Yes, but an interesting issue is mail spoofing: One of the vulnerabilities of the SMTP protocol is that it is possible to attack closed relays... the only thing you have to do is send an email to a fake email address; doing this, the email will be sent back to the sender (that could be anybody from any domain I wish!). I could also include an attachment... and the SMTP server would deliver this information included in the NDR! It's easy to see that I could generate a denial of service with this method using the SMTP server's resources and also attacking, if I desire, the "sender". Unless you disallow non-delivery reports and perform reverse DNS lookups on incoming messages... but this has several disadvantages...

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Wednesday, September 04, 2002 6:50 PM
To: [ExchangeList]
Subject: [exchangelist] RE: open relay on Exchange 2000

http://www.MSExchange.org/

They cannot just make up a username and password, it has to be a real username and password.

Mark Fugatt
Pentech Office Solutions Inc
www.4mcts.com
www.exchangetrainer.com
Tel: 585 586 3890
Fax: 585 249 0316
Cell: 585 576 4750

Visit www.msexchange.org for valuable information about Microsoft Exchange

-----Original Message-----
From: maplesoft@xxxxxxxxxxxxx [mailto:maplesoft@xxxxxxxxxxxxx]
Sent: Wednesday, September 04, 2002 5:49 PM
To: [ExchangeList]
Subject: [exchangelist] open relay on Exchange 2000

We have recently set up Exchange 2000. We wanted to make sure we did not have any open relays and followed the instructions given in Mark Fugatt's article: "Understanding Relaying and Spam with Exchange 2000." Testing with the telnet session is successful; however, if a spammer really wants to use our server, all they need to do is set up an Outlook Express client with a bogus email address, tell OE to authenticate to our SMTP server and provide a bogus username and password, and the email will be relayed.

I do not know what we missed, but we must have missed something. If anyone has any ideas, we would greatly appreciate them.

Thanks,
Scot

------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: mark@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
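
The NDR reflection described in the first reply of this thread can be spotted from the server side by counting bounces per claimed sender. The following is an added example, not part of the original thread or of any Exchange tooling; the event tuple layout, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of accepted messages, NOT a real Exchange log format:
# (seconds, client IP, claimed MAIL FROM, RCPT TO, message size in bytes)
EVENTS = [
    (0,   "203.0.113.7",  "victim@example.net", "nouser1@corp.example", 900_000),
    (5,   "203.0.113.7",  "victim@example.net", "nouser2@corp.example", 900_000),
    (9,   "203.0.113.7",  "victim@example.net", "nouser3@corp.example", 900_000),
    (12,  "198.51.100.4", "alice@example.org",  "scot@corp.example",    4_000),
    (30,  "198.51.100.9", "bob@example.org",    "slaes@corp.example",   2_000),  # honest typo
    (400, "203.0.113.7",  "victim@example.net", "nouser4@corp.example", 900_000),
]
VALID_RECIPIENTS = {"scot@corp.example", "sales@corp.example"}  # hypothetical directory


def backscatter_report(events, valid, window=60, threshold=3):
    """Find claimed senders that would be hit by bursts of NDRs.

    A message to a non-existent recipient produces one NDR addressed to the
    claimed sender. A sender is flagged when at least `threshold` such NDRs
    fall within `window` seconds. Returns {sender: (ndr_count, reflected_bytes)}.
    """
    bounces = defaultdict(list)
    for ts, _ip, mail_from, rcpt, size in events:
        if rcpt.lower() not in valid:
            bounces[mail_from.lower()].append((ts, size))

    flagged = {}
    for sender, hits in bounces.items():
        hits.sort()
        start, worst = 0, 0
        for end, (ts, _size) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            # reflected_bytes is an upper bound: it assumes the NDR returns the attachment
            flagged[sender] = (len(hits), sum(size for _ts, size in hits))
    return flagged


if __name__ == "__main__":
    for sender, (count, size) in backscatter_report(EVENTS, VALID_RECIPIENTS).items():
        print(f"{sender}: {count} NDRs, up to {size} bytes reflected")
```

A single mistyped recipient (the `bob@example.org` row) stays below the threshold, while the repeated bounces toward one claimed sender are reported together with the volume the server would send on the spoofer's behalf.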