
How to Stop Relaying with Exchange Server 5.5

djplante asked
Medium Priority
Last Modified: 2010-08-05
We are getting an increase of spam and an increase of messages that have been sent from specific user accounts without the owner knowing.  It seems as though we have relaying enabled and that our e-mail server is allowing messages to be sent without the owner's permission.

We are running Exchange Server 5.5 (SP4) with many of the latest Exchange patches on a Windows 2000 Server (fully patched).  The environment is primarily Windows 2000 servers with a Linux box acting as a gateway/firewall.  Our Exchange server is running Antigen 7.5 in order to filter viruses and content, AND all client machines and the server have a local anti-virus program installed and updated for protection.

I have made the necessary changes in the IMS (e.g. Checkmark in the "Hosts and Clients with these IP addresses", while not listing an IP address) as suggested here:  http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/7696/MicrosoftExchangeOutlook_7696.html but we still seem to be relaying.

I would like to answer the following questions.
1.  How can we tell if our server has relaying turned on?
I was unable to telnet into our Windows 2000 server in order to try the suggestions in the article above (e.g. telnet servername 25).  The telnet window hangs.  If someone can troubleshoot telnetting in, I would appreciate that.  I have turned the telnet service on on the server AND even tried enabling the telnet port on our firewall, but still no luck.  What else do I have to configure to make telnet work?

2.  Are there any other ways to disable relaying other than the common solution discussed in the article above?  We have already applied this solution and still seem to be getting a lot of spam.

Anyone who can point me in the right direction would be much appreciated.

D. J.


When trying to telnet I get this:
C:\>telnet relay-test.mail-abuse.org
Connecting To relay-test.mail-abuse.org...Could not open a connection to host on
 port 23 : Connect failed

I checked my server against njabl.org and it was clean.
I checked my server against openrbl.org and this is what it returned...what does this mean?
 Multi DNSBL Lookup 208.193.xxx.xxx http://openrbl.org/ip/208/193/xxx/xxx.htm
 Lookup 208.193.xxx.xxx (something.something.edu) in 21+11 Zones
 AS: 208.193.xxx.xxx/24 AS6062  NETPLEX Hartford/Connecticut
 Net 208.192-208.255 UUNET1996B  Fairfax, Virginia @uu.net
 Results: Positive=2, Negative=30 (2004-04-12 16:05:42 UTC)
@ISP/blackholes.us: 208.193/16: 553 ISP MCI - http://hatcheck.org/google?mci; http://hatcheck.org/sbl?mci; ISP UU - http://hatcheck.org/google?uu; http://hatcheck.org/sbl?uu [Blockparade]
BLARS/block.blars.org: INET

Hints for 208.193.xxx.xxx: (external, use BACK or ALT-LEFT when done)
Track "something.something.edu" at [Whois & Abuse|SpamCop*]
Search "208.193.xxx.xxx" at [Google|SpamCop*|SenderBase] [MAPS|Schlund]
CHECK: Nominate Relay-Test at: [ORDB] [Add Comment]

I am in the process of trying http://ordb.org but it takes a while.

As far as the IMC, there are two options I think you are referring to:  "Do not reroute incoming SMTP mail" AND "Reroute incoming SMTP mail (required for POP3/IMAP4 support)".  Routing is set to "something.edu" and the option "Email sent to this domain:" "should be accepted as inbound" is selected.  Are you saying I should disable this option and select "Do not reroute incoming SMTP mail"?  People only use the Microsoft Outlook client while on campus and Outlook Web Access off campus.  No one telnets in or configures their clients at home to download messages (POP3).

What should I try from here?

D. J.
When you telnet you need to use the following syntax: "telnet [domain] 25" to telnet on port 25.  Without the port 25 argument, it will attempt to connect on port 23, which will not work.  You do not need port 23 open on your firewall to your Exchange server.

For Exchange 5.5, you actually need to select "Reroute incoming SMTP mail" and not select any domains to reroute.  This is a little-known fact about Exchange 5.5. If you select "Do not reroute incoming SMTP mail," then it will still allow spammers access to an open relay.


When I try to telnet into my exchange server this is what I get...it just hangs here:

C:\>telnet [servername or FQDN] 25
220 servername.domain-name.something.edu ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2657.72) ready

I have tried many combinations in order to telnet in and cannot do it with the following syntax:  telnet servername 25

Any other suggestions?
We have "Reroute incoming SMTP mail" selected and we have specified a domain (something.edu).  Do you recommend we remove that domain?  If so, what are the possible outcomes of doing this?

Thanks for your help.

> Results: Positive=2, Negative=30
This seems to be OK, as there are a few heavily restrictive databases; the relevant databases are closed.

> As far as the IMC.
One option is to set it to "Do not reroute..", but as dstoker said, it will not open the server for relay, but it may produce a lot of NDRs if a spammer tries to use your server as a relay.

Follow the instructions here to close your server, where the last one may be the easiest to understand:

There is also an example for testing your own server with telnet.

The telnet test (abuse.org) was OK, but you should run it on your mail server. Additionally, the default route should be the same as the one your mail server uses, as this tool tries to contact your server from the IP you are going out with.


I still cannot get Telnet to function properly.  After I open telnet and type in "open servername 25" it hangs.  How can I get telnet to function properly?  Oh, I already have made changes to the settings as described in the 2nd article:  http://www.msexchange.org/pages/article_p.asp?id=5

Just type the commands; telnet shows the server's response after every line. Note that you may not use backspace or other editing keys: just type the command and press return; if you made an error, press return and repeat the whole line.
telnet myserver 25
helo myclient
mail from: anymail@anyserver.com
rcpt to: anothermail@anotherserver.com
data
type your mail text here
.
quit


I can't get to a prompt to be able to enter HELO or mail from: / rcpt to:  this is as far as I get:

220 servername.domain.domain.edu ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2657.72) ready

I know how to use telnet....it is just hanging and I am not able to log in at all.

After the "ready", you type HELO.  Then you get a response.  You will not see standard telnet prompts.  Think of it as telnetting blind.

You must simply type it: if you get the banner from your server (as shown above), just type "helo" and hit return. You will not get any cursor or hint of what to do, as the order doesn't matter. Type the whole line, including "mail from: xxx".
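
The blind SMTP dialogue the experts describe (port 25, banner, HELO, MAIL FROM with an outside sender, RCPT TO with an outside recipient, then read the reply code) can be scripted so that the server's replies are captured instead of typed at blind. The script below is an added example, not code from the thread or from Microsoft; it speaks SMTP over a raw socket and treats a 250/251 to the external RCPT TO as an open relay, a 5xx as refused, and a 4xx as inconclusive. The host name relaytest.example.com and the two constructed reply sets in demo() (banner text modelled on the Exchange 5.5 IMS banner quoted above) are assumptions for an offline run; against a real server, run it from the mail server itself or from outside the firewall, as advised above.

```python
"""Scripted relay test: HELO / MAIL FROM / RCPT TO / QUIT, classify the RCPT reply.
Added example; not from the original thread."""
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply from a file-like object (readline() -> bytes).
    Handles multi-line replies: "250-text" continues, "250 text" ends.
    Returns (numeric code, list of reply lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def relay_dialogue(rfile, send, helo_name, mail_from, rcpt_to):
    """Run the manual test from the thread against an already-connected server.
    `rfile` must offer readline() returning bytes, `send` must accept bytes.
    Returns {"relays": bool, "verdict": str, "transcript": [lines]}."""
    transcript = []

    def exchange(command):
        if command is not None:
            send((command + "\r\n").encode("ascii"))
            transcript.append(">>> " + command)
        code, lines = read_reply(rfile)
        transcript.extend("<<< " + line for line in lines)
        return code

    result = {"relays": False, "verdict": "", "transcript": transcript}
    try:
        if exchange(None) != 220:                       # greeting banner
            result["verdict"] = "no 220 banner, not an SMTP listener?"
            return result
        if exchange("HELO " + helo_name) != 250:
            result["verdict"] = "HELO rejected"
            return result
        if exchange("MAIL FROM:<%s>" % mail_from) != 250:
            result["verdict"] = "external sender rejected at MAIL FROM (relay closed)"
            return result
        code = exchange("RCPT TO:<%s>" % rcpt_to)      # the decisive reply
        if code in (250, 251):
            result["relays"] = True
            result["verdict"] = "OPEN RELAY: external recipient accepted (%d)" % code
        elif 500 <= code < 600:
            result["verdict"] = "relay refused (%d)" % code
        else:
            result["verdict"] = "inconclusive: temporary failure (%d)" % code
        return result
    finally:
        try:
            exchange("QUIT")                            # always close the session cleanly
        except (OSError, ValueError):
            pass


def run_relay_test(host, port=25, helo_name="relaytest.example.com",
                   mail_from="anymail@anyserver.com",
                   rcpt_to="anothermail@anotherserver.com", timeout=15):
    """Connect to a real server and run the dialogue (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return relay_dialogue(sock.makefile("rb"), sock.sendall,
                              helo_name, mail_from, rcpt_to)


class CannedServer:
    """Constructed offline stand-in for an SMTP server: replays fixed replies."""
    def __init__(self, replies):
        self.rfile = io.BytesIO(b"".join(r.encode("ascii") + b"\r\n" for r in replies))
        self.sent = []

    def send(self, data):
        self.sent.append(data.decode("ascii"))


def demo():
    """Both outcomes against constructed reply sets (assumed banner/reply text)."""
    banner = ("220 servername.domain.edu ESMTP Server "
              "(Microsoft Exchange Internet Mail Service 5.5.2657.72) ready")
    closed = CannedServer([banner, "250 OK", "250 OK - mail from <anymail@anyserver.com>",
                           "550 relaying is prohibited", "221 closing connection"])
    opened = CannedServer([banner, "250-servername.domain.edu Hello relaytest.example.com",
                           "250 OK", "250 OK - mail from <anymail@anyserver.com>",
                           "250 OK - Recipient <anothermail@anotherserver.com>",
                           "221 closing connection"])
    args = ("relaytest.example.com", "anymail@anyserver.com", "anothermail@anotherserver.com")
    return (relay_dialogue(closed.rfile, closed.send, *args),
            relay_dialogue(opened.rfile, opened.send, *args))


if __name__ == "__main__":
    import sys
    res = run_relay_test(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    print("\n".join(res["transcript"]))
    print(res["verdict"])
```

Run it as `python relaytest.py servername` from the mail server. A "550 relaying is prohibited" reply to RCPT TO is the closed result D. J. eventually got; note that a server which accepts the external recipient but later bounces it still scores as open here, because the accept is what a spammer's relay probe looks for.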


ok....dstoker509....thanks.....I followed your directions and did get the response "550 relaying is prohibited"

Now that I've determined that relaying is prohibited, what recommendations do you have for limiting the amount of spam coming through.  What I'm mostly worried about are the messages that look like someone at the school has sent them out when in fact they haven't.  Any other ideas?

Could some client machines on the network have viruses and be acting as their own SMTP service (using the Global Address List somehow)?
Could it be that our Exchange server has somehow been compromised (i.e. virus, hacked, etc.)?

Thanks for your help,
D. J.

Have a look at the mail headers, where you can see where the mail is really coming from. Within Outlook, select the mail, right-click, Options; there you can see the mail header. If the mail header field is empty, the mails are coming from your own clients; otherwise you will find the full routing protocol, ending with the originator of the mail, like

Received: From ns5.experts-exchange.com ([]) by anyOtherServer ....

While the server names in spam emails are mostly faked, the IP address is correct. The latest viruses have the feature that they fake the sender address so that the mail seems to be coming from a known sender's address.

Now go to a DOS prompt and type

nslookup (followed by the IP you find in the mail header)
The response is ns5.experts-exchange.com (in this example),
and this is the real name of the sender's server.

Doing so, you can find out if you have an internal problem or if they are coming from outside. For spam from outside, you cannot really do a lot within Exchange; you need a spam filter which is able to filter the incoming traffic. A few virus scanners also have a simple filter function, but this is not really a solution.
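
The header reading the expert describes above can be automated, with one caveat worth building in: only the Received: lines stamped by your own server can be trusted, because a spammer can write any Received: lines he likes into the message before it reaches you. The script below is an added example, not code from the thread; it walks the Received: headers from the newest downward, stops at the last one whose "by" host is one of your own servers, and reads the bracketed IP that your server recorded there. No Received: header at all is treated, as the expert says, as a message submitted directly by an Outlook/MAPI client. The server name servername.domain.edu, the RFC 1918 ranges used as "internal", and the three constructed messages in demo() (which use 203.0.113.10, a documentation address) are assumptions; replace OUR_SERVERS and INTERNAL_NETS with your own.

```python
"""Find the hop at which a message entered our mail system from its Received: headers.
Added example; not from the original thread."""
import email
import ipaddress
import re
import socket

# Assumption: host names your own IMS/Exchange servers write after "by" in Received:.
OUR_SERVERS = {"servername.domain.edu"}
# Assumption: your own address space; the campus ranges belong here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BY_HOST = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)
FROM_HOST = re.compile(r"\bfrom\s+([^\s(\[]+)", re.IGNORECASE)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def entry_hop(received_headers):
    """Received: headers are listed newest-first. Keep walking while the header
    was stamped by one of OUR servers; the last such header is where the
    message entered our system. Anything older may have been forged by the sender."""
    entry = None
    for hdr in received_headers:
        m = BY_HOST.search(hdr)
        if not (m and m.group(1).rstrip(".").lower() in OUR_SERVERS):
            break
        entry = hdr
    return entry


def classify_origin(raw_message):
    """Return {"origin": internal-client | internal-host | external | unknown,
    "ip", "claimed_host", "note"} for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    hops = [str(h) for h in (msg.get_all("Received") or [])]
    result = {"origin": "unknown", "ip": None, "claimed_host": None, "note": ""}
    if not hops:                                   # what the expert calls an empty header field
        result.update(origin="internal-client",
                      note="no Received: header: submitted by an Outlook/MAPI client on our network")
        return result
    entry = entry_hop(hops)
    if entry is None:
        result["note"] = "topmost Received: header was not stamped by one of our servers"
        return result
    host = FROM_HOST.search(entry)
    ipm = BRACKET_IP.search(entry, host.end() if host else 0)
    if not ipm:
        result["note"] = "no [ip] recorded in the entry hop"
        return result
    addr = ipaddress.ip_address(ipm.group(1))
    result.update(
        ip=str(addr),
        claimed_host=host.group(1) if host else None,   # HELO name: can be faked
        origin="internal-host" if any(addr in n for n in INTERNAL_NETS) else "external",
        note="the [ip] was recorded by our server; the host name after 'from' is only what the sender claimed")
    return result


def reverse_lookup(ip):
    """The nslookup step from the thread; needs DNS, so demo() does not call it."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def demo():
    """Three constructed messages (not real mail): outside spam with a forged
    inner hop, an internal PC running its own SMTP engine, and a MAPI submission."""
    external = (
        "Received: from mail.example.net ([203.0.113.10]) by servername.domain.edu\n"
        "\t(Microsoft Exchange Internet Mail Service Version 5.5.2657.72) id ABC123;\n"
        "\tMon, 12 Apr 2004 12:05:42 -0400\n"
        "Received: from user-pc.domain.edu (user-pc.domain.edu [10.0.0.5])\n"
        "\tby mail.example.net with SMTP; Mon, 12 Apr 2004 11:59:00 -0400\n"
        "From: someone@domain.edu\nSubject: forged sender\n\nbody\n")
    internal = (
        "Received: from pc-lab-17 ([10.20.30.40]) by servername.domain.edu with SMTP;\n"
        "\tMon, 12 Apr 2004 12:05:42 -0400\n"
        "From: someone@domain.edu\nSubject: from an infected PC's own SMTP engine\n\nbody\n")
    mapi = "From: someone@domain.edu\nSubject: submitted via Outlook\n\nbody\n"
    return [classify_origin(m) for m in (external, internal, mapi)]


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else None
    for r in ([classify_origin(src)] if src else demo()):
        print(r)
```

Save a suspicious message as a text file (File, Save As, text in Outlook keeps only the body; copy the header field from Options into the top of the file) and run the script on it. An "external" result with a forged From: is ordinary spam and needs a filter in front of the IMS; an "internal-host" or "internal-client" result points at a machine on your own network to take off the wire and scan.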