Open SMTP (Email) Servers on Your Network

Barry Greene
2 min readJun 9, 2021

(Last Updated On: June 8, 2021)

Do you know if you have open SMTP servers on your network? In May, Qualys released 21 vulnerabilities to Exim (see Qualys Security Advisory 21Nails: Multiple vulnerabilities in Exim). Exim is a popular Mail Transfer Agent (MTA) available on Unix operating systems and comes pre-installed on Linux distributions. The easy access and wide SMTP/Exim MTAs use have consequences. Your network can have open and vulnerable SMTP/Exim MTAs on your network, vulnerable, and open to exploit. Qualys pointed out that 10 of the disclosed vulnerabilities are remote exploitable along with a POC video on how it works (see 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server).

It is a race … who can find these exposed servers first — the miscreants or the people trying to protect the organization?

Don’t go rushing off to buy a “scanning solution!” Shadowserver’s public benefit daily network reports have extended their SMTP report to include all the 21 Nails vulnerabilities. Shadowserver’s 2021–05–18 scan uncovered 317,848 Open SMTP servers with distinct IPs that are likely vulnerable based on the connected banner identification. The illustration demonstrates the risk per country. Is your network on that list?

Details about the format of the news reports being shared can be found in the Vulnerable SMTP report page and Accessible SMTP Report page. All existing Shadowserver report subscribers are now automatically receiving the Vulnerable SMTP report if any potentially vulnerable SMTP (currently Exim only) services are identified within their networks and countries (for national CSIRTs). If you are an existing subscriber and would like to receive the optional Accessible SMTP Report please send us a request via Shadowserver’s contact page.

If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new report and our other existing report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists, and other sources), then please sign up to Shadowserver’s free daily public benefit network remediation feed service.

Originally published at on June 9, 2021.