Odd ‘From’ Address in the Send Queue

While checking the send queues on my Exchange 2010 server, I noticed an email from somebody@notmydomain.com addressed to a yahoo.com recipient. I don’t allow unauthenticated SMTP traffic, so I was a little concerned. The details indicated that the message had originated on my HUB server with an external address. That’s not cool.

Here’s what the message detail looked like:

Identity: MYHUBSERVER\1705088\11638779
Subject: Have I got a deal for you!!!
Internet Message ID:
From Address: somebody@notmydomain.com
Status: Ready
Size (KB): 15
Message Source Name: SMTP:Default MYHUBSERVER
Source IP: 192.0.0.100 [My hardware load balancer’s IP address]
SCL: 0
Date Received: 3/23/2012 9:06:49 AM
Expiration Time: 3/25/2012 9:06:49 AM
Last Error:
Queue ID: MYHUBSERVER\1705088
Recipients: someone@yahoo.com

So how did somebody@notmydomain.com use my Exchange server to relay an email to Yahoo? It was so easy they didn’t even have to try. In fact, they didn’t even know they had done it. I searched the message transport log for the text string “notmydomain.com” and found an inbound message from somebody@notmydomain.com with the subject line “Have I got a deal for you!!!” to myuser@mydomain.com.

Ding!

There was one of two things going on here: 1) Myuser@mydomain.com is a Mail Contact with an external SMTP address of someone@yahoo.com or 2) Myuser@mydomain.com is a mailbox with a forwarding address of someone@yahoo.com. I don’t set up mail forwarding for a mailbox except under very unusual circumstances, so I checked the Mail Contacts first. Sure enough, there was Myuser with an external SMTP address of someone@yahoo.com.

Mystery solved.
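
The same triage as an Exchange Management Shell script, added here as an example and not taken from the original post: it finds the inbound copy in message tracking, then shows whether each internal recipient is a Mail Contact or a forwarding mailbox. The addresses are the placeholders used above, and the two-day window and variable names are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on a Hub Transport server.
# $sender and the look-back window are assumptions; adjust to the queued message.
$sender = 'somebody@notmydomain.com'
$start  = (Get-Date).AddDays(-2)

# 1. Find the inbound copy: which internal address did the external sender write to?
$inbound = Get-TransportServer |
    Get-MessageTrackingLog -Sender $sender -EventId RECEIVE -Start $start -ResultSize Unlimited
$inbound | Select-Object Timestamp, Source, MessageSubject, Recipients | Format-List

# 2. For each internal recipient, show the setting that sends its mail outside.
$targets = $inbound | ForEach-Object { $_.Recipients } | Sort-Object -Unique
foreach ($addr in $targets) {
    $r = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
    if (-not $r) { Write-Warning "No recipient object for $addr"; continue }

    switch ("$($r.RecipientType)") {
        'MailContact' {
            # Case 1 from the post: a contact whose external address is off-domain.
            Get-MailContact -Identity $r.Identity |
                Format-List Name, PrimarySmtpAddress, ExternalEmailAddress
        }
        'UserMailbox' {
            # Case 2 from the post: a mailbox with forwarding configured.
            # A property the build does not expose simply shows as empty.
            Get-Mailbox -Identity $r.Identity |
                Format-List Name, PrimarySmtpAddress, ForwardingAddress,
                            ForwardingSmtpAddress, DeliverToMailboxAndForward
        }
        default { Write-Warning "$addr is a $($r.RecipientType); check it by hand" }
    }
}

# 3. Organisation-wide audit of both causes, so the next odd 'From' address
#    in the queue can be matched against a known list.
Get-MailContact -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, ExternalEmailAddress |
    Sort-Object ExternalEmailAddress | Format-Table -AutoSize

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize
```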
