Mail Relay Problem
Impact
Many versions of the sendmail program and other mail transport
agents (MTAs) do not provide sufficient
safeguards against malicious users sending spam mail through a third
party computer. Further, the spam mail will often have a forged source
address.
Background
Until 1999, most implementations of sendmail and its clones provided
little checking of source and destination addresses. For example, a user on
Host A could use the sendmail on Host B to send mail to a user on Host C
with a source email address from Host D. In other words, a hacker on
foo.bar.com would use the sendmail at host1.swipnet.se to send a message
to 5,000 users with the source address of president@whitehouse.gov.
Similar problems have been detected with Microsoft Mail and Microsoft
Exchange products. However, older Microsoft products report a relay
operation when none occurred (false positive).
Some MTAs may time out during SARA testing. In these cases, the MTA
must be exercised manually to determine if it is a relay.
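The Host A / B / C / D scenario above is a policy failure: the MTA on Host B grants relay on the strength of nothing at all, and the MAIL FROM address cannot help because it is freely forgeable. The following added example (not code from the page, SARA, or sendmail) shows the decision a correctly configured MTA makes for each RCPT TO: accept only when the recipient is local or when the connecting client is on a trusted network, and never consult the sender address. The local domains, the trusted network 192.0.2.0/24, the client addresses, and the recipient host3.example are constructed placeholders.

```python
import ipaddress

# Constructed policy for a hypothetical MTA on host1.swipnet.se (the page's
# "Host B"). The trusted network 192.0.2.0/24 is a documentation range used
# here as a placeholder for the MTA's own users; it is not from the page.
LOCAL_DOMAINS = {"host1.swipnet.se", "swipnet.se"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def domain_of(address):
    """Return the lower-cased domain part of an SMTP address, or '' if absent."""
    address = address.strip().strip("<>")
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def relay_decision(client_ip, mail_from, rcpt_to):
    """Decide whether this MTA should accept a RCPT TO for the given envelope.

    Only two facts are trusted: where the TCP connection comes from and
    whether the recipient is local. The MAIL FROM address is deliberately
    never used to grant relay, because a sender can forge it freely (the
    president@whitehouse.gov case in the text).
    """
    rcpt_domain = domain_of(rcpt_to)
    if rcpt_domain in LOCAL_DOMAINS:
        return ("accept", "local delivery")        # inbound mail to our users
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETWORKS):
        return ("accept", "relay for trusted network")  # our users sending out
    # Anything else is Host A asking Host B to deliver to Host C:
    # third-party relay, which an open relay would wrongly accept.
    return ("reject", "relaying denied")


def check_envelope(client_ip, mail_from, rcpts):
    """Apply relay_decision to every recipient; return [(rcpt, verdict), ...]."""
    return [(r, relay_decision(client_ip, mail_from, r)[0]) for r in rcpts]


if __name__ == "__main__":
    # The page's scenario: an outsider (Host A, constructed address 203.0.113.5)
    # offers Host B a message for a user elsewhere with a forged sender.
    # Expected: the remote recipient is rejected, the local one is accepted.
    for rcpt, verdict in check_envelope(
        "203.0.113.5", "president@whitehouse.gov",
        ["user@host3.example", "someone@swipnet.se"],
    ):
        print(rcpt, verdict)
```

The same two questions (is the recipient local? is the client one of ours?) are what the sendmail access controls introduced in the late-1990s releases enforce; a manual relay test against a suspected MTA is simply observing whether the first case is accepted.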
Resolution
Vendor and Web server patches and workarounds to protect against this
vulnerability are available. If your vendor does not have an upgrade,
obtain current versions of sendmail from sendmail.org.
In addition, sendmail.org has an
excellent tutorial on the subject.