Because you can use the Internet Mail Service (IMS) as a connector between Exchange sites, the IMS contains mechanisms for encoding addressing information to let Exchange route non-SMTP traffic through the IMS. For example, consider a configuration of three Exchange sites and one Microsoft Mail (MS Mail) post office:
Site1 ** Site2 ** Site3 ** MS Mail
If you use the IMS as the connector between sites, Exchange uses an addressing scheme similar to IMCEAMS-org/postoffice/account@site3.com to send a message from a user in Site 1 to the connected MS Mail users. This scheme lets the IMS encapsulate the MS Mail address (org/postoffice/account) in a Site 3-type SMTP address; that is, the outer address directs the mail to the site where the MS Mail post office connects and where the inner address is used to determine the ultimate destination. The IMCEAMS prefix lets the system know that this address is an Internet Mail Connector Encapsulated Address (IMCEA) of type MS Mail (MS). A similar addressing scheme that uses the IMCEASMTP prefix lets Exchange encapsulate one SMTP address inside another for the IMS to deliver to a connected system.
A malicious user can exploit this functionality by encapsulating an address as follows:
RCPT TO: <IMCEASMTP-encapsulatedaddress@open.com>
where -encapsulatedaddress is the victim's address and open.com is the system with the open relay.
Even if you use the relay-restricted configuration I discussed in the main article, the IMS version in Exchange Server 5.5 Service Pack 2 (SP2) allows relaying when an address is encapsulated with the IMCEASMTP-address@domain.com format. However, IMS versions later than 5.5.2650.10 resolve this problem. You can determine which IMS version you're using either by viewing the properties on the mseximc.exe file or by using a Telnet session on port 25 to connect to the server hosting the IMS. When you send a Telnet command to the server, it responds with a banner that identifies the type of system and the version. For example, the banner might read 220 server.domain.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10 ready.
Microsoft security bulletin MS99-027 (http://www.microsoft.com/ security/bulletins/ms99-027.asp) summarizes encapsulated SMTP address vulnerability. The FAQ at http: //www.microsoft.com/security/ bulletins/ms00-27faq.asp presents background about the problem. To eliminate this vulnerability, you can obtain a patch from ftp://ftp.microsoft.com/bussys/exchange/ exchangepublic/fixes/<language>/exchg5.5/postsp2/imc-fix. The patch is relatively easy to install, and I've heard no reports of problems.