PASSED
infrastructure / smtp_relay_open_relay_abuse

SMTP Relay Open Relay Abuse — Spam Storm

An internal SMTP relay that already accepts unauthenticated relaying becomes an open relay to the world when a firewall change exposes it to the internet. Spammers discover and abuse it within hours, sending thousands of spam emails through it, and the company's mail server IP ends up on public blocklists.

Pattern
EXCHANGE_EVENT
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands

Test Results

Metric               | Expected       | Actual         | Result
Pattern Recognition  | EXCHANGE_EVENT | EXCHANGE_EVENT |
Severity Assessment  | CRITICAL       | CRITICAL       |
Incident Correlation | Yes            | 6 linked       |
Cascade Escalation   | N/A            | No             |
Remediation          | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Postfix SMTP relay in the DMZ. A firewall rule change exposes TCP port 25 to the internet, and the relay is configured to accept unauthenticated relaying from any source, so it becomes an open relay. 15,000 spam emails are sent through it in 4 hours, and the company's mail server IP is added to 3 major blocklists.

Injected Error Messages (2)

SMTP relay abuse detected — message queue exploded to 15,000 messages in 4 hours, open relay exploitation from external IPs, mail flow backed up with spam messages, relay processing 62 messages/second from unauthorized senders, legitimate mail flow delayed
Company mail server IP blacklisted on 3 major blocklists (Spamhaus, Barracuda, SORBS) — mail flow blocked to major recipients (Gmail, Microsoft), legitimate outbound email bouncing with 'rejected by blocklist' errors, message queue growing with undeliverable legitimate mail
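The first injected alert counts messages "from unauthorized senders". The script below, an added example and not code from this page or from Corax, derives that count from Postfix smtpd log lines: each accepted message is logged as `<queue-id>: client=host[ip]`, and an authenticated submission additionally carries `sasl_method=` and `sasl_username=`, so anything without `sasl_method=` from a client outside `$mynetworks` was relayed unauthenticated. The `MYNETWORKS` value, the host names and addresses, and the sample log lines are constructed for the example; it handles IPv4 clients only.

```shell
#!/bin/sh
# Added example: count messages Postfix accepted from unauthenticated clients
# outside the trusted networks, i.e. relayed for strangers. Not from the page.

# Trusted networks, mirroring the relay's $mynetworks (assumed values).
MYNETWORKS='127.0.0.0/8 10.20.0.0/16'

# Constructed sample log lines (documentation address ranges, not real traffic).
# The last line is a rejected attempt, which must not be counted as relayed.
SAMPLE_LOG='Mar 30 10:00:00 smtp-relay01 postfix/smtpd[4021]: 7A1B2C3D4E: client=mail.corp.example[10.20.0.15]
Mar 30 10:00:00 smtp-relay01 postfix/smtpd[4022]: 8B2C3D4E5F: client=laptop.corp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Mar 30 10:00:01 smtp-relay01 postfix/smtpd[4023]: 9C3D4E5F6A: client=unknown[203.0.113.10]
Mar 30 10:00:01 smtp-relay01 postfix/smtpd[4024]: AD4E5F6A7B: client=unknown[203.0.113.10]
Mar 30 10:00:01 smtp-relay01 postfix/smtpd[4025]: BE5F6A7B8C: client=unknown[203.0.113.11]
Mar 30 10:00:02 smtp-relay01 postfix/smtpd[4026]: CF6A7B8C9D: client=unknown[203.0.113.10]
Mar 30 10:00:02 smtp-relay01 postfix/smtpd[4023]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@example.net> to=<x@example.org> proto=ESMTP helo=<spam>'

# Reads Postfix log lines on stdin; prints "<ip> <accepted-message-count>" for every
# client that was accepted without SASL authentication from outside MYNETWORKS.
unauthorized_relay_clients() {
  awk -v nets="$MYNETWORKS" '
    function ip2n(ip,    o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # CIDR membership: drop the host bits of both addresses and compare what is left.
    function in_nets(ip,    i, p, shift) {
      for (i = 1; i <= nnets; i++) {
        split(netlist[i], p, "/"); shift = 2 ^ (32 - p[2])
        if (int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)) return 1
      }
      return 0
    }
    BEGIN { nnets = split(nets, netlist, " ") }
    # Only "queue-id: client=" lines are accepted messages; NOQUEUE rejects never match.
    /postfix\/smtpd\[[0-9]+\]: [0-9A-F]+: client=/ && !/sasl_method=/ {
      line = $0; sub(/.*client=/, "", line)          # "host[ip]..." remains
      if (match(line, /\[[0-9.]+\]/)) {              # IPv4 only (assumption)
        ip = substr(line, RSTART + 1, RLENGTH - 2)
        if (!in_nets(ip)) count[ip]++
      }
    }
    END { for (ip in count) print ip, count[ip] }
  ' | sort
}

# Exit status 0 when any unauthenticated external client exceeds THRESHOLD messages.
relay_abuse_detected() {
  unauthorized_relay_clients | awk -v t="$1" '$2 > t { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Usage: sh relaycheck.sh /var/log/mail.log    or    sh relaycheck.sh sample
case "${1:-}" in
  sample) printf '%s\n' "$SAMPLE_LOG" | unauthorized_relay_clients ;;
  "")     ;;
  *)      unauthorized_relay_clients < "$1" ;;
esac
```

On the sample this reports `203.0.113.10 3` and `203.0.113.11 1`: the trusted 10.20.0.15 host and the SASL-authenticated laptop are excluded, and the rejected 203.0.113.12 attempt is not counted because it was never queued. On a real relay, run it against `/var/log/mail.log` (or `journalctl -u postfix`) and alert on any non-zero output, since a properly restricted relay should never accept a message from an unauthenticated external client at all.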

Neural Engine Root Cause Analysis

The SMTP relay server (smtp-relay01) has been compromised as an open relay, allowing unauthorized external senders to inject spam messages at a rate of 62 messages/second. This has resulted in message queue explosion (15,000 messages in 4 hours) and is causing legitimate mail flow delays. The server is likely misconfigured with insufficient authentication controls or relay restrictions, making it vulnerable to abuse by spammers.

Remediation Plan

1. IMMEDIATE: Block external relay access by implementing strict relay restrictions (allow only authenticated users or specific IP ranges).
2. Purge spam messages from the mail queue using mailq/postqueue commands.
3. Implement proper authentication mechanisms (SMTP AUTH) for legitimate senders.
4. Configure rate limiting and connection limits.
5. Review and harden SMTP relay configuration to prevent future abuse.
6. Monitor mail queue and throughput for 24-48 hours post-remediation.
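Steps 1 to 4 of the plan in concrete Postfix terms, as an added example rather than anything from this page or from Corax: the settings that close the relay and cap per-client rates, and a queue cleanup that removes only messages from the spam sender while leaving legitimate queued mail in place. The trusted network range, the sender pattern and the sample `postqueue -p` output are assumptions for the example, as is Postfix 2.10 or later (where `smtpd_relay_restrictions` exists), an SASL backend and TLS certificates already in place. One caveat on step 2: `mailq` and `postqueue -p` only list the queue; deleting from it requires `postsuper`.

```shell
#!/bin/sh
# Added example: close the open relay on smtp-relay01 and purge the spam it queued.
# Not code from the page or the Corax product; values below are assumptions.
set -e

# The weak configuration behind the incident is one of these (do NOT apply):
#   mynetworks = 0.0.0.0/0
#   smtpd_relay_restrictions = permit
# Either one lets any client that reaches port 25 relay to any destination.

# Hardened settings: relay only for trusted networks or SASL-authenticated clients,
# refuse AUTH on plaintext sessions, and rate-limit connections and messages per client.
harden_relay() {
  postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128 10.20.0.0/16'
  postconf -e 'smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
  postconf -e 'smtpd_sasl_auth_enable = yes'
  postconf -e 'smtpd_tls_auth_only = yes'
  postconf -e 'smtpd_client_connection_rate_limit = 30'
  postconf -e 'smtpd_client_message_rate_limit = 60'
  postconf -e 'anvil_rate_time_unit = 60s'
  postfix reload
}

# Confirm the running configuration actually reaches reject_unauth_destination.
verify_relay_restrictions() {
  postconf -h smtpd_relay_restrictions | grep -q 'reject_unauth_destination'
}

# Reads "postqueue -p" output on stdin and prints the queue IDs of messages whose
# envelope sender matches the extended regex PATTERN. A queue-ID line looks like
#   7A1B2C3D4E*     1200 Mon Mar 30 10:00:01  sender@example.net
# ('*' = active, '!' = on hold); indented lines below it are recipients or errors.
queue_ids_by_sender() {
  awk -v pat="$1" '
    /^-Queue ID-/ || /^--/ || NF == 0 { next }          # header, trailer, separators
    $1 ~ /^[0-9A-Fa-f]+[*!]?$/ && NF >= 7 {             # id size day mon date time sender
      id = $1; sub(/[*!]$/, "", id)
      if ($NF ~ pat) print id
    }'
}

# Remove matching messages; postsuper -d - reads queue IDs from stdin, one per line.
purge_queue_by_sender() {
  postqueue -p | queue_ids_by_sender "$1" | postsuper -d -
}

# Constructed sample of postqueue -p output (not a real queue) for testing the filter.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
7A1B2C3D4E*     1200 Mon Mar 30 10:00:01  bulk-93@spam-example.net
                                         victim1@gmail.com
                                         victim2@outlook.com

9C3D4E5F6A      2200 Mon Mar 30 10:00:05  alice@corp.example
                                         partner@example.org

AD4E5F6A7B!     1100 Mon Mar 30 10:00:09  bulk-94@spam-example.net
(host mx.example.org[192.0.2.5] said: 550 5.7.1 Service unavailable; client blocklisted)
                                         victim3@gmail.com

-- 4 Kbytes in 3 Requests.'

# Usage: sh relayfix.sh harden | purge '<sender regex>' | sample
case "${1:-}" in
  harden) harden_relay && verify_relay_restrictions ;;
  purge)  purge_queue_by_sender "$2" ;;
  sample) printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_by_sender '@spam-example[.]net$' ;;
esac
```

On the sample the filter selects `7A1B2C3D4E` and `AD4E5F6A7B` and leaves Alice's message untouched; always review that list before piping it into `postsuper -d -`. Purging by sender only works when the spam shares a recognisable envelope pattern; when it does not, `postcat -q <id>` shows the queued message with its originating client so a list can be built from the abusing IPs instead. After `harden`, confirm from an external host that an unauthenticated relay attempt now gets "Relay access denied".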
Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmnck1qqr0673obqentq48rts