New and unacknowledged Exchange / Win2k SMTP vulnerability?
Hi guys - for the last few weeks I've been working with Microsoft to try and track down why on Earth a correctly configured Exchange 2000 Server has been relaying. All of the standard sites report that it's closed, my own telnetting to it says it's closed, and yes, I've accounted for trojans on the LAN - but we're still going to try unplugging the rest of the LAN at some stage for a while and see what happens. But still, it's relaying.

I add the IPs as I see them to a blacklist and it quietens down for a while, and MS keep promising they'll find the problem - but I send them SMTP logs, System and App logs and nothing adds up. All tests show it's closed, and all logs (and complaining recipients) prove it's open for at least one attacker.

Most of the reported sender addresses are in the format SMTPxxxx.YAHOO.COM (where xxxx is a random 4-digit number), but all resolve to chinanet or something. Recently though (today), they have been reporting as just 'exploder' or 'range'. This is screaming 'vulnerability' to me, but MS refuse to acknowledge anything.

I have heard in the last 20 minutes that a different organisation in Wgtn (with a different integrator) is having exactly the same problem, and that "Telecom is talking to Microsoft about it, but is getting nowhere" - I can't substantiate that yet though.

No, the client isn't using an SMTP AV gateway or firewall. Yes, they should be - and this may in fact be the straw that broke the Financial Controller's back. But my current question is: does anyone know WHAT this attack is, or if there's a configuration workaround I can do short of sticking a non-Win2k SMTP gateway between the net and Exchange?

I can't post the SMTP logs publicly because of a confidentiality agreement, but if anyone has an idea and would like to see a sample, please let me know and I'll see if the IT admin of the affected site will allow it.

Cheers - Neil G.
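Added example (not part of Neil's post or of any Microsoft tooling): a small Python check over constructed SMTP log lines that flags relayed messages, meaning neither the envelope sender nor the recipient is in a local domain, and highlights the SMTPxxxx.YAHOO.COM and bare-sender patterns described above so the client IPs can be collected for the blacklist. The log layout, the local domain and the IP addresses are assumptions made up for the example; Exchange 2000's real protocol log format differs.

```python
import re
from collections import defaultdict

# Constructed sample log (simplified "date time client-ip MAIL FROM RCPT TO"
# layout assumed for illustration; not the actual Exchange 2000 format).
SAMPLE_LOG = """\
2002-03-01 10:00:01 203.0.113.5 MAIL FROM:<user@SMTP4821.YAHOO.COM> RCPT TO:<victim@example.net>
2002-03-01 10:00:02 198.51.100.7 MAIL FROM:<bob@partner.org> RCPT TO:<alice@client.co.nz>
2002-03-01 10:00:03 203.0.113.5 MAIL FROM:<user@SMTP9133.YAHOO.COM> RCPT TO:<someone@example.org>
2002-03-01 10:00:04 192.0.2.9 MAIL FROM:<exploder> RCPT TO:<target@example.com>
2002-03-01 10:00:05 192.0.2.9 MAIL FROM:<range> RCPT TO:<other@example.com>
"""

LOCAL_DOMAINS = {"client.co.nz"}  # assumed domains the Exchange server is authoritative for
SUSPECT_SENDER = re.compile(r"^SMTP\d{4}\.YAHOO\.COM$", re.IGNORECASE)
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\S+) MAIL FROM:<(?P<sender>[^>]*)> RCPT TO:<(?P<rcpt>[^>]*)>$")


def domain_of(addr):
    """Domain part of an address, lower-cased; empty for a bare/unqualified sender."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def find_relay_abuse(log_text, local_domains=LOCAL_DOMAINS):
    """Return {client_ip: [reason, ...]} for log lines that look like third-party relaying."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not a MAIL/RCPT pair
        ip, sender, rcpt = m.group("ip"), m.group("sender"), m.group("rcpt")
        sdom, rdom = domain_of(sender), domain_of(rcpt)
        if rdom in local_domains or sdom in local_domains:
            continue  # inbound to a local mailbox, or outbound from a local user (spoofable, but not relay)
        reasons = ["neither sender nor recipient is local (relay)"]
        if SUSPECT_SENDER.match(sdom):
            reasons.append("sender matches SMTPxxxx.YAHOO.COM pattern")
        if not sdom:
            reasons.append(f"bare/unqualified sender '{sender}'")
        hits[ip].append("; ".join(reasons))
    return dict(hits)


def blacklist_candidates(hits, min_hits=2):
    """Client IPs with at least min_hits relay attempts, sorted for a stable blacklist."""
    return sorted(ip for ip, reasons in hits.items() if len(reasons) >= min_hits)
```

Run on the real logs, `blacklist_candidates` gives the list of source addresses to block while the root cause is still being chased.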
participants (1)
-
Neil Gardner