How to Stop Relaying with Exchange Server 5.5

We are getting an increase of spam and an increase of messages that have been sent from specific user accounts without the owner knowing.  It seems as though we have relaying enabled and that our e-mail server is allowing messages to be sent without the owner's permission.

We are running Exchange Server 5.5 (SP4) with many of the latest Exchange patches on a Windows 2000 Server (fully patched).  The environment is primarily Windows 2000 servers with a Linux box acting as a Gateway/Firewall.  Our Exchange server is running Antigen 7.5 in order to filter viruses and content AND all client machines and the server have a local anti-virus program installed and updated for protection.

I have made the necessary changes in the IMS (e.g. Checkmark in the "Hosts and Clients with these IP addresses", while not listing an IP address) as suggested here: but we still seem to be relaying.

I would like to answer the following questions.
1.  How can we tell if our server has relaying turned on?
I was unable to telnet into our Windows 2000 server in order to try the suggestions in the article above (e.g. telnet servername 25).  The telnet window hangs.  If someone can troubleshoot telnetting in I would appreciate that.  I have turned the telnet service on on the server AND even tried enabling the telnet port on our firewall but still no luck.  What else do I have to configure to make telnet work?

2.  Are there any other ways to disable relaying other than the common solution discussed in the article above?  We have already applied this solution and seem to be getting a lot of spam.

Anyone who can point me in the right direction would be much appreciated.

D. J.
This article explains closing open-relay and testing it.  It should help clear things up:;en-us;836500
A lot of stuff to read. Within your Exchange server IMC, you have an option button "Forward mails for these domains" and "Do not forward emails" or similar. If you mark the "Do not forward...", your server will not relay messages. This has nothing to do with forwarding to your own recipients.

Nevertheless, some spammers use tricks like faking sender addresses, so that your server interprets these mails as coming from internal users.

Try telnet at a DOS prompt.

also check your server against spam-databases like

Note that the last one will test your server and add it to the database if it is found to be an open relay; the first two will only check different databases to see if you are listed. If all these tests are negative, your server will not relay. On the other hand, if your server is really open, a few of the databases will list you, as these tools are also the tools used by the spammers, which means that they have found your server.

The telnet tool will try to find out if your server is vulnerable to some known email tricks. These vulnerabilities can be closed by tools in front of the Exchange server, like some virus scanners or "mail security" from

djplanteAuthor Commented:
When trying to telnet I get this:
Connecting To not open a connection to host on
 port 23 : Connect failed

I checked my server against and it was clean.
I checked my server against and this is what it returned... what does this mean?
 Multi DNSBL Lookup
 Lookup ( in 21+11 Zones
 AS: AS6062  NETPLEX Hartford/Connecticut
 Net 208.192-208.255 UUNET1996B  Fairfax, Virginia
 Results: Positive=2, Negative=30 (2004-04-12 16:05:42 UTC)
@ISP/ 208.193/16: 553 ISP MCI -;; ISP UU -; [Blockparade]

Hints for (external, use BACK or ALT-LEFT when done)
Track "" at [Whois & Abuse|SpamCop*]
Search "" at [Google|SpamCop*|SenderBase] [MAPS|Schlund]
CHECK: Nominate Relay-Test at: [ORDB] [Add Comment]

I am in the process of trying but it takes a while.

As far as the IMC.  There are two options I think you are referring to:  "Do not reroute incoming SMTP mail" AND "Reroute incoming SMTP mail (required for POP3/IMAP4 support)".  Routing is sent to "" and the option "Email sent to this domain:" "should be accepted as inbound" is selected.  Are you saying I should disable this option and select "Do not reroute incoming SMTP mail"?  People only use the Microsoft Outlook client while on campus and Outlook Web Access off campus.  No one telnets in or configures their clients at home to download messages (POP3).

What should I try from here?

D. J.

When you telnet you need to use the following syntax: "telnet [domain] 25" to telnet on port 25.  Without the port 25 statement, it will attempt to connect on port 23, which will not work.  You do not need port 23 open on your firewall to your Exchange server.

For Exchange 5.5, you actually need to select "Reroute incoming SMTP mail" and not select any domains to reroute.  This is a little known fact about Exchange 5.5. If you select "Do not reroute incoming SMTP mail," then it will still allow spammers access to an open relay.
djplanteAuthor Commented:
When I try to telnet into my Exchange server this is what I get; it just hangs here:

c:\telnet [servername or FQDN] 25
220 ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2657.72) ready

I have tried many combinations in order to telnet in and cannot do it with the following syntax:  telnet servername 25

Any other suggestions?
We have "Reroute incoming SMTP mail" selected and we have specified a domain (  Do you recommend we remove that domain?  If so, what are the possible outcomes of doing this?

Thanks for your help.
> Results: Positive=2, Negative=30
This seems to be OK, as there are a few heavily restrictive databases; the relevant databases are closed.

> As far as the IMC.
One option is to set it to "Do not reroute..", but as dstoker said, it will not open the server for relay but it may produce a lot of NDRs if a spammer tries to use your server as a relay.

Follow the instructions here to close your server, where the last one may be the easiest to understand:;en-us;243045

There is also an example for testing your own server with telnet.

The telnet ( was ok, but you should run it on your mail server. Additionally, the default route should be the same as your mail server uses, as this tool tries to contact your server from the IP you are going out with.
djplanteAuthor Commented:
I still cannot get Telnet to function properly.  After I open telnet and type in "open servername 25" it hangs.  How can I get telnet to function properly?  Oh, I already have made changes to the settings as described in the 2nd article:
Just the commands; you get telnet responses for every line. Note that you may not use backspace or other keys, just type the command and return; if you made an error, hit return and repeat the whole line.
telnet myserver 25
mail from:
rcpt to:
type your mail text here
djplanteAuthor Commented:
I can't get to a prompt to be able to enter HELO or mail from: / rcpt to:.  This is as far as I get:

220 ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2657.72) ready

I know how to use telnet; it is just hanging and I am not able to login at all.
After the "ready", you type HELO.  Then do you get a response?  You will not see standard Telnet prompts.  Think of it as telneting blind.
You must simply type it: if you get the banner from your server (as shown above), just type "helo" and hit return. You will not get any cursor or hint about what to do, as the order doesn't matter. Type the whole line, including "mail from: xxx".
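The blind telnet relay test described in the two answers above (HELO, MAIL FROM, RCPT TO, then read the reply code), as an added example that is not part of the original thread: it drives the same exchange from Python and judges the RCPT TO reply, sending QUIT instead of DATA so no message is ever queued. Run it against your own server from an address outside the IMS's allowed-relay list; from inside that list a 250 is expected and proves nothing. The host names and addresses are constructed placeholders, and scripted_server is a constructed stand-in for a server so the logic can be exercised offline.

```python
import io, socket, sys

def read_reply(rfile):
    """Read one SMTP reply, single- or multi-line ('250-' continues, '250 ' ends)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def relay_test(rfile, wfile, helo_name, mail_from, rcpt_to):
    """Drive HELO / MAIL FROM / RCPT TO on an open connection and judge the RCPT reply.
    QUIT is sent instead of DATA, so nothing is queued. Returns (code, verdict)."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)
    code, lines = read_reply(rfile)                     # the 220 banner
    if code != 220:
        return code, "no SMTP banner: " + lines[0]
    for cmd in (f"HELO {helo_name}", f"MAIL FROM:<{mail_from}>"):
        code, lines = send(cmd)
        if code != 250:
            return code, f"{cmd.split()[0]} rejected: {lines[0]}"
    code, lines = send(f"RCPT TO:<{rcpt_to}>")          # recipient in a foreign domain
    try:
        send("QUIT")
    except ConnectionError:
        pass
    if code == 250:
        return code, "OPEN RELAY: external recipient accepted (" + lines[0] + ")"
    if code // 100 == 5:
        return code, "relay prohibited (" + lines[0] + ")"
    return code, "temporary refusal, retry later (" + lines[0] + ")"

def scripted_server(*replies):
    """Constructed stand-in for a server: canned replies in, commands captured out."""
    rfile = io.BytesIO("".join(r + "\r\n" for r in replies).encode("ascii"))
    return rfile, io.BytesIO()

if __name__ == "__main__":
    host = sys.argv[1]                                  # your own mail server's name
    with socket.create_connection((host, 25), timeout=30) as s:
        r, w = s.makefile("rb"), s.makefile("wb")
        print(relay_test(r, w, "tester.example.test", "probe@example.test", "someone@external.example.test"))
```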
djplanteAuthor Commented:
ok....dstoker509....thanks.....I followed your directions and did get the response "550 relaying is prohibited"

Now that I've determined that relaying is prohibited, what recommendations do you have for limiting the amount of spam coming through.  What I'm mostly worried about are the messages that look like someone at the school has sent them out when in fact they haven't.  Any other ideas?

Could some client machines on the network have viruses and be acting as their own SMTP service (using the Global Address List somehow)?
Could it be that our exchange server has somehow been compromised (i.e. virus, hacked, etc.)?

Thanks for your help,
D. J.
Have a look at the mail headers, where you can see where the mail is really coming from. Within Outlook, mark the mail - right click - Options, there you can see the mail header. If the mail header field is empty, the mails are coming from your own clients; otherwise you will find the full routing protocol, ending with the originator of the mail like

Received: From ([]) by anyOtherServer ....

As the server name of spam emails is mostly faked, the IP address is the correct one. The latest viruses have the feature that they try to fake the sender addresses so that they seem to be coming from a known sender's address.

Now go to a DOS prompt and type

nslookup (where this is the IP, you find in the mail header)
the response is (in this example)
but this is the real name of the sender's server.

Doing so, you can find out if you have an internal problem or if they are coming from outside. For SPAM from outside, you cannot really do a lot within Exchange; you need a spam filter which is able to filter the incoming traffic. A few virus scanners also have a simple filter function, but this is not really a solution.
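The header triage described above, as an added example that is not part of the original thread: it walks the Received: headers bottom-up, takes the bracketed IP recorded at the hop where the mail entered your own infrastructure, and classifies the message as a local client submission (no Received: at all), an internal machine (one of your own ranges, so look for an infected PC) or an external sender. It goes one step past the answer by letting you name your own edge server, because any Received: line below the one your server wrote was supplied by the sender and can be forged. The sample messages, host names and addresses are constructed placeholders; INTERNAL_NETS assumes RFC 1918 ranges.

```python
import email, ipaddress, re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_chain(raw_message):
    """Received: headers earliest-hop-first (the bottom header of a message is the oldest)."""
    msg = email.message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))

def entry_hop(raw_message, our_server=None):
    """The Received: line our own server wrote when the mail reached us; lines below it
    came from the sender and may be forged. Without our_server, use the bottom-most line."""
    chain = received_chain(raw_message)
    if our_server:
        ours = [h for h in chain if f"by {our_server.lower()}" in h.lower()]
        return ours[0] if ours else None
    return chain[0] if chain else None

def originating_ip(raw_message, our_server=None):
    """Bracketed IP in the entry hop: the host name beside it is sender-chosen, the IP is not."""
    hop = entry_hop(raw_message, our_server)
    m = IP_RE.search(hop) if hop else None
    return m.group(1) if m else None

def classify(raw_message, our_server=None):
    """'local-client' (Outlook/MAPI submission, no Received:), 'internal' (own range,
    suspect an infected machine) or 'external' (spam filter territory)."""
    if not received_chain(raw_message):
        return "local-client"
    ip = originating_ip(raw_message, our_server)
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

# Constructed samples (not real mail); the From: is forged to look like a staff member.
SPOOFED_FROM_OUTSIDE = (
    "Received: from gateway.school.test ([192.168.1.5]) by exchange.school.test; Mon, 12 Apr 2004 16:05:42 +0000\r\n"
    "Received: from friendly.example ([203.0.113.45]) by gateway.school.test; Mon, 12 Apr 2004 16:05:40 +0000\r\n"
    "From: principal@school.test\r\nSubject: constructed sample\r\n\r\nbody\r\n")
INFECTED_CLIENT = (
    "Received: from pc-lab07 ([192.168.4.77]) by exchange.school.test; Mon, 12 Apr 2004 16:07:01 +0000\r\n"
    "From: principal@school.test\r\nSubject: constructed sample\r\n\r\nbody\r\n")
LOCAL_SUBMISSION = "From: principal@school.test\r\nSubject: constructed sample\r\n\r\nbody\r\n"
```

Follow up an "external" verdict with nslookup on the returned IP exactly as the answer describes; an "internal" verdict names the machine to check for a mass-mailing virus.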