What is SMTP authentication? Secure e-mail against spam

To send threatening letters or unwanted advertising by post, all you need to do is write an incorrect sender address on the envelope. A similar method can be applied to e-mails. According to research done by Kaspersky Lab in 2017, the biggest source of spam was the US, which accounted for 13.21%. Other notable global phishing events include “Nigerian” scammers with an inheritance scheme, and other large sporting events. SMTP authentication provides basic security to prevent such unsolicited spam and phishing attempts.

SMTP authentication, also known as SMTP AUTH or ASMTP, is an extension of the extended SMTP (ESMTP), which, in turn, is an extension of the SMTP network protocol. It allows an SMTP client (i.e. an e-mail sender) to log on to an SMTP server (i.e. an e-mail provider) via an authentication mechanism. In this way, only trustworthy users can feed e-mails into the network via the server, and forward them. In addition, the log data can be used to determine who used the server as a mail relay.

SMTP AUTH prevents an SMTP server from being misused as an open mail relay and distributes spam within a network. The need for this procedure is due to the inherent features of the original 1982 SMTP, which did not provide user authentication by default. For this reason, open mail relays were the norm until about 1997, i.e. mail servers that forward all e-mails regardless of the sender or recipient address. What seems absurd in today’s environment was originally founded in good reason: system errors and server failures were more frequent, so open mail relays could maintain regular traffic even in emergency situations.

However, the widespread use of such unprotected relays led to the proliferation of spam. Morally questionable advertisers and malicious criminals (above all, the notorious “spam king” Sanford Wallace with his Cyberpromo firm) used the open servers with stolen or invented e-mail addresses to distribute spam. The term given to this practice is “mail spoofing”.

Since the servers did not have additional authentication mechanisms at the time, they accepted the spam mails without difficulty and fed them into the network. By using external hardware, the spammers also saved their own resources and so could not be traced back. Furthermore, the constant change of fake addresses made it possible to avoid spam filters. Various countermeasures have been deployed to solve the problem of open mail relays – first SMTP-After-POP and then ESMTP and ASMTP in 1995. By 2005/2006, the number of open mail relays had shrunk from several hundred thousand to a negligible fraction.

Although the situation is no longer as critical as it was then, according to the non-profit organization Spamhaus, spammers are still finding 10 to 20 new open servers in the network per day. Sometimes these are the result of frivolous and inexperienced administrators. However, according to Spamhaus, the problem often lies with poorly configured or cracked firewalls and external security applications – not necessarily with the server configuration itself, as is often the case with small, regional businesses. If an application lets spam mail through, it is forwarded to the server via a local SMTP connection with the IP address of the respective application, which then treats it as trustworthy. Additionally, more and more spammer botnets from “zombified” home computers are used as relays.

Now, open mail relays instrumentalized for spam are usually identified as such after just a few hours or days and then end up on so-called blacklists. This means that even legitimate e-mails end up in the recipient’s spam filter, so that the operator of a mail server must first take care of closing the security hole and then try to delete them from the list to operate normally again. Spammers not only cost businesses money by generating high traffic at the expense of their hardware speed, they can also tarnish a business’s reputation and consume a lot of unnecessary time.

It is for this reason, that all mail servers these days use ESMTP in conjunction with ASMTP. They then always require authentication before using their e-mail service. An optimally configured SMTP relay (also called “smart host”) is a server that only forwards e-mails from senders to third parties if it’s responsible for both parties. In simple language: incoming mails are only sent to registered users, and only those who are authorized to use the mail server can send outgoing mails.

An essential feature of ASMTP is that e-mails are accepted via port 587/TCP (the SMTP AUTH port), instead of the traditional port 25/TCP. This is a mandatory feature of ESMTP. The protocol contains a selection of authentication mechanisms with different levels of security, which, depending on its configuration, an SMTP server can use in order to check the trustworthiness of the SMTP client.

These authentication mechanisms include the following:

• PLAIN: an authentication via the username and password of the client. Both are transmitted unencrypted and then encoded in the Base64 character set.
• LOGIN: works similarly to PLAIN but the Base64 character set for the username and password are transferred in two steps rather than just one.
• CRAM-MD5: an alternative to PLAIN and LOGIN with a higher level of security according to the challenge-response principle. Since spammers can decode a user’s personal access data relatively quickly from the Base64 character set, the password is not transferred to the server in code or in plain text via this mechanism. Instead, the server provides the client with a kind of computational task that can only be solved with the help of the password. This task changes with each login so spammers cannot misuse data from previous server connections.
• Other mechanisms offered include GSSAPI, DIGEST-MD5, MD5, OAUTH10A, OAUTHEBEARER, SCRAM-SHA-1, and NTLM.

An example of an authentication via LOGIN:

The following are a set of instructions for Outlook:

1. Select “Account Settings” in the menu
2. Choose your account and click on “Change”
3. Select “Further Settings”
4. In the newly-opened window, navigate towards “Outgoing Server” and activate the option “My outgoing server (SMTP) requires authentication”
5. Check the box titled “Use same settings as my incoming server”
6. Confirm it with “OK” and the window will close
7. Click on “Next” for Outlook to check the new account settings and click “Close” as soon as the test is complete
8. To finalize, click on “Finish” and then “Close”

You can use the Telnet client to check whether a mail server functions as an open relay or SMTP AUTH (for example if you set up your own mail server). Some spammers also use it to manually locate open mail relays. SMTP and ESMTP are purely text-based protocols, which is why you can also start and execute a client server session manually. All you need is your username and password in Base64 code, which you can get on websites like base64encode.net.

The SMTP AUTH test proceeds as follows:

1. Try to establish a connection with the SMTP server via Port 25/TCP by using the command “telnet smtp.example.com 25” (replace “smtp.example.com” with the domain of your mail server)
2. The server should answer with the status code “220 smtp.example.com ESMTP postfix” and the session should then begin
3. The server will welcome you with “EHLO smtp.example.com”
4. The server will offer a selection of authentication mechanisms as shown in the example above where you can select, for example, LOGIN by entering the command “AUTH LOGIN”
5. Now comes the actual test: after the commands ‘MAIL FROM’ and ‘RCPT TO’, enter a made-up sender and recipient address, i.e. one that does not exist. If the server responds with an error message, ASMTP is configured correctly, meaning your server is not an open mail relay. If the server confirms both commands with a “250 OK” there is no need for improvement.

Alternatively, you can test the SMTP AUTH test by using external tools such as by the company MxToolbox, Inc.. It also offers a blacklist checker that allows you to check in case of suspicious behavior.