NTMail version 3 relay problem


NTmail3 appears to have a small hole that allows anyone to use an NTmail3 server as a relay mail server. Basically, here is how it works. NTmail3 is set to not allow relay (either the TO or FROM address must be local). JUCE (a $500 antispamming add-on from the makers of NTmail) has been installed and used to lock the server down from the spammers.

I:>open mail.someisp.net 25

220-Unauthorized Use Prohibited
220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400

helo

250 mail.someisp.net [192.168.0.0]

mail from:<>

250 Ok.

rcpt to:poorsucker@aol.com

250 Ok.

data

354 Start mail input, end with <CRLF>.<CRLF>.

buy my crap

sincerely,
some lame spammer
.

250 Requested mail action Ok.

So the stupid program appears to think that <> is a local address. Not only that, but if you use JUCE (the anti-spam add-on) and have it set to stop things with max messages (too many messages and the account gets shut down), it will give the postmaster notification when an account hits the max message limit; well, <> doesn't cause any notification at all. In fact, it appears to be a sort of special case and may actually get around some of the other anti-spamming features built into NTmail3.

Gordano LTD (the author of NTmail) doesn't appear to care; their response was "we don't support V3 unless you pay", like I was asking a question or something... I've even offered to pay them to build me a fixed version, but instead they have asked me to take the discussion elsewhere (instead of their mailing list). Ok, this is elsewhere <g>.

Gordano's solution is to upgrade to NTmail 4, which costs oh.. about 4x what you paid for version 3. Also, if you purchase version 4 and find it unacceptable because of other problems (I can't run it because it can't handle the load that version 3 handles), Gordano will be more than happy to downgrade you to version 3 (this is how they are trying to retain some new customers who are totally unsatisfied with the quality of Version 4). So since they are still selling Version 3 in effect, it is my opinion they should fix the damn thing.

Geo.

PS, NTMail 3.03 is over a year old and the new version has been out for about 4 months; however, it's got so many problems we had to revert back to version 3.

Also, people seem to be missing the point here. If you have local mail restrictions turned on, then the mail server should not accept mail from non-local domains; however, the <> account gets around this. Try sending as <>@microsoft.com to see what I mean. Also, it should not allow mail with no return address to be sent, but it does.



I received the following from Gordano. Basically, I guess they aren't going to address this because they feel it's not important. Version 3.03.0018 does not fix the bug. NTmail 4 does fix it though, so if you can live with it then it's a solution.
-----------------------

We have reviewed the posting of "NTMail version 3.x" being an open relay and there are several observations we would like to make:

1. The last version 3 of NTMail is a very old version and was superseded by version 4 in August 1998. Version 3.03.0018 is available on our FTP site for no charge for those who wish to update to the latest version 3. It is no longer available for purchase.

2. It is *not* true that NTMail is "an open relay" unless the relay options are changed from their default.

3. More flexibility in the relaying options was introduced in version 4 of NTMail which is available from http://www.ntmail.co.uk or sales@gordano.com.

In addition to normal support mechanisms, we welcome feedback of all kinds by e-mail to suggest@gordano.com. Many thanks for allowing us to set the record straight.

John Stanners
Gordano Ltd
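
The relay rule described in the post ("either the TO or FROM address must be local") and the reported handling of <> can be modelled as below. This is an added example, not part of the original post and not NTMail code; LOCAL_DOMAINS, the function names and the sample envelopes are constructed assumptions.

```python
# Added example: relay authorization for "either TO or FROM must be local".
# LOCAL_DOMAINS and all addresses below are constructed for illustration.
LOCAL_DOMAINS = {"someisp.net"}


def domain_of(path):
    """Return the lowercased domain of an SMTP path, or None for <> / no domain."""
    addr = path.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    return domain or None


def is_local(path):
    return domain_of(path) in LOCAL_DOMAINS


def relay_ok_flawed(mail_from, rcpt_to):
    """Models the behaviour the post reports: a sender without a domain is
    treated as local, so the 'FROM is local' branch admits any recipient."""
    sender_local = domain_of(mail_from) is None or is_local(mail_from)
    return sender_local or is_local(rcpt_to)


def relay_ok_hardened(mail_from, rcpt_to):
    """A null or domainless sender never grants relay rights; such mail is
    accepted only for local recipients (e.g. bounces coming back in)."""
    if domain_of(mail_from) is None:
        return is_local(rcpt_to)
    return is_local(mail_from) or is_local(rcpt_to)


# Constructed test envelopes: (MAIL FROM, RCPT TO)
ENVELOPES = [
    ("<>", "<poorsucker@aol.com>"),                  # the case from the transcript
    ("<>", "<user@someisp.net>"),                    # inbound bounce
    ("<user@someisp.net>", "<friend@example.org>"),  # local user sending out
    ("<x@example.org>", "<y@example.com>"),          # third-party relay
]


def compare():
    """Return (from, to, flawed_decision, hardened_decision) per envelope."""
    return [(f, t, relay_ok_flawed(f, t), relay_ok_hardened(f, t))
            for f, t in ENVELOPES]


if __name__ == "__main__":
    for row in compare():
        print("from=%-22s to=%-24s flawed=%-5s hardened=%s" % row)
```

Only the first envelope differs between the two checks: the flawed rule accepts it for relay, the hardened rule rejects it while still accepting null-sender mail addressed to a local mailbox.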

 

