There is a relaying technique that Exchange appears to be vulnerable to in all the open relay tests, even after you've put in all the recommended settings, but when you actually try to exploit the apparent vulnerability, the message isn't relayed and an NDR is generated. I'm guessing this is an example of that situation, in which case you are not relaying.
Too bad I've forgotten all the details, eh? -Peter -----Original Message----- From: Doug Kassay [mailto:[EMAIL PROTECTED]] Sent: Monday, September 23, 2002 11:20 To: Exchange Discussions Subject: Am I still a relay? (long and potentially confusing) Exchange 5.5 with latest SP (4 I think). I read and implemented all of MS articles that relate to relaying and think I have eliminated 99%. At one point we were getting flooded with ~ 1,000 messages per minute for relaying. As the exchange administrator, I have all inbound failure come to me. I get about 15 per day, which I check to make sure they are not misaddressed. Most of them (~75%) are to [EMAIL PROTECTED] or [EMAIL PROTECTED] (neither of which mailboxes exist). I don't think this is abnormal, what is weird is that ~ 2 - 3 per day make it appear as if we are still relaying. The message in question is always a duplicate of one that I received as in inbound failure to [EMAIL PROTECTED] For example at 5:06am I get an inbound failure to [EMAIL PROTECTED] with the following message from our server: "The following recipients did not receive the attached mail. Reasons are listed with each recipient: <[EMAIL PROTECTED]> [EMAIL PROTECTED] MSEXCH:IMS:Keystone Petroleum:OCTANE:KPPSVR01 0 (000C05A6) Unknown Recipient The message that caused this notification was:" The attachment is the email it self, and in this case says "get your license" At 5:07am I get a second inbound failure with the following server message: "The following recipients did not receive the attached mail. Reasons are listed with each recipient: <[EMAIL PROTECTED]> [EMAIL PROTECTED] MSEXCH:IMS:Keystone Petroleum:OCTANE:KPPSVR01 3550 (000B09B6) 550 <[EMAIL PROTECTED]>: User unknown The message that caused this notification was:" Again the attachment is the email and it is identical to the one at 5:06am Other oddities to note: The person listed in the from address field of both messages is always the name that is listed in the delivery failure notification of the second inbound failure. My guess to what is happening is that the original mail coming in has the flag set for received receipt, and it is our server sending out confirmation to a fake address and then that server saying that user does not exist. I would really appreciate any help on this matter as it has me quite stumped. Thanks ^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^ Keystone Petroleum Equipment, Ltd. 981 Trindle Road West Mechanicsburg, PA 17055 ^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^ Doug Kassay - Operations Specialist Phone 717-697-1651 Fax 717-697-8591 [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] ______________________________________________ This message is private or privileged. If you are not the person for whom this message is intended, please delete it and notify me immediately, and please do not copy or send this message to anyone else. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
