orbs envelopes

The current set of vulnerablities ORBS checks for is as follows:

classic "wide open relay"

   MAIL FROM:<spambag@fake.domain>
   RCPT TO:<victim@target>

the classic "wide open relay"

sendmail 8.8, double quote

   MAIL FROM:<spambag@fake.domain>
   RCPT TO:<"victim@target">

with the "" in there. Sendmail 8.8-specific (although Lotus Notes and other MTAs may exhibit this fault if incorrectly secured). Patch has been available since August 1998 - see the sendmail section of the ORBS fixup page Heavily exploited by spammers.

no < >

   MAIL FROM:<spambag@fake.domain>          
   RCPT TO: victim@target

no <>, this test is non-RFC821 compliant. Typical failures are MS Exchange and SLmail betas

no domain

    MAIL FROM:<spambag> - no domain, vulnerable machines usually add their local domain 
   RCPT TO:<victim@target>

Typical machines which fail this are Post.Office and Intermail, or improperly setup sendmail 8.8

relay

   MAIL FROM:<spambag@fake.domain>
   RCPT TO:<victim%target@{relay}>

{relay} is tested as [IP.address] IP.address and reverse.DNS.name. Heavily exploited by spammers and mailbombers. Most Lotus Notes/Domino installations fail this.
Recently fixed - see /otherresources.cgi Most Novell Groupwise installations fail this no matter what antirelay settings are used. MX (a VMS MTA) will fail this unless the latest version is used. Many badly secured sendmail installations fail this test.
Some cc:mail installations will mailbomb themselves to death with looping mail when this test is carried out. However these are usually the same ones which mailbomb themselves to death with looping mail whenever they receive mail addressed to postmaster@open.relay.

%

   MAIL FROM:<spambag@fake.domain> 
   RCPT TO:<victim@target@{relay}>

Variation on the % address routing vulnerability above. not commonly used by spammers (yet).

uupc addressing

   MAIL FROM:<spambag@fake.domain>
   RCPT TO:<target!victim@{relay}>

Mixed UUCP and Internet addressing. Typical failures are Sendmail installations with FEATURE(nouucp) set.

pathing

   MAIL FROM:<spambag@fake.domain> 
   RCPT TO:<@{relay}:victim@target>

Another pathing vulnerability attack. Heavily exploited by mailbombers, usually as a multihop attack - RCPT TO:<@{relay1},@{relay2},@{relay3}:victim@target> - however also being used increasingly by spammers.

ORBS does not test the multihop variation.

uucp

   MAIL FROM:<fake.domain!spambag>
   RCPT TO:<target!victim>

This is old style UUCP pathing and more commonly used by mailbombers than spammers

!

   MAIL FROM:<spambag>            
   RCPT TO:<target!victim>

null sender

                                                                
   MAIL FROM:<> - "NULL sender." 
   RCPT TO:<victim@target>

This envelope must NOT be filtered from local delivery, as it's used for bounce messages, however it must not be allowed to relay.

common

   MAIL FROM:<spambag@{relay}>
   RCPT TO:<victim@target>

This is the only check most of the online testers actually perform. (This attack used to be the second most common form of spam relaying seen, but is currently rare.)