Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.








Port Authority Database

Port 25

Name: smtp

Purpose: Simple Mail Transfer Protocol

Description: 
SMTP is the protocol used to shuttle eMail across the Internet from one mail server to another. Over its years of use, the protocol has evolved significantly to become much more capable, and much less "simple" than it was in the beginning.

SMTP servers open and listen for incoming connections on port 25. Another SMTP server, or a personal eMail client, will connect to the server on its port 25 to transfer some eMail into it for subsequent forwarding toward its destination.

Related Ports: 110, 143




Background and Additional Information:

Electronic mail (eMail) is transferred among servers and clients in several different phases using a number of different protocols. The SMTP protocol is used by end-user eMail clients (and unfortunately by spammers) to inject eMail into the Internet, and also to move it toward its eventual destination.

Once the eMail has arrived at its destination it is "picked up" by eMail clients using one of a number of different protocols. The two most popular are POP (Post Office Protocol), a service usually running on port 110, and IMAP (Internet Message Access Protocol), a service usually running on port 143. The Port Authority database discusses the roles of those protocols in greater detail.

SMTP Servers

Although it is certainly possible for an end-user's personal computer to be running an SMTP server, it is unusual for end-users to do so. SMTP servers are usually operated by ISPs to provide for their customers' eMail needs, or by larger corporations for inter-employee eMail (which never leaves the facility) as well as external eMail exchange with the rest of the Internet.

If our tests have revealed that your port 25 is open and accepting connections, and you are not knowingly operating an SMTP server, you should determine what has opened and is listening at that port. A glance at some of the names of Trojan programs known to inhabit port 25 (see the end of the page), such as "Email Password Sender" and "Mail Bombing Trojan", shows that port 25 has been a source of some trouble in the past.

SPAM

Aside from the possibility of Trojan programs operating at that port, the security implications of SMTP mostly center on the growing trouble with unsolicited commercial eMail (UCE), commonly known as SPAM. Much of the trouble arises from the fact that SMTP servers have historically accepted eMail from anyone and made it their job to forward that eMail toward its destination. In other words, "back in the good old days", SMTP servers were generally quite trusting about the eMail they received and accepted. This trust has since been abused by spammers, who began dumping large quantities of eMail onto arbitrary, well-connected SMTP servers.

Open Mail Relays

Servers which accept eMail from anyone for forwarding toward its destination are termed "Open Mail Relays". They tend to be quickly discovered by spammers who seek the anonymity of dumping their unwanted eMail for someone else to deliver (thus avoiding the various "blacklists" which have arisen in an attempt to thwart SPAM). The severity of this problem has forced well-maintained SMTP servers to be updated to no longer accept "pass it along" eMail. EMail must either be from an end-user who logs into the server using a known and authentic account name and password, or accepted from another SMTP server and addressed to the account of one of the server's users. No other eMail will be accepted or sent, and SMTP servers will no longer forward eMail on behalf of other SMTP servers or non-authenticated users unknown to them.

If our analysis has discovered that your system has port 25 open, and you are not deliberately and knowingly operating a "closed" eMail server, there's some possibility that this port may be used for SPAM forwarding. This open relay testing site: http://www.abuse.net/relay.html can safely check your system's current IP (shown near the top of our port testing pages) for open eMail relay vulnerability.
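The closed-relay rule described above, modelled as a small Python sketch of the server side of the RCPT TO decision. This is an added example, not code from this page or from any GRC product; the hosted domain, the account, and the exact reply texts are constructed for illustration.

```python
import base64
from dataclasses import dataclass

# Constructed sample data: the domain this server hosts and its user accounts.
LOCAL_DOMAINS = {"example.com"}
ACCOUNTS = {"alice": "s3cret"}

@dataclass
class Session:
    authenticated: bool = False   # has the client logged in with a known account?

def plain_token(user: str, password: str) -> str:
    """Build the base64 payload a client sends with AUTH PLAIN (RFC 4616 form)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def address_domain(addr: str) -> str:
    """Lower-cased domain of an address such as <bob@example.com>; raises on bad syntax."""
    addr = addr.strip().strip("<>")
    if addr.count("@") != 1 or not addr.rsplit("@", 1)[1]:
        raise ValueError(addr)
    return addr.rsplit("@", 1)[1].lower()

def relay_decision(session: Session, rcpt: str) -> str:
    """Closed-relay rule: accept mail for our own domains or from a logged-in user; refuse the rest."""
    try:
        domain = address_domain(rcpt)
    except ValueError:
        return "501 5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS or session.authenticated:
        return "250 2.1.5 OK"
    return "554 5.7.1 Relay access denied"   # this refusal is what keeps the server off relay blacklists

def handle(session: Session, line: str) -> str:
    """Reply to one client command (only the commands this example needs)."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "AUTH" and arg.upper().startswith("PLAIN "):
        try:   # decode "<authzid>\0<user>\0<password>"; anything malformed is rejected
            _, user, password = base64.b64decode(arg.split(" ", 1)[1]).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        session.authenticated = ACCOUNTS.get(user) == password
        return ("235 2.7.0 Authentication successful" if session.authenticated
                else "535 5.7.8 Authentication credentials invalid")
    if verb == "RCPT":
        return relay_decision(session, arg.partition(":")[2])
    return "500 5.5.1 Command unrecognized"
```

An unauthenticated client is only ever allowed to address the server's own users; the same recipient at a foreign domain is accepted only once the client has logged in.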

The SMTP RFC (the complete specification)

The specification of every nuance and detail of the SMTP protocol:

  http://www.ietf.org/rfc/rfc2821.txt

  http://www.faqs.org/rfcs/rfc2821.html

Trojan Sightings: Ajan, Antigen, Barok, BSE, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy

The entire contents of this page are copyright © 2008 by Gibson Research Corporation.


Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.