SBS/Exchange 2003 Открытое Реле на Уродливом Адресе электронной почты

I'd say the burden of proof is on them - they need to demonstrate that it's actually relaying to the encapsulated address for this to be a vulnerability.

You can't prove a negative; there's no way for you to demonstrate that every possible combination of address malforming will be rejected. Fuzzing the recipient address field of your email server should not be expected of you in order to prove compliance; testing these things and reporting on any issues found is what the scanner's getting paid for.

An accept response happens all the time for messages that aren't delivered (for spam in particular) - it's irresponsible of them to assume an open relay based on a particular response code. Every scan vendor of this type I've seen actually sends the message to an internet address, so that they're able to confirm whether they could successfully relay.

Your testing has shown that despite the response code, the message is not relayed, and the addition of your domain at the end is additional evidence that the message is going absolutely nowhere. However, they may have malformed the address in a different way and seen different behavior. Ask them for the exact traffic they send and what exact response they got, and whether their scan confirmed relaying over the internet. If they did, reproduce it; that should be the extent of the due diligence that you need to perform here.

If they won't prove that you're actually vulnerable to this vulnerability, then their scan is meaningless and you should contest their findings.