Editing Open mail relay (section)

== Closing relays ==
In order not to be considered "open", an e-mail relay should be secure and configured to accept and forward only the following messages (details will vary from system to system&nbsp;— in particular, further restrictions may well apply):<ref name="janet">{{Cite web|url=http://www.ja.net/services/mail/janet-spam-relay-tester-and-notification-system/repairing-open-mail-relays.html#expected |title=Repairing open mail relays - Advice from UK JANET |access-date=2008-04-12 |url-status=dead |archive-url=https://web.archive.org/web/20080224195334/http://www.ja.net/services/mail/janet-spam-relay-tester-and-notification-system/repairing-open-mail-relays.html |archive-date=February 24, 2008}}</ref>

* Messages from local [[IP address]]es to local [[Email box|mailboxes]]
* Messages from local IP addresses to non-local mailboxes
* Messages from non-local IP addresses to local mailboxes
* Messages from clients that are [[authentication|authenticated]] and [[authorization|authorized]]

In particular, a properly secured SMTP mail relay should not accept and forward arbitrary e-mails from non-local IP addresses to non-local mailboxes by an unauthenticated or unauthorized user.

In general, any other rules an administrator chooses to enforce (for instance, based on what an e-mail gives as its own [[Bounce address|envelope from]] address) must be in addition to, rather than instead of, the above.<ref name="janet" /> If not, the relay is still effectively open (for instance, by the above rules): it is easy to forge e-mail header and envelope information, it is considerably harder to successfully forge an IP address in a [[Internet protocol suite|TCP/IP]] transaction because of the [[Transmission Control Protocol#Connection establishment|three-way handshake]] that occurs as a connection is started.

Open relays have also resulted from security flaws in software, rather than misconfiguration by system administrators.<ref>{{Cite web|publisher=[[Debian]]|url=http://www.debian.org/security/2004/dsa-554|title=DSA-554-1 Sendmail -- Pre-set Password|date= 2004-09-27|access-date=2010-05-09}}</ref><ref>{{Cite web|url=http://support.microsoft.com/kb/310669|title=MS02-011: An authentication flaw could allow unauthorized users to be authenticated on the SMTP service|publisher=[[Microsoft]]|date=2007-03-29|access-date=2008-10-28}}</ref><ref>{{Cite web|url=http://support.microsoft.com/kb/237927|title=XIMS: Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled|publisher=[[Microsoft]]|date=2006-10-26|access-date=2008-10-29}}</ref> In these cases, security patches need to be applied to close the relay.

Internet initiatives to close open relays have ultimately missed their intended purpose, because spammers have created distributed botnets of zombie computers that contain malware with mail relaying capability. The number of clients under spammers' control is now so great that previous anti-spam countermeasures that focused on closing open relays are no longer effective.