Odd ‘From’ Address in the Send Queue
While checking the send queues on my Exchange 2010 server, I noticed an email from email@example.com addressed to a yahoo.com recipient. I don’t allow unauthenticated SMTP traffic, so I was a little concerned. The details indicated that the message had originated on my HUB server with an external address. That’s not cool.
Here’s what the message detail looked like:
Subject: Have I got a deal for you!!!
Internet Message ID:
From Address: firstname.lastname@example.org
Size (KB): 15
Message Source Name: SMTP:Default MYHUBSERVER
Source IP: 18.104.22.168 [My hardware load balancer’s IP address]
Date Received: 3/23/2012 9:06:49 AM
Expiration Time: 3/25/2012 9:06:49 AM
Queue ID: MYHUBSERVER\1705088
So how did email@example.com use my Exchange server to relay an email to Yahoo? It was so easy they didn’t even have to try. In fact, they didn’t even know they had done it. I searched the message transport log for the text string “notmydomain.com” and found an inbound message from firstname.lastname@example.org with the subject line “Have I got a deal for you!!!” to email@example.com.
One of two things was going on here: 1) Myuser@mydomain.com is a Mail Contact with an external SMTP address of firstname.lastname@example.org, or 2) Myuser@mydomain.com is a mailbox with a forwarding address of email@example.com. I don’t set up mail forwarding for a mailbox except under very unusual circumstances, so I checked the Mail Contacts first. Sure enough, there was Myuser with an external SMTP address of firstname.lastname@example.org.
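The same investigation can be run from the Exchange Management Shell. This is an added example, not part of the original post: it searches message tracking for the external sender domain, then lists both candidate causes (Mail Contacts with an external address, and mailboxes with forwarding set). The domain value and the two-day window are assumptions to replace with your own.

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
# Assumed values: adjust the domain and the time window for your case.
$externalDomain = 'notmydomain.com'      # domain seen in the odd From address
$start          = (Get-Date).AddDays(-2)

# 1) Message tracking on every Hub Transport server: find messages from that
#    domain and see which internal address they were sent to.
Get-TransportServer |
    Get-MessageTrackingLog -Start $start -ResultSize Unlimited |
    Where-Object { $_.Sender -like "*@$externalDomain" } |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, Sender, Recipients, MessageSubject |
    Format-Table -AutoSize

# 2) Cause one: Mail Contacts. Mail sent to the contact's internal address is
#    re-sent to ExternalEmailAddress, keeping the original external sender.
Get-MailContact -ResultSize Unlimited |
    Sort-Object Name |
    Select-Object Name, PrimarySmtpAddress, ExternalEmailAddress |
    Format-Table -AutoSize

# 3) Cause two: mailboxes with a forwarding address configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress } |
    Select-Object Name, PrimarySmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize
```

A recipient from step 1 that also appears in step 2 or 3 explains a queued message whose From address is external even though the server does not accept unauthenticated relay.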