Multiple spoofed domains getting through

    Question

  • Hi! We are running Exchange 2010 SP2 (on SBS 2011). We had an incident this weekend where about 20 emails were sent to us using spoofed domains. Below is the header from one of the emails saying that there was a permanent error in the SPF record, but the email still got through. I thought having Sender ID enabled was supposed to block this. Is there a configuration issue that I need to look at to help ensure these don't get through in the future? Or is this a case of not being able to block all spam?

    HEADER:

    Received: from remotedomain.org (41.110.147.49) by myserver.mydomain.local
     (192.168.xxx.xxx) with Microsoft SMTP Server id 14.2.247.3; Sun, 2 Jun 2013
     00:35:31 -0400
    Message-ID: <51AAC1C6.509060@mydomain.com>
    Date: Sun, 2 Jun 2013 05:35:31 +0100
    From: jim <jim@ottawa.edu>
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
    MIME-Version: 1.0
    To: <me@mydomain.com>
    Subject: RE: Hello
    Content-Type: text/plain; charset="UTF-8"; format=flowed
    Content-Transfer-Encoding: 7bit
    Return-Path: service@remotedomain.org
    X-MS-Exchange-Organization-AuthSource: myserver.mydomain.local
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: ottawa.edu
    X-MS-Exchange-Organization-SenderIdResult: PermError
    Received-SPF: PermError (myserver.mydomain.local: domain of
     jim@ottawa.edu used an invalid SPF mechanism)
    X-Brightmail-Tracker: AAAAAA==
    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedRecipient
    X-MS-Exchange-Organization-SCL: -1
    X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;482411904;0;info

    Monday, June 03, 2013 3:09 PM

Answers

  • Thanks, Andy D!

    I have Sender ID enabled and set to reject. However, I would like to know why the email still came through with SenderIdResult: PermError. Also, is there another configuration issue I need to look at?

    Sincerely,

    v2kmccl

    Well, those messages are coming from an authenticated sender:

    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedRecipient

    X-MS-Exchange-Organization-SCL: -1

    So you have either added the sending IP address of the server/sender as trusted within Exchange or your anti-spam product, or the recipient's mailbox has AntispamBypassEnabled set to $true.

    Check with :

    > Get-Mailbox <alias> | FL antispam*


    Please Note: My Posts are provided "AS IS" without warranty of any kind, either expressed or implied.

    Monday, June 03, 2013 6:08 PM
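The checks the accepted answer points at, gathered into one script, as an added example that is not part of the original thread and not Microsoft's code. It runs in the Exchange 2010 Management Shell (PowerShell 2.0) on the SBS 2011 server. The header text is the one pasted in the question; the function name Get-AntispamStamps, the recipient value in $Recipient and the seven-day tracking-log window are assumptions to replace with your own. The point of fact behind it: the Sender ID agent's SpoofedDomainAction (here, Reject) applies to a Fail result, TempError has its own TempErrorAction, and a PermError is only stamped on the message and left for the Content Filter agent to weigh. The header shows that agent skipped this recipient (ContentFilterConfigBypassedRecipient, SCL -1), so nothing downstream acted on the PermError.

```powershell
# Added example (not from the original thread): read the anti-spam stamps out of a
# pasted header, then audit the Exchange 2010 settings that produce them.
# Run in the Exchange Management Shell on the SBS 2011 server.

# The relevant header lines from the question, embedded so the parser runs offline.
$HeaderText = @'
Received: from remotedomain.org (41.110.147.49) by myserver.mydomain.local
 (192.168.xxx.xxx) with Microsoft SMTP Server id 14.2.247.3; Sun, 2 Jun 2013
 00:35:31 -0400
From: jim <jim@ottawa.edu>
To: <me@mydomain.com>
Return-Path: service@remotedomain.org
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: ottawa.edu
X-MS-Exchange-Organization-SenderIdResult: PermError
Received-SPF: PermError (myserver.mydomain.local: domain of
 jim@ottawa.edu used an invalid SPF mechanism)
X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedRecipient
X-MS-Exchange-Organization-SCL: -1
'@

function Get-AntispamStamps {
    # Assumed helper name. Unfolds RFC 5322 continuation lines (a line starting
    # with space or tab continues the previous field), then returns the fields
    # the transport agents stamp plus the sender fields they are judged against.
    param([Parameter(Mandatory=$true)][string]$Header)
    $unfolded = $Header -replace "`r?`n[ \t]+", ' '
    $wanted = 'Received-SPF', 'Return-Path', 'From', 'To',
              'X-MS-Exchange-Organization-AuthAs',
              'X-MS-Exchange-Organization-PRD',
              'X-MS-Exchange-Organization-SenderIdResult',
              'X-MS-Exchange-Organization-Antispam-Report',
              'X-MS-Exchange-Organization-SCL'
    $stamps = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$' -and $wanted -contains $matches[1]) {
            $stamps[$matches[1]] = $matches[2]
        }
    }
    $stamps
}

$stamps = Get-AntispamStamps -Header $HeaderText
$stamps.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Reading the stamps: PRD is the domain Sender ID checked (taken here from From:,
# not from the Return-Path domain). Its SPF record gave PermError, which the
# Reject action does not cover (it fires on Fail). SCL -1 with
# ContentFilterConfigBypassedRecipient means the Content Filter agent never
# scored the message because the recipient is on its bypass list.

$Recipient = 'me@mydomain.com'   # assumed: the affected mailbox from the header

# Sender ID agent: which action applies to which result.
Get-SenderIdConfig | Format-List Enabled, ExternalMailEnabled, SpoofedDomainAction,
    TempErrorAction, BypassedRecipients, BypassedSenderDomains

# Content Filter agent: BypassedRecipients is what produces the stamp seen above.
Get-ContentFilterConfig | Format-List Enabled, ExternalMailEnabled, SCLRejectEnabled,
    SCLRejectThreshold, BypassedRecipients, BypassedSenders, BypassedSenderDomains

# Per-mailbox bypass, the check from the accepted answer.
Get-Mailbox $Recipient | Format-List Name, AntispamBypassEnabled

# Connection filtering allow list: a listed source IP also skips the other agents.
Get-IPAllowListEntry | Format-Table IPRange, ExpirationTime, Comment -AutoSize

# Which anti-spam agents are installed and enabled on this Hub Transport server.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Confirm the delivery path in the tracking log (window assumed: last 7 days).
# The value must match the log's message-id field, brackets included.
Get-MessageTrackingLog -MessageId '<51AAC1C6.509060@mydomain.com>' -Start (Get-Date).AddDays(-7) |
    Format-Table Timestamp, EventId, Source, Sender, Recipients -AutoSize

# Remediation once the audit confirms which bypass is in effect (review first):
# Set-ContentFilterConfig -BypassedRecipients @{Remove=$Recipient}
# Set-Mailbox $Recipient -AntispamBypassEnabled $false
```

Run the audit half against your own server and compare the bypass lists with the stamps the parser prints; whichever list or flag names the recipient or the source IP is the setting that let the message through. Keep in mind that fixing the bypass only restores content filtering; a PermError on a third party's SPF record still will not be rejected by Sender ID, so a spoofed domain with a broken record is scored, not blocked.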

All replies

  • I don't know if SBS has a different mechanism, but for sender filtering options and actions see:

    http://technet.microsoft.com/en-us/library/bb125259(v=exchg.141).aspx


    Please Note: My Posts are provided "AS IS" without warranty of any kind, either expressed or implied.

    Monday, June 03, 2013 3:22 PM
  • Thanks, Andy D!

    I have Sender ID enabled and set to reject. However, I would like to know why the email still came through with SenderIdResult: PermError. Also, is there another configuration issue I need to look at?

    Sincerely,

    v2kmccl

    Monday, June 03, 2013 5:23 PM