Odd ‘From’ Address in the Send Queue
While checking the send queues on my Exchange 2010 server, I noticed an email from firstname.lastname@example.org addressed to a yahoo.com recipient. I don’t allow unauthenticated SMTP traffic, so I was a little concerned. The details indicated that the message had originated on my HUB server with an external address. That’s not cool.
Here’s what the message detail looked like:
Subject: Have I got a deal for you!!!
Internet Message ID:
From Address: email@example.com
Size (KB): 15
Message Source Name: SMTP:Default MYHUBSERVER
Source IP: 126.96.36.199 [My hardware load balancer’s IP address]
Date Received: 3/23/2012 9:06:49 AM
Expiration Time: 3/25/2012 9:06:49 AM
Queue ID: MYHUBSERVER\1705088
So how did firstname.lastname@example.org use my Exchange server to relay an email to Yahoo? It was so easy they didn’t even have to try. In fact, they didn’t even know they had done it. I searched the message transport log for the text string “notmydomain.com” and found an inbound message from email@example.com with the subject line “Have I got a deal for you!!!” to firstname.lastname@example.org.
One of two things was going on here: 1) Myuser@mydomain.com is a Mail Contact with an external SMTP address of email@example.com or 2) Myuser@mydomain.com is a mailbox with a forwarding address firstname.lastname@example.org. I don’t set up mail forwarding for a mailbox except under very unusual circumstances, so I checked the Mail Contacts first. Sure enough, there was Myuser with an external SMTP address of email@example.com.
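The log search above can be turned into a repeatable check. The following is an added example, not code from the original post: it pairs each externally received message with any outbound SEND to an external recipient, which is the trail a Mail Contact or a forwarding mailbox leaves. The property names follow Get-MessageTrackingLog output; the function names, domains and sample records are constructed, and it assumes both legs of a redirected message share one Message ID.

```powershell
# Added example. Property names follow Get-MessageTrackingLog output;
# all addresses and domains below are constructed placeholders.
function Get-Domain([string]$Address) { ($Address -split '@')[-1].ToLower() }

function Find-ExternalRedirect {
    param([object[]]$Records, [string[]]$AcceptedDomains)
    $accepted = @($AcceptedDomains | ForEach-Object { $_.ToLower() })
    foreach ($msg in ($Records | Group-Object MessageId)) {
        # Inbound leg: received over SMTP from a sender outside our domains.
        $in = @($msg.Group | Where-Object {
            $_.EventId -eq 'RECEIVE' -and $_.Source -eq 'SMTP' -and
            $accepted -notcontains (Get-Domain $_.Sender) })
        # Outbound leg: sent on to at least one recipient outside our domains.
        $out = @($msg.Group | Where-Object { $_.EventId -eq 'SEND' } |
            ForEach-Object { $_.Recipients } |
            Where-Object { $accepted -notcontains (Get-Domain $_) })
        if ($in.Count -gt 0 -and $out.Count -gt 0) {
            New-Object PSObject -Property @{
                MessageId   = $msg.Name
                Sender      = $in[0].Sender
                Subject     = $in[0].MessageSubject
                AddressedTo = @($in | ForEach-Object { $_.Recipients })
                RelayedTo   = $out
            }
        }
    }
}

function New-Rec($Id, $EventId, $Source, $Sender, $Rcpt, $Subject) {
    New-Object PSObject -Property @{
        MessageId = $Id; EventId = $EventId; Source = $Source
        Sender = $Sender; Recipients = @($Rcpt); MessageSubject = $Subject }
}

# Constructed sample: message 1 is redirected by a Mail Contact, message 2 is
# ordinary inbound mail, message 3 is ordinary outbound mail from a mailbox.
$sample = @(
    New-Rec '<1@ext.example>' 'RECEIVE' 'SMTP' 'seller@ext.example' 'myuser@corp.example' 'Have I got a deal for you!!!'
    New-Rec '<1@ext.example>' 'SEND' 'SMTP' 'seller@ext.example' 'myuser@webmail.example' 'Have I got a deal for you!!!'
    New-Rec '<2@ext.example>' 'RECEIVE' 'SMTP' 'news@ext.example' 'other@corp.example' 'Newsletter'
    New-Rec '<2@ext.example>' 'DELIVER' 'STOREDRIVER' 'news@ext.example' 'other@corp.example' 'Newsletter'
    New-Rec '<3@corp.example>' 'RECEIVE' 'STOREDRIVER' 'other@corp.example' 'partner@ext.example' 'Quote'
    New-Rec '<3@corp.example>' 'SEND' 'SMTP' 'other@corp.example' 'partner@ext.example' 'Quote'
)
# Only message 1 is reported: external sender in, external recipient out.
Find-ExternalRedirect -Records $sample -AcceptedDomains 'corp.example' |
    Format-List MessageId, Sender, Subject, AddressedTo, RelayedTo
```

Against a live server, pass the output of Get-MessageTrackingLog as -Records and your own domains as -AcceptedDomains. Each hit's AddressedTo value is the recipient whose Mail Contact or mailbox forwarding settings should be reviewed.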