What is Third-Party Mail Relay?
Friday, 14 March 2008 10:23

Summary

This document is an introduction to the third-party mail relay problem. We will describe what mail relay means. We will discuss why junk emailers do it, and why our mail server does not support anonymous, unauthenticated relaying.

 


What is it?

A third-party mail relay occurs when a mail server processes a mail message where neither the sender nor the recipient is a local user. This is illustrated in the figure to the right. In this example, both the sender and the recipient are outside the local domain. The mail server is an entirely unrelated third party to this transaction. The message really has no business passing through this server, unless the non-local sender is a legitimate user of the mail server. For the mail server to determine if you are a legitimate user, it requires you to prove your identity using the AUTH protocol.

Third-party relay has some legitimate uses. Network administrators have used it to debug mail connectivity. It has been used to route around known mail problems. Although it was rarely needed, it has proved useful on those occasions.

These days, however, the legitimate uses of mail relay are dwarfed by the number of mailer hijackings. A hijacking occurs when massive amounts of mail are relayed through a server. Most hijackings are done by junk emailers -- the so-called spammers -- trying to spew their unwanted messages all over the Internet.

In the past, mail relay was a useful tool. These days, thanks to the spammers, mail relay is a significant threat to Internet operations. Relaying should only be allowed for legitimate users who have proved their identity.

Why do spammers relay?

There are several reasons why spammers use third-party relays.

There are a number of dedicated spam operations flooding the net with unwanted junk mail from known, fixed locations. Many network administrators have started to filter out all connections from these so-called spamhaus operations. The spammers have had to develop new techniques to evade the blockades. Their current favorite is to hijack a third-party mail server. The spammers, in effect, launder their junk email through third-party relays to slip through the spam filters.

Spammers use relays to increase the number of messages they can spew. A lowly PC sitting at the end of a phone line can only pump out a limited number of messages. If, however, the spammer can get hold of a high-powered mail host with a super-fast net connection, then they can push through hundreds of times more junk mail. Further, if the spammer can relay through several mail servers in parallel, they can flood the net with extraordinary amounts of junk mail. The spammer credo is, "Why pay for expensive network and computer resources when we can just steal yours?"

Spammers can hide behind third-party relays. If a spammer sends junk email directly, network managers can trace back the connection and deal with the problem. If, instead, the spammer relays the mail, they may be able to obscure their identity. Even if the spammer can't hide completely, they will deflect a significant portion of the complaints away from themselves and towards the administrators of the hijacked host. In fact, many spammers forge bogus mail headers to encourage this misdirection.

Spammers hijack mail servers because it greatly increases the amount of spam they can deliver, all at no cost to them. Of course, they are stealing -- and possibly damaging -- your resources to do it. That doesn't concern the spammer. The entire junk email business is a scheme built upon the principle of shifting costs onto others.

Conclusion

An Internet mail server performs third-party relay when it processes a message from a non-local sender to a non-local recipient. At one time, this was a little-used but helpful feature. These days, junk emailers abuse this capability at an alarming rate. They use the stolen capacity to greatly increase the amount of spam they can deliver.

You may still use our mail server from outside our local network to relay your mail to other outside destinations, but only if you first prove your identity to the mail server.
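The relay rule described under "What is it?" and restated above can be written as a per-recipient decision. The sketch below is an added example, not this mail server's actual configuration or code. The domain example.edu, the network 192.0.2.0/24, the subdomain matching and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration; not the real server's settings.
LOCAL_DOMAINS = {"example.edu"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Session:
    client_ip: str       # address of the connecting SMTP client
    authenticated: bool  # True once the client has completed AUTH
    mail_from: str       # envelope sender (client-supplied, forgeable)
    rcpt_to: str         # envelope recipient

def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an envelope address."""
    return address.strip("<>").rpartition("@")[2].lower().rstrip(".")

def is_local_domain(domain: str) -> bool:
    """Match a local domain or any subdomain of it (an assumption)."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def is_local_client(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def relay_decision(s: Session) -> str:
    """Classify one RCPT TO request under the policy described above."""
    if is_local_domain(domain_of(s.rcpt_to)):
        return "accept: local delivery"
    if s.authenticated:
        return "accept: authenticated relay"
    if is_local_client(s.client_ip):
        return "accept: relay for local network"
    # mail_from is deliberately ignored: the client chooses that value,
    # so a local-looking sender proves nothing about who is connecting.
    return "reject: third-party relay denied"

# Constructed sample sessions (not real traffic).
SAMPLES = [
    Session("198.51.100.7", False, "a@elsewhere.example", "staff@example.edu"),
    Session("198.51.100.7", False, "staff@example.edu", "b@other.example"),
    Session("198.51.100.7", True, "staff@example.edu", "b@other.example"),
    Session("192.0.2.15", False, "staff@example.edu", "b@other.example"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.client_ip, s.rcpt_to, "->", relay_decision(s))
```

The second sample is the case to watch: an outside, unauthenticated client that merely claims a local sender address is still refused.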

Last Updated ( Friday, 14 March 2008 10:30 )
 
Copyright © 2008 The Regents of the University of California, All Rights Reserved.