Spam Relay
A spam relay is a compromised or misconfigured mail server used to forward unsolicited bulk email on behalf of spammers, obscuring the true origin of messages. Open SMTP relays and hijacked mail credentials allow attackers to send millions of messages per day, damaging the host's IP reputation and causing legitimate mail delivery to fail.
High Severity
This threat is classified as high severity. Prioritize mitigation.
🔍Indicators
- Sudden spike in outbound SMTP connections (port 25) from a server not designated as a mail server
- mail.log showing high volumes of messages to external recipients from unknown sender domains
- Server IP listed on one or more DNS block lists (Spamhaus, Barracuda, SORBS)
- Bounced delivery notifications (NDRs) flooding the local mailbox for messages the account owner never sent
- SMTP AUTH brute-force attempts followed by successful authentication from foreign IPs
- Unusually high CPU/network utilization correlated with mail daemon process
🛡Detection Methods
Check if your server is an open relay

```shell
# Test from an external host. Use placeholder addresses whose domains the server
# does NOT host; if the RCPT TO is accepted (250) and the message is relayed, the server is an open relay.
telnet mail.example.com 25
EHLO test.com
MAIL FROM:<sender@example.net>
RCPT TO:<recipient@example.org>
```
Monitor outbound SMTP volume

```shell
# Count current outbound SMTP connections grouped by destination IP (skip the ss header line);
# run it under watch or cron to see the per-minute trend
ss -tn 'dport = :25' | awk 'NR>1 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
# Watch Postfix mail queue depth (quote the pipeline so tail runs inside watch, not on watch's output)
watch -n 5 'mailq | tail -1'
```
fail2ban rule for SMTP AUTH brute force

```ini
# e.g. in /etc/fail2ban/jail.local
[postfix-sasl]
enabled = true
port = smtp,465,submission
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600
```
Snort rule — detect open relay abuse

```
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"SMTP open relay attempt"; flow:to_server,established; \
    content:"RCPT TO"; nocase; \
    pcre:"/RCPT TO:\s*<[^@]+@(?!yourdomain\.com)[^>]+>/i"; \
    sid:9001002; rev:1;)
```

Replace yourdomain.com with the domains the server actually hosts, so that normal inbound mail for your own users does not match; legitimate authenticated submissions from roaming clients on port 25 will still trigger it, so tune $EXTERNAL_NET or move submission to port 587.
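The two log-based indicators above (SMTP AUTH brute force followed by a successful login, and an account suddenly submitting mail to hundreds of recipients) can be correlated directly from Postfix mail.log. The following script is an added example, not part of the original page: the log excerpt is constructed, the regexes follow the standard Postfix smtpd/qmgr log format, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt: five SASL failures from 203.0.113.5, a successful
# LOGIN as "alice" from the same IP, then a 250-recipient submission on that queue id.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:02 mx postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:03 mx postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:04 mx postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:05 mx postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:09 mx postfix/smtpd[2210]: 7F3A1B2C4D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:15:10 mx postfix/qmgr[1180]: 7F3A1B2C4D: from=<alice@example.com>, size=2048, nrcpt=250 (queue active)
Mar  3 10:16:00 mx postfix/smtpd[2211]: 8A4B2C3D5E: client=laptop.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Mar  3 10:16:01 mx postfix/qmgr[1180]: 8A4B2C3D5E: from=<bob@example.com>, size=512, nrcpt=1 (queue active)
"""

AUTH_FAIL = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
AUTH_OK = re.compile(r"(?P<qid>[A-F0-9]+): client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")
QUEUED = re.compile(r"qmgr\[\d+\]: (?P<qid>[A-F0-9]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def analyze(lines, fail_threshold=5, rcpt_threshold=100):
    """Return (user, ip, failures) logins preceded by a brute force, and (user, recipients) bulk submitters.
    Thresholds are assumed defaults; tune them to the server's normal traffic."""
    fails = defaultdict(int)      # client IP -> failed SASL attempts seen
    auth_ips = defaultdict(set)   # sasl_username -> IPs that authenticated successfully
    qid_user = {}                 # queue id -> account that submitted it
    rcpts = defaultdict(int)      # sasl_username -> total recipients queued
    for line in lines:
        if m := AUTH_FAIL.search(line):
            fails[m["ip"]] += 1
        elif m := AUTH_OK.search(line):
            auth_ips[m["user"]].add(m["ip"])
            qid_user[m["qid"]] = m["user"]
        elif m := QUEUED.search(line):
            rcpts[qid_user.get(m["qid"], "unauthenticated")] += int(m["nrcpt"])
    brute = [(u, ip, fails[ip]) for u, ips in auth_ips.items()
             for ip in sorted(ips) if fails[ip] >= fail_threshold]
    bulk = [(u, n) for u, n in rcpts.items() if n >= rcpt_threshold]
    return {"brute_force": brute, "bulk": bulk}

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(kind, hits)
```

Feed it `tail -f /var/log/mail.log` in a sliding window to alert in near real time; a hit on both checks for the same account is a strong sign of a hijacked credential being used for relay.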
✅Mitigation
- Disable open relay immediately: Configure your MTA (Postfix, Exim, Sendmail) to only relay mail for authenticated users or trusted internal networks. In Postfix: smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
- Enforce SMTP AUTH: Require TLS + SMTP authentication for all outbound mail submissions. Disable plaintext AUTH mechanisms (LOGIN, PLAIN without TLS).
- Rate-limit outbound SMTP: Implement sending rate limits per user/IP using the Postfix anvil service or equivalent.
- Monitor and alert on queue depth: Alert when the mail queue exceeds a threshold (e.g., 500 messages); sudden queue spikes indicate relay abuse.
- Request delist from block lists: After remediation, submit delisting requests to Spamhaus, Barracuda, and other RBLs. Check status at MXToolbox.
- Implement SPF, DKIM, DMARC: Publish SPF records restricting authorized senders, sign outbound mail with DKIM, and enforce DMARC policy (p=reject) to prevent domain spoofing.
- Audit mail credentials: Reset all SMTP account passwords. Review mail logs for unauthorized SMTP AUTH sessions and block offending IPs.
- Block port 25 outbound for non-mail hosts: Use firewall rules to restrict outbound SMTP to designated mail servers only.
📋Real-World Examples
Rustock Botnet (2006–2011): Rustock was a spam botnet that, at its peak, was responsible for sending an estimated 30 billion spam emails per day — roughly 40% of global spam volume. It relayed spam through hundreds of thousands of compromised Windows machines. Microsoft and US Marshals seized its C2 servers in March 2011, causing global spam volume to drop by 40% overnight.
Yahoo Mail Credential Stuffing (2016): Following the 2013 Yahoo data breach exposure, attackers used harvested credentials to authenticate to Yahoo SMTP servers and send hundreds of millions of spam messages through legitimate Yahoo infrastructure, damaging IP reputation and triggering Gmail and Outlook bulk sender blocks.