Behind the scenes, the commands sent to mail servers are simple text commands. These commands can be sent to an email server manually via Telnet. This is a quick way to test an email server to determine if it is an open relay.
First, determine the MX for the domain in question:
nslookup
set type=mx
mydom.com
This should return something like such as the following: Server: ns2.mydom.com
Address: 192.168.1.10
mydom.com preference = 10, mail exchanger = mx.mydom.com
mydom.com nameserver = ns.mydom.com
mx.mydom.com.com internet address = 1.1.1.1
mx2.mydom.com internet address = 1.1.1.2
The last two lines tell you about the mail server (MX = Mail Exchange). In this case, 1.1.1.1 and 1.1.1.2.
So, armed with this knowledge, note the following examples:
telnet 1.1.1.1 25
Server responds with: 220 mx.mydom.com SMTP
HELO
Server responds with: 250 OK
MAIL FROM:user@mydom.com
Server responds with: 250 Address Ok.
RCPT TO:user@otherdom.com
Server responds with: 250 user@otherdom.com OK
DATA
Server Responds (or may not): 354 Enter Mail
Enter message, and then on a new line, enter the following;
.
exit
The message should now be sent. By modifying the MAIL FROM and RCPT TO lines, you can test for open relay.
