You wrote:
And someone trying to be helpful without (like RBogan) being insulting, told him that it's simply because the FROM address was being spoofed. One day...as merk was checking his email...he noticed he was receiving mail from himself. He opened his inbox...and guess what? He had mail from "merk@clueless.com". WOW. As Merk knew he didn't send this email to himself...he became puzzled. Off he went to ME's forum in search of assistance.
With all due respect, I don't think you understand at all how SMTP works. Nothing in this thread to date has addressed the simple fact that FROM addresses (among other fields) can be easily spoofed, so sending someone an email that appears to be from themselves is trivially easy, and does not require some elaborate explanation of a theoretical bug in ME's relay settings.
If you have a given mail server running MailEnable, and relaying is enabled ONLY for authenticated users, then here's what happens:
- Any mail sent to that mail server which is addressed to a domain that is local to that mailserver will be delivered, without any authentication requirement. This is the most likely scenario for what the original poster is describing, with the added bit that the spammer is spoofing the FROM address to look like their mail is sent from the recipient's own address.
- Any mail sent to that mail server which is addressed to a non-local domain will require relay, and hence will require authentication. It doesn't matter at all what is in the FROM address field, as long as "Allow relay for local sender addresses" is not checked.
- That someone has sent mail to the original poster with the FROM address spoofed so it looks like they sent it to themselves, and their mail server accepted it because all incoming mail to local domains is accepted. OR:
- That there's a bug in the relay authentication for MailEnable, and some spammer is using it to send people mail from their own mailservers that looks like it's coming from their own address.
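
The accept/relay rules described in the post above, modelled as an added example (not part of the original post and not MailEnable's code). The `Envelope` and `decide` names, the example.net/example.org addresses, and the modelled effect of "Allow relay for local sender addresses" are assumptions; the second return value flags unauthenticated mail that claims a local sender, which is what the spoofed self-addressed message looks like to the server.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"clueless.com"}  # domains this server hosts (from the thread's example address)

@dataclass
class Envelope:
    authenticated: bool  # did the client complete SMTP AUTH?
    mail_from: str       # envelope sender: client-supplied, never verified by SMTP
    rcpt_to: str         # envelope recipient

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def decide(env: Envelope, relay_for_local_senders: bool = False):
    """Return (action, spoof_suspect) for one recipient."""
    sender_local = domain(env.mail_from) in LOCAL_DOMAINS
    if domain(env.rcpt_to) in LOCAL_DOMAINS:
        # Inbound delivery to a hosted domain needs no authentication.
        # An unauthenticated client claiming a local sender is worth flagging.
        return "deliver", sender_local and not env.authenticated
    if env.authenticated:
        return "relay", False
    if relay_for_local_senders and sender_local:
        # Assumed effect of the option: the unverified FROM alone grants relay.
        return "relay", True
    return "reject", False

# Constructed sample envelopes.
SAMPLES = {
    "spoofed_self": Envelope(False, "merk@clueless.com", "merk@clueless.com"),
    "normal_inbound": Envelope(False, "alice@example.net", "merk@clueless.com"),
    "auth_outbound": Envelope(True, "merk@clueless.com", "bob@example.org"),
    "unauth_outbound": Envelope(False, "merk@clueless.com", "bob@example.org"),
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, decide(env), decide(env, relay_for_local_senders=True))
```
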