COMMAND

    NTMail

SYSTEMS AFFECTED

    NTMail3

PROBLEM

    Geo found following.  NTMail  version 3 has an open  relay exploit
    that allows anyone to send mail  thru the server even if it's  not
    local.   So,  NTmail3  appears  to  have  a small hole that allows
    anyone to use an NTmail3 server as a relay mail server.  Basically
    here is how it works.   NTmail3 is set to not allow  relay (either
    the TO or  FROM address must  be local) JUCE  (a $500 antispamming
    add-on from the makers of  NTmail) has been installed and  used to
    lock the server down from the spammers.

        I:>open mail.someisp.net 25

        220-Unauthorized Use Prohibited
        220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at
        Sun, 6 Jun 1999 10:39:30 -0400

        helo

        250 mail.someisp.net [192.168.0.0]

        mail from:<>

        250 Ok.

        rcpt to:poorsucker@aol.com

        250 Ok.

        data

        354 Start mail input, end with <CRLF>.<CRLF>.

        buy my crap
        sincerely,
        some lame spammer
        .
        250 Requested mail action Ok.

    So the stupid program appears to think that <> is a local address.
    Not only that but if you  use JUCE (the anti spam addon)  and have
    it set to stop things with max messages (too many messages and the
    account gets shut down)  it will give the  postmaster notification
    when an account hits the max message limit, well <> doesn't  cause
    any notification  at all.   In fact  it appears  to be  a sort  of
    special case and  may actually get  around some of  the other anti
    spamming features built into NTmail3.

    Note that the <> mentioned here is the empty envelope sender which
    is required for  bounces. Allowing it  thru is still  kinda stupid
    tho.  A spammer exploiting  this doesn't have to care  about where
    his bounces go either....

SOLUTION

    Gordano LTD (the author of  NTmail) doesn't appear to care,  their
    response was "we  don't support V3  unless you pay",  like one was
    asking a question or something... Solution is to upgrade to NTmail
    4, which costs oh..  about 4x what you paid for version 3 and  has
    problems too.

    However, test on a more recent version of NTMail 3.03.0006  didn't
    allow the relay. There is basic juce functionality in that version.