Stop Outbound Phishing

    Question

  • Hi everyone,

    We detected phishing spam mails being sent at a high rate from our single Exchange Server.

    Messages are sent by: "******@*******citibank.com", with this subject: "Your Credit Card Has Been Limited" from various External IPs.

    We have now deployed some network security filters, but I have one concern:

    How do spammers use our Exchange connector to send mail as an external, unmanaged domain?
    Why is it possible by default? How can we avoid it and allow only messages sent from our internal domain?

    Thanks for helping!

    Wednesday, March 2, 2016 10:40 AM

All replies

  • Do you have a receive connector that allows for anonymous relay out to the internet? If so, you should make sure that it's scoped properly and also make sure the emails are not coming from within your network.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Wednesday, March 2, 2016 12:48 PM
  • Hi,

    Generally speaking, there are two situations in which an enterprise mail server is used to send spam email:

    1. A mail user account was stolen.

    2. The mail server was set to allow mail relay.

    You can check the message queue to identify which situation it is.

    You can follow the link below for more details about using a Receive Connector for Anonymous Relay; it shows the advantages and disadvantages of disabling a receive connector for anonymous relay:

    https://technet.microsoft.com/en-us/library/aa996395(v=exchg.141).aspx


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, March 3, 2016 9:46 AM
  • Hi and thanks for helping!

    We checked Connectors using Telnet and MXTOOLBOX: NO OPEN RELAY configured on any connector!

    That's probably a stolen account... We changed all passwords and there's no spam in the queue anymore.

    However, I still can't understand how it might have been possible to send mails as someone other than the authenticated user's addresses:

    SPAM sent as "****@***alertcitibank.com", which is not part of our managed domains.

    How do I disable this behavior?

    Thanks again!

    Monday, March 7, 2016 3:11 PM
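As an added example (not from this thread, and not Microsoft's code), a read-only PowerShell audit for the Exchange Management Shell that performs the checks the two replies describe and speaks to the last question: it flags receive connectors where Anonymous Logon may relay to any recipient and shows which users hold the right to submit any sender address, then lists queued and recently received messages whose sender domain is not one of the organization's accepted domains, with the connector and client IP that accepted them. It assumes Exchange 2010 or later cmdlets and a 24-hour look-back window ($since), both of which are my choices.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell on the Hub/CAS server.
# Assumes Exchange 2010+ cmdlets; the 24-hour window is an arbitrary choice.
$since = (Get-Date).AddDays(-1)

# 1. Domains this organization is authoritative for. A sender address in any other
#    domain on mail leaving this server is a foreign (possibly spoofed) sender.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# 2. Per receive connector: can Anonymous Logon relay to any recipient (open relay)?
#    Which accounts may put any address in MAIL FROM (ms-Exch-SMTP-Accept-Any-Sender)?
foreach ($rc in Get-ReceiveConnector) {
    $acl = Get-ADPermission -Identity $rc.Identity | Where-Object { -not $_.Deny }
    $anonRelay = $acl | Where-Object {
        $_.User -like '*Anonymous*' -and
        ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*') }
    $anySender = $acl | Where-Object {
        ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Sender*') }
    [pscustomobject]@{
        Connector      = $rc.Identity
        RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
        AnonymousRelay = [bool]$anonRelay
        AnySenderUsers = (($anySender | ForEach-Object { $_.User.ToString() } |
                           Select-Object -Unique) -join ', ')
    }
}

# 3. Messages still sitting in the local queues with a foreign sender domain
#    (the "check the message queue" step). SourceIP shows where the submission came from.
Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress.ToString() -ne '<>' -and
        $accepted -notcontains $_.FromAddress.ToString().Split('@')[-1].ToLower() } |
    Select-Object Queue, FromAddress, Subject, SourceIP, Status

# 4. Which connector and client IP accepted foreign-sender mail over SMTP recently.
#    Internal client IPs point at a compromised account or host rather than an open relay.
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and $_.Sender -like '*@*' -and
        $accepted -notcontains $_.Sender.Split('@')[-1].ToLower() } |
    Group-Object ConnectorId, ClientIp | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it before and after changing connector permissions or passwords; section 4 is the one that tells you whether the foreign-sender traffic stopped rather than just drained from the queue.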