Back in February, I wrote about how GFI MailEssentials (a widely-used anti-spam software) can't reject invalid recipients at the SMTP level. It's funny, because I pointed out to them in their product support forum how this has the potential to exploit their software to send backscatter spam. It appears that they don't take input seriously, or they don't understand the problem, because I exploited one of their own servers to send backscatter to myself. Before I explain how I did this, though, I need to provide a bit of detail about the MailEssentials software.
The MailEssentials software has a Bayesian statistical filter that you can "train" to detect legitimate mail versus spam. One way to do this is to forward a message to firstname.lastname@example.org and include a command at the top of the message. The program detects this outgoing e-mail address, checks the message for the command, and updates the Bayesian database accordingly.
Apparently, the mailessentials.com domain name is protected by MailEssentials, because recently I started getting bogus NDRs (non-delivery reports) when updating my Bayesian database. First, I looked up the MX record for this domain name. Next, I opened a telnet session on port 25 to the highest-priority server. I then entered some SMTP commands to see if I could send backscatter:
MAIL FROM: bogus_address
RCPT TO: email@example.com
Subject: Bogus NDR test
For bogus_address, I used a gmail.com address. Sure enough, the server accepted my mail, and sure enough, the bogus NDR was sent to the gmail.com address. In other words, I just exploited an anti-spam vendor's server to send backscatter.
This would be funny if it wasn't so frustrating. I've pointed out an exploitable flaw in their product's design, and not only do they not listen, they misconfigure their own server to allow the exploit...
(Update for April 16th: Apparently they finally figured this out and disabled bogus NDRs on their server.)