Happy Thanksgiving all! While I don't think I'll get a response to this question over the holidays, I thought I'd at least present it for response post Thanksgiving. I have a site that (along with others) has decided to use MSExchange as their SMTP hub. One of the problems I am seeing with this is that the current configuration allows for any inbound domain traffic. In otherwords, the exchange server seems to allow emails destin for any domain, then sends a None Delivery Report to the "Mail From" party. My argument is that there lies an exploit with this senario. In otherwords (and those of you that probably know where I am going with this just skip ahead) If I send an email to JoeSmo@domain.com and spoof the Mail From as Victim@innocentdomain.com to an Exchange Server setup in this manor, the Exchange server will bounce an email to the Victim@innoccentdomain.com. While this is all fine and dandy, if a person(s) decides to use this as a mailbomb method and exploit this, its rather simple to do. So, in short I am aguing that 1> Mail destine for a domain not handled should be 550 Denied. 2> None Delivery Reports should only be sent for Domains Handled. 3> That a Firewall should not be doing Domain checking for SMTP What I am at a loss for is RFCs that explicitly state this, that is NDR for other domains, and accepting for other domains. Perhaps I missed something or one of them. Anyone have to deal with this situation? Any suggestions on how to argue this? Am I perhaps missing something? Does Bill Gates feel that "Monopoly is just a game, I want the world!" Just kidding. Thanks in advance, and again Happy Thanksgiving! -Joe