MAIL FROM:<spambag@fake.domain> RCPT TO:<victim@target>the classic "wide open relay"
MAIL FROM:<spambag@fake.domain> RCPT TO:<"victim@target">with the "" in there. Sendmail 8.8-specific (although Lotus Notes and other MTAs may exhibit this fault if incorrectly secured). Patch has been available since August 1998 - see the sendmail section of the ORBS fixup page Heavily exploited by spammers.
MAIL FROM:<spambag@fake.domain> RCPT TO: victim@targetno <>, this test is non-RFC821 compliant. Typical failures are MS Exchange and SLmail betas
MAIL FROM:<spambag> - no domain, vulnerable machines usually add their local domain RCPT TO:<victim@target>Typical machines which fail this are Post.Office and Intermail, or improperly setup sendmail 8.8
MAIL FROM:<spambag@fake.domain> RCPT TO:<victim%target@{relay}>{relay} is tested as [IP.address] IP.address and reverse.DNS.name. Heavily exploited by spammers and mailbombers. Most Lotus Notes/Domino installations fail this.
MAIL FROM:<spambag@fake.domain> RCPT TO:<victim@target@{relay}>Variation on the % address routing vulnerability above. not commonly used by spammers (yet).
MAIL FROM:<spambag@fake.domain> RCPT TO:<target!victim@{relay}>Mixed UUCP and Internet addressing. Typical failures are Sendmail installations with FEATURE(nouucp) set.
MAIL FROM:<spambag@fake.domain> RCPT TO:<@{relay}:victim@target>Another pathing vulnerability attack. Heavily exploited by mailbombers, usually as a multihop attack - RCPT TO:<@{relay1},@{relay2},@{relay3}:victim@target> - however also being used increasingly by spammers.
ORBS does not test the multihop variation.
MAIL FROM:<fake.domain!spambag> RCPT TO:<target!victim>This is old style UUCP pathing and more commonly used by mailbombers than spammers
MAIL FROM:<spambag> RCPT TO:<target!victim>
MAIL FROM:<> - "NULL sender." RCPT TO:<victim@target>This envelope must NOT be filtered from local delivery, as it's used for bounce messages, however it must not be allowed to relay.
MAIL FROM:<spambag@{relay}> RCPT TO:<victim@target>This is the only check most of the online testers actually perform. (This attack used to be the second most common form of spam relaying seen, but is currently rare.)