How to prevent internal SPAM from your own domain on Exchange 2010

Thank to: http://www.packetland.net/

Have you ever seen plenty of spam mail in your inbox and noticed in the source FROM field that it's either your email address or some colleague’s email address, of your own domain and company as a sender?
This can happen if one of your domain email addresses has been spoofed by a spammer and then used to flood your mail server with what it’s called internal spam. But how is this achieved?
In Exchange Server 2010, the Accepted Domains section is where is stated on Exchange server which domains are valid to be used as source email addresses in order to push emails to the internet. But this means that an external user can connect to your company Exchange server and by providing any email address using your domain name will get accepted. That’s what the extensive Transport Permissions model in Exchange 2010 is there for, in order to prevent such spam to be delivered.
By default all the Receive Connectors on Exchange 2010 have the ms-exch-smtp-accept-authoritative-domain-sender permission which indicates whether an Accepted Domain can be used in the MAIL or FROM headers. When an external mail server submits mail to your Exchange server without authentication, as anonymous senders, that permission is being consult by the Exchange server in order to allow or block the email supplied by anonymous senders.
To avoid anonymous users sending mail using your domain you need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them. The command to remove this permission is shown below:
Get-ReceiveConnector “Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission
As soon as this permission is removed, when anonymous senders try to submit mail to your Exchange server, it will consult the list of the Accepted Domains, and the result will be the following:

220 packetland.net Microsoft ESMTP MAIL Service ready at Fri, 03 Jan 2014 02:58:20 -0600
helo
250 packetland.net Hello [87.88.89.90]
mail from: packetland@packetland.net
550 5.7.1 Client does not have permissions to send as this sender



Even if someone tries to use email address header spoofing in the email message body, as you can see below it fails:

mail from: anyuser@anyemail.com
250 2.1.0 Sender OK 
rcpt to: packetland@packetland.net 
250 2.1.5 Recipient OK 
DATA 
354 Start mail input; end with .
from: packetland@packetland.net  
subject: Header spoofing 
.  
550 5.7.1 Client does not have permissions to send as this sender


As a conclusion in this article we have seen that removing the ms-exch-smtp-accept-authoritative-domain-sender permission stops spoofing of your domains and it is absolutely neccessary to be applied on internet facing Exchange servers to avoid the internal spam situation.

Comentarios

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Comando FOR para archivos BAT

How to Setup and Configure Your Own GitLab Server on Ubuntu 20.04