NFG:My system's set up to block illegitimate mail. I demand authentication to relay and I greywall, but today a piece of spam came through with one legitimate address for a local user, and about 12 users on other systems in the CC/BCC fields. Because one user was legit the message was accepted by Mercury, processed, and 12 messages forwarded to other systems.
I don't want to sound like I'm in denial on this, but I don't think it happened the way you describe it. I can't find any way of getting Mercury to do this in testing here - the non-local addresses always return the "We do not relay with RFC2554 authentication" message when I try it, and I've just tried quite a range of possible combinations.
The only scenario that works here is if the sender is actually authenticated, in which case you have an issue of trust with a specific user rather than a technical problem. A variation on the same problem might happen if you have a connection control entry that specifically allows the connecting machine to relay, but once again, that is a configuration issue rather than a security hole.
If you can show me a session log illustrating a clear case of improper relaying, I'll fix it as a matter of urgency, but I'm pretty confident you won't be able to do that.
Cheers!
-- David --