We got hit with this one the other day. We have several mail servers here,
all of them have relaying shut off. Of course, there are exceptions to the
relay rules which allows mail to flow normally. Mail can come in from
anywhere to a set list of inside networks and servers, mail can go out to
anywhere if it originates from inside the network.
I'm guessing that the spammer used the
user%targetdomain.com@??? addressing form in order to get
mail1.domain.com to hand off to mail2.domain.com and do their dirty work.
This is my guess, since the headers only showed the path going from the
outside, to one mail server, then to another, then out to a target. I
can't find any documentation as to whether Exim supports the "%" form of
addressing.
Any good ideas how to fight this? If possible, I'd just like to shut off
the "%" addressing altogether.
--
*** Exim information can be found at
http://www.exim.org/ ***
