How to prevent internal SPAM from your own domain on Exchange 2010

Thanks to: http://www.packetland.net/

Have you ever found plenty of spam in your inbox and noticed, in the message source, that the From address is your own email address or a colleague's, that is, an address in your own domain and company?
This happens when a spammer spoofs one of your domain's email addresses and uses it to flood your mail server with what is called internal spam. But how is this possible?
In Exchange Server 2010, the Accepted Domains list is where you tell the server which domains it is authoritative for, and therefore which domains are valid as sender addresses. On its own, though, that list does not stop an external host from connecting to your Exchange server and supplying any address in your domain as the sender: the address is in an accepted domain, so it is accepted. Preventing that is the job of the extended Transport Permissions model in Exchange 2010.
Any Receive Connector that allows anonymous users (the Anonymous Users permission group, which every internet-facing connector needs) grants NT AUTHORITY\ANONYMOUS LOGON the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender extended right. This right controls whether an address in an Accepted Domain may appear in the MAIL FROM command or in the From: header of the message. When an external mail server submits mail to your Exchange server without authenticating, i.e. as an anonymous sender, Exchange consults this right to decide whether to accept or reject the sender address it supplied.
To stop anonymous users from sending mail as your domain, remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right from NT AUTHORITY\ANONYMOUS LOGON on the internet-facing Receive Connector (authenticated users keep it, so your own clients and servers are not affected). The command is shown below:
Get-ReceiveConnector "Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
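The one-liner above does the job but gives no feedback. The following script is an added example, not part of the original article: it audits the internet-facing connector first, removes the right only if anonymous senders actually hold it, and then re-reads the ACL to confirm the removal took effect. The connector name "Internet ReceiveConnector" is the hypothetical name used in this article; run it in the Exchange Management Shell on each Hub Transport or Edge server that has an internet-facing connector.

```powershell
# Added example (not from the original article): audit, remove and verify the
# ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right for anonymous senders
# on an internet-facing Receive Connector. Run in the Exchange Management Shell
# on Exchange 2010. The connector name is hypothetical; adjust it to yours.
param(
    [string]$ConnectorName = "Internet ReceiveConnector",   # hypothetical name
    [switch]$WhatIf                                           # preview only
)

$anon  = "NT AUTHORITY\ANONYMOUS LOGON"
$right = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

$connector = Get-ReceiveConnector $ConnectorName
if (-not $connector) { throw "Receive connector '$ConnectorName' not found" }

# Only connectors that accept anonymous submission grant this right to
# ANONYMOUS LOGON; on an authenticated-only connector there is nothing to do.
if ("$($connector.PermissionGroups)" -notmatch "AnonymousUsers") {
    Write-Warning "'$ConnectorName' does not allow AnonymousUsers; nothing to remove."
    return
}

# 1. Audit: does ANONYMOUS LOGON currently hold the right on this connector?
$before = $connector | Get-ADPermission -User $anon |
          Where-Object { $_.ExtendedRights -like $right }

if (-not $before) {
    Write-Host "'$ConnectorName': $right is already absent for $anon"
    return
}
Write-Host "'$ConnectorName': $anon holds $right - removing"

# 2. Remove the right (-WhatIf shows what would be removed without changing AD)
$before | Remove-ADPermission -Confirm:$false -WhatIf:$WhatIf

# 3. Verify by reading the ACL again; a remaining match means the change
#    did not apply (for example AD replication or a permissions problem).
$after = $connector | Get-ADPermission -User $anon |
         Where-Object { $_.ExtendedRights -like $right }

if ($after -and -not $WhatIf) {
    throw "$right is still present for $anon on '$ConnectorName'"
}
if (-not $WhatIf) {
    Write-Host "Verified: $right removed from $anon on '$ConnectorName'"
}
```

Run it once with -WhatIf to see exactly which ACE would be removed, then without. The verification step matters because the change is written to Active Directory; if a second Hub Transport server has its own internet-facing connector, the script must be run against that connector as well.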
Once the right is removed, an anonymous sender that tries to submit mail using one of your Accepted Domains as the sender is rejected as soon as it issues MAIL FROM:

220 packetland.net Microsoft ESMTP MAIL Service ready at Fri, 03 Jan 2014 02:58:20 -0600
helo
250 packetland.net Hello [87.88.89.90]
mail from: packetland@packetland.net
550 5.7.1 Client does not have permissions to send as this sender



The same check is applied to the From: header inside the message itself. So even if the spammer uses an external envelope sender and only spoofs the From: header, the message is rejected, this time at the end of DATA:

mail from: anyuser@anyemail.com
250 2.1.0 Sender OK
rcpt to: packetland@packetland.net
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
from: packetland@packetland.net
subject: Header spoofing
.
550 5.7.1 Client does not have permissions to send as this sender
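Typing the SMTP session by hand in telnet works for a one-off check, but the same test is worth repeating from outside the network after every change. The following function is an added example, not code from the original article: it opens a raw TCP session to port 25, issues EHLO and a MAIL FROM with an address in your own domain, and reports whether the server answered 250 (still spoofable) or 550 (fixed). The server name and addresses in the usage line are hypothetical. Run it from a host on the internet, because a connection from inside the network may land on a different Receive Connector.

```powershell
# Added example (not from the original article): probe an internet-facing
# Exchange server to see whether an unauthenticated MAIL FROM using your own
# domain is still accepted. Expected after the fix: "550 5.7.1 Client does not
# have permissions to send as this sender". Hostnames/addresses are hypothetical.

function Read-SmtpReply {
    # Read one complete SMTP reply, including multi-line "250-..." continuations.
    param([System.IO.StreamReader]$Reader, [string]$Server)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw "Connection closed by $Server" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
    return ($lines -join "`n")
}

function Test-SmtpSenderSpoofing {
    param(
        [Parameter(Mandatory)] [string]$Server,          # e.g. mail.example.com (hypothetical)
        [Parameter(Mandatory)] [string]$SpoofedSender,   # an address in your Accepted Domain
        [int]$Port = 25,
        [string]$HeloName = "probe.invalid"              # name we announce in EHLO
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000                      # milliseconds
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"                       # SMTP lines end in CRLF
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply -Reader $reader -Server $Server
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }

        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-SmtpReply -Reader $reader -Server $Server
        if ($ehlo -notmatch '^250') { throw "EHLO rejected: $ehlo" }

        # The check that matters: envelope sender in our own domain, no AUTH.
        $writer.WriteLine("MAIL FROM:<$SpoofedSender>")
        $mailReply = Read-SmtpReply -Reader $reader -Server $Server

        $writer.WriteLine("QUIT")
        try { [void](Read-SmtpReply -Reader $reader -Server $Server) } catch { }

        [pscustomobject]@{
            Server    = $Server
            Sender    = $SpoofedSender
            Reply     = $mailReply
            Spoofable = ($mailReply.Substring(0, 3) -eq '250')   # $true = fix not in place
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (hypothetical values):
# Test-SmtpSenderSpoofing -Server mail.example.com -SpoofedSender someone@example.com
```

A result with Spoofable set to $true means the right is still granted to anonymous senders on the connector this connection reached. The function stops at MAIL FROM on purpose: it never sends RCPT TO or DATA, so no message is ever queued even when the server is still open to spoofing.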


In conclusion, we have seen that removing the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right from anonymous senders stops spoofing of your own domains, both in the envelope sender and in the From: header, and it should be applied on every internet-facing Exchange server to avoid the internal spam situation. One caveat before you do: any external system that legitimately sends as your domain without authenticating (a hosted mailing or notification service, a partner relay, mail forwarded from outside) will be rejected with the same 550 on that connector. Give such senders a dedicated Receive Connector restricted to their source IP addresses, or have them authenticate, rather than leaving the right in place for everyone.
