SMTP Relaying

We have a customer that uses a database application. Part of this application allows you to bulk e-mail people on the database (lets call them clients!)

The software gives you two options

1) Let Outlook do the heavy lifting

2) Specify an SMTP server and the software will send the emails via that

We can’t use the Outlook method as a security message is displayed for every email sent. If this were for 5000 clients that’s a lot of dialog boxes! 

Now the software doesn’t authenticate with the SMTP server so as far as it’s concerned your trying to relay.

We got the software working by allowing the IP address of the computer to relay on the SMTP server.

I wasn’t too pleased about this setup for a couple of reasons

Firstly while we’re only allowing one IP address to relay at the moment our customer would like any of the users to be able to use the functionality.

Second, I don’t want any unauthenticated users to be able to relay. What if that particular computer becomes infected with some nasty software. It wouldn’t take much to scan the local subnet for an SMTP server and it would be SPAM for everyone!

However, we have lots of different types of protection in place. Anti-virus on the desktop. Anti-virus at the mail server. Mail is filtered by a third party before it comes into the network and their IP address is the ONLY inbound SMTP traffic allowed. This means that the odds of the nasty scenario actually occurring are quite small.

But it still could happen! The odds of it increase if we allow all users to relay so I told our customer I wouldn’t recommend this configuration.

At the moment the software vendor have no plans to change their software.

There is a user group for the software so our customer sent an email around to see how everyone else was using it.

We had about 15-20 replies and only one of them agreed that there was a problem here.

I believe that security starts from the INSIDE. Just because the SMTP server can’t be a relay from the Internet doesn’t make it any less of a threat.

So am I in the wrong? I am really worrying over nothing or are all those other users exposing themselves? (so to speak!) Should the vendor be doing more with their software?

Any comments would be greatly received