Can I get a list of open relays in mail to use for pentest?
I'm currently pentesting a client (with permission of course) and we are testing their email filtering capabilities. We want to check whether they reject mail coming from open mail relays, but I seem unable to find any. Is there a list somewhere that we can use?
There are Domain Name System-based Blackhole List (DNSBL) like SORBS, but they all work the other way around, allowing to test reputation for known IP address. There's a good reason for that. While you may have permission to test your client's systems, but you don't have permission to use 3rd party servers for your penetration testing! The open relay servers are typically in this condition by accident.
You are confusing two different things: technological term open relays and Mailgun’s service, which isn't really open as it needs registration. The latter is not illegal, but for the same reason it's not any good for your penetration testing, as it's not necessarily blocked by a DNSBL even if your client has one or more configured. Instead, you should be testing if your client's server works as an open relay or a partly open relay due to misconfiguration. Recommendations regarding inbound spam filtering can be given without testing, based on the mail server configuration.