Odd ‘From’ Address in the Send Queue
While checking the send queues on my Exchange 2010 server, I noticed an email from somebody@notmydomain.com addressed to a yahoo.com recipient. I don’t allow unauthenticated SMTP traffic, so I was a little concerned. The details indicated that the message had originated on my HUB server with an external address. That’s not cool.
Here’s what the message detail looked like:
Identity: MYHUBSERVER\1705088\11638779
Subject: Have I got a deal for you!!!
Internet Message ID:
From Address: somebody@notmydomain.com
Status: Ready
Size (KB): 15
Message Source Name: SMTP:Default MYHUBSERVER
Source IP: 192.0.0.100 [My hardware load balancer’s ip address]
SCL: 0
Date Received: 3/23/2012 9:06:49 AM
Expiration Time: 3/25/2012 9:06:49 AM
Last Error:
Queue ID: MYHUBSERVER\1705088
Recipients: someone@yahoo.com
So how did somebody@notmydomain.com use my Exchange server to relay an email to Yahoo? It was so easy they didn’t even have to try. In fact, they didn’t even know they had done it. I searched the message transport log for the text string “notmydomain.com” and found an inbound message from somebody@notmydomain.com with the subject line “Have I got a deal for you!!!” to myuser@mydomain.com.
Ding!
One of two things was going on here: 1) Myuser@mydomain.com is a Mail Contact with an external SMTP address of someone@yahoo.com, or 2) Myuser@mydomain.com is a mailbox with a forwarding address of someone@yahoo.com. I don’t set up mail forwarding for a mailbox except under very unusual circumstances, so I checked the Mail Contacts first. Sure enough, there was Myuser with an external SMTP address of someone@yahoo.com.
Mystery solved.
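The same two checks can be run across the whole organization from the Exchange Management Shell. This is an added example, not part of the original post. It assumes the log searched above is the message tracking log, and the `$AcceptedDomains` list, the `Test-ExternalAddress` helper and the date window are illustrative values to adjust.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Assumption: these are the domains you treat as internal
# (mydomain.com is the placeholder used in the post).
$AcceptedDomains = @('mydomain.com')

# Hypothetical helper: true when an address falls outside the accepted domains.
function Test-ExternalAddress {
    param([string]$Address)
    # ExternalEmailAddress renders as "SMTP:user@domain"; drop the prefix.
    $smtp   = $Address -replace '^smtp:', ''
    $domain = ($smtp -split '@')[-1]
    return ($AcceptedDomains -notcontains $domain)
}

# 1) Mail contacts that deliver to an address outside the organization.
$contacts = Get-MailContact -ResultSize Unlimited |
    Where-Object { Test-ExternalAddress $_.ExternalEmailAddress.ToString() } |
    Select-Object @{n='Type';e={'MailContact'}}, Name, PrimarySmtpAddress,
                  @{n='DeliversTo';e={$_.ExternalEmailAddress}},
                  @{n='KeepsCopy';e={'n/a'}}

# 2) Mailboxes with a forwarding address configured.
$forwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress } |
    Select-Object @{n='Type';e={'Mailbox'}}, Name, PrimarySmtpAddress,
                  @{n='DeliversTo';e={$_.ForwardingAddress}},
                  @{n='KeepsCopy';e={$_.DeliverToMailboxAndForward}}

# @() keeps the concatenation valid when either query returns 0 or 1 objects.
@($contacts) + @($forwarders) | Sort-Object Type, Name | Format-Table -AutoSize

# 3) Correlate a suspicious queued message with its inbound delivery.
#    Sender and window are taken from the queue detail shown in the post.
Get-MessageTrackingLog -Sender 'somebody@notmydomain.com' `
        -Start '3/23/2012 12:00 AM' -End '3/24/2012 12:00 AM' -ResultSize Unlimited |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, MessageSubject,
                  @{n='Recipients';e={$_.Recipients -join ';'}} |
    Format-Table -AutoSize
```

A message whose tracking events show both an internal recipient and an external one from the first two lists was redirected by a contact or forwarder, not relayed by an unauthenticated sender.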