Emails are sent from a source server to a destination server (sometimes through multiple hops) via the SMTP protocol. When you use a webmail client — think Gmail, Yahoo, Fastmail, or OWA — to send an email, the web server sends emails to its bundled SMTP server and handles authentication for you. When you send an email through a desktop client (like Outlook, Thunderbird, or some mobile clients), the client connects directly to the configured SMTP server, authenticates, and sends the email.

The problem is that email is an old and arcane system designed for a less hostile world. SMTP servers are often configured to allow unauthenticated connections to send emails, allowing an attacker to spoof email addresses for phishing or spamming. In some intranet configurations, these emails could appear to be authentic with no way to tell if they were really sent by the sender’s email account.

If there is an open SMTP relay on your company network, here is a quick way to make some money (and then go to jail):

ncat -t -C 25 <<EOF
mail from:<>
rcpt to:<>
From: "Mr. CEO"
To: "HR"
Date: Wed, 01 Apr 2021 12:01:01 -0500
Subject: Give John Smith a bonus

He deserves a $10k bonus.



The preceding command would send an email to the HR department that pretends to come from the CEO and asks for John Smith to be given a bonus. ncat is a modern netcat utility with flags for telnet compatibility (-t) and for converting line endings to CRLF (-C), which some SMTP servers require.

The best way to close an SMTP relay and prevent everyone from getting $10k is to require authentication and ensure that permissions do not allow authenticated users to send email as other people without proper authorization.
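
The two rules in the paragraph above, sketched as an added example (not code from the original article): a submission check that rejects unauthenticated clients and rejects authenticated users whose envelope sender or From header is not an address they are authorized to send as. The `SEND_AS` table, the example.com addresses, and the function name `check_submission` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed policy table: addresses each authenticated login may send as.
SEND_AS = {
    "ceo": {"ceo@example.com"},
    "assistant": {"assistant@example.com", "ceo@example.com"},  # delegated
    "jsmith": {"jsmith@example.com"},
}

# Constructed message modelled on the spoofed email in the article.
MESSAGE = (
    'From: "Mr. CEO" <ceo@example.com>\r\n'
    'To: "HR" <hr@example.com>\r\n'
    "Subject: Give John Smith a bonus\r\n"
    "\r\n"
    "He deserves a $10k bonus.\r\n"
)


def check_submission(auth_user, mail_from, raw_message, send_as=SEND_AS):
    """Return (accepted, reason). auth_user is None if the client never authenticated."""
    if auth_user is None:
        return False, "authentication required"
    allowed = {a.lower() for a in send_as.get(auth_user, ())}
    if not allowed:
        return False, "login has no send-as rights"
    # Envelope sender (MAIL FROM) must belong to the authenticated login.
    envelope = parseaddr(mail_from)[1].lower()
    if envelope not in allowed:
        return False, "envelope sender not permitted"
    # The From header is what the recipient sees, so it is checked separately.
    from_values = message_from_string(raw_message).get_all("From", [])
    if len(from_values) != 1:
        return False, "exactly one From header required"
    authors = [addr.lower() for _, addr in getaddresses(from_values)]
    if not authors or any(addr not in allowed for addr in authors):
        return False, "header From not permitted"
    return True, "ok"


if __name__ == "__main__":
    for user in (None, "jsmith", "assistant", "ceo"):
        sender = f"<{user or 'ceo'}@example.com>"
        print(user, check_submission(user, sender, MESSAGE))
```

Checking the From header in addition to the envelope sender matters because an authenticated user can put their own address in MAIL FROM while still placing someone else's name in the header the recipient reads.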