So I was greeted with a lovely issue this morning that is really driving me nuts. My mail system was relaying messages from using a valid user on my system (MFouch). The IP address that was sending the messages appears to be in Lagos, Nigeria ( I have been combing my GWIA, MTA, and POA logs and I am not seeing any POP/IMAP/SMTP auth from that IP address. The valid local user that was being abused "C/S dos" login was getting logged but from GWIA's internal IP address. I attached a MIME copy of the message.

My GWIA agent is setup to prevent relaying. I do allow relaying from some specifically defined internal addresses. I do allow POP3 in, but only specific users can use IMAP4 (silly Android issue). I require authentication for both POP3, IMAP4, and SMTP. I ran all of the different open relay tests that I am aware of (, as well as tried to relay something via telnetting to my GWIA. I have attached my current GWIA flags as well. I just added /disallowauthrelay for now as a test/precaution.

I found TID 7008712 that confused, upset, and scared me all at the same time (GroupWise Internet Agents are relaying emails when they're not suppose to be relaying.). If what this TID says is correct, how can I continue to use GroupWise?

It looks like I have stopped the trouble for now. I added /disallowauthrelay as per TID7008712 (which will probably upset a few people). I renamed my gwac.db in case there was some corruption in my SMTP access control list. I changed the abused local user's password. I renamed all of my various GWIA directories (000.PRC, DEFER, GWHOLD, GWPROB, RECEIVE, RESULT, SEND, WPCSIN, and WPCSOUT) just to give me some time to clean out all of the deferrals, send items, and to be sure there is not a message queued somewhere. Members of my team are scanning the two machines this user uses as a precaution. I have also explicitly denied access to my network at my perimeter.

Has any of the great minds out there in the Novell Forum Land seen this before or can point out my buffoonery?

Thanks in advance,