Hi folks

Seems some servers can allow telnet on the ISP / remote email server's port 25 without you having to enter a password -- and you can send an email.

Not sure what these commercial ISP servers do, but is there any way to block this if using your own domain / hosting server's email systems? Just making use of telnet difficult doesn't seem to me a sufficient answer.

I tried this (as a normal user, not admin).

telnet <smtp servername> 25
EHLO <servername>

mail from: <email address> (don't forget the ':')

rcpt to: <target email address>

DATA (now wait for the go-ahead response: 354 go ahead)

subject: <subject> e.g. test from telnet.

enter a blank line
then your email text plus a blank line or two

finish with a single '.' (full stop) on a new line

you should get something like 250 message accepted

then QUIT

you'll get 221 smtpout.<url>

connection closed by foreign host.

Now check, say with Outlook, and you'll find your email message, assuming as a test you sent it to a mailbox which you have access to.

Seems a bit of a security flaw here. Or certainly possibly a spammer's paradise!!!

Any ideas on how to beef up the security - especially if it's on, say, a domain you own? Not sure if there's anything you can do though on ISP email servers.

Cheers
jimbo
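
Added example, not part of the original post: a small Python auditor for a logged session like the one above, reporting every recipient the server accepted before any successful AUTH. A port 25 listener accepting unauthenticated mail for its own domains is normal inbound delivery, so the check separates that from acceptance for other domains, which is the relay case to close on a server you run. The "C:"/"S:" log format, the `audit_session` name and the example.org addresses are assumptions made for this illustration.

```python
import re

# Constructed transcript ("C:" client, "S:" server); not captured from a real server.
SAMPLE = """\
S: 220 mail.example.org ESMTP
C: EHLO client.example.net
S: 250-mail.example.org
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<someone@example.net>
S: 250 ok
C: RCPT TO:<user@example.org>
S: 250 ok
C: RCPT TO:<user@elsewhere.example>
S: 250 ok
C: DATA
S: 354 go ahead
C: .
S: 250 message accepted
C: QUIT
S: 221 bye
"""


def audit_session(transcript, local_domains):
    """List recipients the server accepted before any successful AUTH (235)."""
    authed, pending, findings = False, None, []
    for line in transcript.splitlines():
        side, text = line[:2], line[2:].strip()
        if side == "C:":
            pending = text  # remember the command awaiting a reply
            continue
        reply = re.match(r"(\d{3})([ -]|$)", text)
        if side != "S:" or not reply or reply.group(2) == "-":
            continue  # not a final reply line (e.g. a 250-... continuation)
        code = int(reply.group(1))
        if code == 235:
            authed = True  # 235 is the SMTP AUTH success reply
        elif pending and pending.upper().startswith("RCPT TO:") and 200 <= code < 300 and not authed:
            addr = pending.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            kind = "local-delivery" if domain in local_domains else "unauthenticated-relay"
            findings.append((kind, addr))
        pending = None
    return findings


if __name__ == "__main__":
    for kind, addr in audit_session(SAMPLE, {"example.org"}):
        print(f"{kind}: {addr}")
```

An "unauthenticated-relay" finding is the one that needs a server-side fix; a "local-delivery" finding only shows that the sender address was not verified, which is what SPF, DKIM and DMARC checks on the receiving side address.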