilities and doesn't number them. Try [6] http://www.abuse.net/relay.html

This is the list of checks ORBS performs. Please compare it with the tests performed by your favourite online tester...

ORBS only counts a host as open if it actually delivers the test messages. Bounces are ignored for databasing purposes. Most of the online testers which perform multiple tests stop as soon as one envelope is accepted, so they may give misleading results if they don't actually check for delivery and continue the test sequence when the message isn't delivered.

As far as relay tests go, the only thing which really counts is the message envelope (the MAIL FROM: and RCPT TO: SMTP chat items). Usually these are discarded by the time a message is actually delivered, so ORBS test messages duplicate them in the message body and headers to speed up fault diagnosis. Many MTAs will strip these if described as MAIL FROM and RCPT TO, so they are renamed to prevent this from happening:

  "X-Envelope-Sender: <>" is the MAIL FROM:<> and
  "X-Envelope-Recipient: <>" is the RCPT TO:<>

The current set of vulnerabilities ORBS checks for is as follows:

  MAIL FROM:
  RCPT TO:
    This is the classic "wide open relay".

  MAIL FROM:
  RCPT TO:<"victim@target">
    With the "" in there. Sendmail 8.8-specific (although Lotus Notes and other MTAs may exhibit this fault if incorrectly secured). A patch has been available since August 1998 - see the sendmail section of [10] the ORBS fixup page. Heavily exploited by spammers.

  MAIL FROM:
  RCPT TO: victim@target
    No <>; this test is non-RFC821 compliant.
    Typical failures are MS Exchange and SLmail betas.

  MAIL FROM:
    No domain; vulnerable machines usually add their local domain.
  RCPT TO:
    Typical machines which fail this are Post.Office and Intermail, or improperly set up sendmail 8.8.

  MAIL FROM:
  RCPT TO:
    {relay} is tested as [IP.address], IP.address and reverse.DNS.name. Heavily exploited by spammers and mailbombers. Most Lotus Notes/Domino installations fail this. Recently fixed - see [14] /otherresources.html. Most Novell Groupwise installations fail this no matter what antirelay settings are used. MX (a VMS MTA) will fail this unless the latest version is used. Many badly secured sendmail installations fail this test. Some cc:Mail installations will mailbomb themselves to death with looping mail when this test is carried out. However, these are usually the same ones which mailbomb themselves to death with looping mail whenever they receive mail addressed to postmaster@open.relay.

  MAIL FROM:
  RCPT TO:
    Variation on the % address routing vulnerability above. Not commonly used by spammers (yet).

  MAIL FROM:
  RCPT TO:
    Mixed UUCP and Internet addressing. Typical failures are Sendmail installations with FEATURE(nouucp) set.

  MAIL FROM:
  RCPT TO:<@{relay}:victim@target>
    Another pathing vulnerability attack. Heavily exploited by mailbombers, usually as a multihop attack - RCPT TO:<@{relay1},@{relay2},@{relay3}:victim@target> - however also being used increasingly by spammers. ORBS does not test the multihop variation.

  MAIL FROM:
  RCPT TO:
    This is old-style UUCP pathing and more commonly used by mailbombers than spammers.

  MAIL FROM:
  RCPT TO:

  MAIL FROM:<>
    "NULL sender."
  RCPT TO:
    This envelope must NOT be filtered from local delivery, as it's used for bounce messages; however, it must not be allowed to relay.

  MAIL FROM:
  RCPT TO:
    This is the only check most of the online testers actually perform.
    (This attack used to be the second most common form of spam relaying seen, but is currently rare.)

Because ORBS has to test each suspected relay by both reverse-DNS name and literal IP address, the number of tests is significantly higher than the number shown here.

A literal IP address enclosed in [] (MAIL FROM:) is RFC821-compliant, despite Microsoft Exchange's claims to the contrary. However, because Exchange and Post.Office often relay for IP addresses not enclosed in [], MAIL FROM: is used too. RFC 821 also specifies that there is no space after the ":" and that sender/recipient envelopes be wrapped in <>; the envelopes listed above are the exact format used in SMTP chat. Some MTAs are forgiving of non-compliant envelopes; however, for testing purposes, please ensure your checks are syntactically correct.

ALL of these envelopes have been used at some point for spam delivery. There are probably more as-yet undiscovered relaying holes in various pieces of software. ORBS adds more tests as the vulnerabilities are discovered and exploited by spammers.

All newly discovered relays are notified at their postmaster@ address (by reverse-DNS name and at the literal IP); however, about 35% of all open relays either have no postmaster address, have no reverse DNS, or will not accept mail addressed to the literal IP.

The ORBS automated tester walks through the test sequence on each IP address slowly. There is a 2 minute gap between each test, and as soon as one test fails (where failure is delivery of the test message, not just accepting it), the test sequence is abandoned. The 2 minute gap keeps bandwidth usage down to minimum levels and allows enough time for most open relays to pass the message back to ORBS before the next test is started. If all tests are passed, ORBS waits several days, then rechecks to ensure the host is secure.
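The envelope forms above all exploit the same gap that ORBS measures: the MTA's relay policy judges the surface syntax of RCPT TO:, while its routing layer later rewrites the address (removes quotes, strips a source route, applies the % hack or a UUCP ! path) and delivers somewhere else, so "accepted" and "delivered" diverge. The following is an added example, not ORBS code or any vendor's implementation; it models a naive policy check beside a hardened one that decides on the same canonical form the delivery layer uses. The host names mail.example and 192.0.2.25, the .invalid addresses, and the "unparseable envelope falls through to accept" mechanism for the no-<> form are all constructed assumptions for illustration.

```python
"""Added example (not ORBS code): why the listed envelope forms slip past a
naive relay check, and the check that closes the gap. The MTA identity,
addresses and the fail-open mechanism below are constructed assumptions."""
import re

# Constructed identity of the MTA being modelled: its hostname plus the IP
# literal forms ORBS substitutes for {relay}. Not real hosts.
LOCAL_NAMES = {"mail.example", "[192.0.2.25]", "192.0.2.25"}
LOCAL_OR_NONE = LOCAL_NAMES | {""}          # "" = bare local user, no domain

# A quoted local part, optionally followed by @domain, e.g. "victim@target"
QUOTED_LOCAL = re.compile(r'^"(?P<local>[^"]*)"(?:@(?P<domain>.+))?$')


def delivery_target(rcpt):
    """Final domain a permissive routing layer would actually deliver to."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # Source route <@hop:user@dom>: the route is stripped (RFC 1123) and the
    # message goes on to user@dom.
    if addr.startswith("@"):
        _route, _, addr = addr.partition(":")
    # Quoted local part addressed to us: the delivery agent removes the
    # quotes and re-parses, so <"victim@target"> becomes victim@target.
    m = QUOTED_LOCAL.match(addr)
    if m and (m.group("domain") or "").lower() in LOCAL_OR_NONE:
        addr = m.group("local")
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain in LOCAL_OR_NONE:
        if "%" in local:                    # '%' hack: user%dom@us -> user@dom
            domain = local.rsplit("%", 1)[1].lower()
        elif "!" in local:                  # UUCP path: dom!user -> dom
            domain = local.split("!", 1)[0].lower()
    return domain


def naive_policy_accepts(mail_from, rcpt):
    """Relay check made on surface syntax only (the flawed pattern)."""
    addr = rcpt.strip()
    if not (addr.startswith("<") and addr.endswith(">")):
        # Assumed mechanism: an envelope the policy parser cannot read falls
        # through to "accept", while the routing layer still reads it.
        return True
    addr = addr[1:-1]
    if addr.startswith("@"):
        # Source route: the first hop names us, so the address "looks local".
        first_hop = addr[1:].split(",", 1)[0].split(":", 1)[0]
        return first_hop.lower() in LOCAL_NAMES
    m = QUOTED_LOCAL.match(addr)
    if m and m.group("domain") is None:
        return True                         # quoted local part, no domain: "a local user"
    return addr.rpartition("@")[2].lower() in LOCAL_OR_NONE


def hardened_policy_accepts(mail_from, rcpt):
    """Require RFC 821 syntax (<> around both envelope addresses) and decide
    on the same canonical form the delivery layer uses."""
    for item in (mail_from.strip(), rcpt.strip()):
        if not (item.startswith("<") and item.endswith(">")):
            return False
    return delivery_target(rcpt) in LOCAL_NAMES


def classify(mail_from, rcpt, policy):
    """ORBS-style outcome: 'rejected', 'local' (accepted and delivered to us)
    or 'relayed' (accepted, then delivered off-site)."""
    if not policy(mail_from, rcpt):
        return "rejected"
    return "local" if delivery_target(rcpt) in LOCAL_NAMES else "relayed"


# Constructed envelopes modelled on the forms listed on this page
# (.invalid is a reserved TLD; nothing here is a real address).
TEST_ENVELOPES = [
    ("<probe@orbs.invalid>", "<victim@target.invalid>"),                # classic wide-open form
    ("<probe@orbs.invalid>", '<"victim@target.invalid">'),              # quoted local part
    ("<probe@orbs.invalid>", "victim@target.invalid"),                  # no <>, non-RFC821
    ("<probe@orbs.invalid>", "<victim%target.invalid@mail.example>"),   # '%' routing
    ("<probe@orbs.invalid>", "<victim%target.invalid@[192.0.2.25]>"),   # '%' routing via IP literal
    ("<probe@orbs.invalid>", "<@mail.example:victim@target.invalid>"),  # source route
    ("<probe@orbs.invalid>", "<target.invalid!victim@mail.example>"),   # UUCP path
    ("<>", "<postmaster@mail.example>"),                                # null sender, local: must accept
    ("<>", "<victim@target.invalid>"),                                  # null sender, remote: must reject
]


def run(policy):
    """Verdict for each test envelope under the given policy."""
    return [(mf, rcpt, classify(mf, rcpt, policy)) for mf, rcpt in TEST_ENVELOPES]


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy_accepts), ("hardened", hardened_policy_accepts)):
        print(f"--- {name} policy ---")
        for mf, rcpt, verdict in run(policy):
            print(f"{verdict:8} MAIL FROM:{mf}  RCPT TO:{rcpt}")
```

Under the naive policy only the classic form and the null-sender-to-remote form are rejected; every other variant is accepted and then handed off-site, which is exactly the "accepted but relayed" result ORBS counts and most online testers never reach. The hardened policy rejects all of them while still accepting MAIL FROM:<> to a local mailbox, which the page notes must keep working for bounces.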
Once confirmed as a secured host, the entry is added to the "OK" database and cannot be retested within 5 months without manual intervention, unless it delivers mail to a registered ORBS spamtrap.

There is no such thing as a perfectly secure computer, unless it is switched off, melted down, encased in concrete, then tossed into a deep ocean trench. Even then, someone may work out how to manipulate gravity waves to get at it. Never assume any security measure covers all future possibilities, as this will result in great embarrassment at some point in the future. Anyone who offers a 100% security guarantee is either a fraud or a fool.

[26] Back to ORBS Home
_________________________________________________________________

Database problems: Most problems currently seen are transient. Try reloading the page if you get an error. Please advise if you get repeated error messages while accessing the website.

Database disclosure: ORBS publicly discloses all details on IP addresses which have been detected as open once the data is over 30 days old. This is done because machines which are not secured within one month of discovery are unlikely to ever be secured unless publicised.

Contact: orbs@orbs.org - but read the website first. Note - any E-mail message sent to any ORBS.org contact address or to any of our network service providers may be posted in whole or in part to various anti-spam forums, depending on the abusiveness or humour value of the message. ANY message that mentions the words "lawyer" or related terms in particular will very likely be posted.

References
0. http://www.orbs.org/envelopes.html
6. http://www.abuse.net/relay.html
10. http://www.orbs.org/otherresources.html
14. http://www.orbs.org/otherresources.html
26. http://www.orbs.org/index.html