Spoofing

    Question

  • Hi,

    Suddenly, we have started receiving infected emails from user@ourdomain.com even though the user does not exist in our email database. How can we disable spoofing?

    Exchange 2013

    Thanks.

    Thursday, November 2, 2017 7:17 AM

All replies

  • Try Get-SenderFilterConfig and Get-SenderIdConfig.

    You should be able to get details if the spoof is allowed?

    I am unable to log in to Exchange now to verify for you.


    Thanks & Regards Ramandeep Singh

    Thursday, November 2, 2017 12:46 PM
  • 
    You need to implement and check for DMARC/SPF and DKIM on your SMTP gateway.

    Thursday, November 2, 2017 1:50 PM
  • 
    [PS] C:\Windows\system32>Get-SenderIdConfig


    RunspaceId            : 349b5495-9d93-4381-949f-9597b8870d63
    SpoofedDomainAction   : StampStatus
    TempErrorAction       : StampStatus

    Thanks & Regards Ramandeep Singh

    Friday, November 3, 2017 5:29 AM
  • change using this

    Thanks & Regards Ramandeep Singh

    Friday, November 3, 2017 5:29 AM
  • Hi,

    We can also check the message tracking log to see which IP sent the message and then check whether this IP address is internal or external.

    We can remove the bypass sender address spoofing check permission on all the default receive connectors:

    Remove-ADPermission "default receive connector" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

    If it’s from a static external IP address, we can block it in the IP block list.

    Thanks for your effort and hope it helps.


    Regards,

    Jason Chao



    Friday, November 3, 2017 8:31 AM
    Moderator
  • Running senderidconfig shows the below:

    RunspaceId            : 31e5be33-6244-47b2-b7c3-798074bd72ed
    SpoofedDomainAction   : StampStatus
    TempErrorAction       : StampStatus
    BypassedRecipients    : {}
    BypassedSenderDomains : {}
    Name                  : SenderIdConfig
    Enabled               : True
    ExternalMailEnabled   : True
    InternalMailEnabled   : False
    AdminDisplayName      :
    ExchangeVersion       : 0.1 (8.0.535.0)
    DistinguishedName     : CN=SenderIdConfig,CN=Message Hygiene,CN=Transport Settings,CN=First Organization,CN=Microsoft
                            Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
    Identity              : SenderIdConfig
    Guid                  : 878b91e6-e80e-45f3-83f2-b0b7cc274989
    ObjectCategory        : Domain.com/Configuration/Schema/ms-Exch-Message-Hygiene-Sender-ID-Config
    ObjectClass           : {top, msExchAgent, msExchMessageHygieneSenderIDConfig}
    WhenChanged           : 1/24/2013 9:25:41 AM
    WhenCreated           : 1/24/2013 9:25:41 AM
    WhenChangedUTC        : 1/24/2013 6:25:41 AM
    WhenCreatedUTC        : 1/24/2013 6:25:41 AM
    OrganizationId        :
    Id                    : SenderIdConfig
    OriginatingServer     : Domain-dc.Domain.com
    IsValid               : True
    ObjectState           : Unchanged

    and running senderfilterconfig shows

    RunspaceId                   : 31e5be33-6244-47b2-b7c3-798074bd72ed
    Name                         : SenderFilterConfig
    BlockedSenders               : {}
    BlockedDomains               : {}
    BlockedDomainsAndSubdomains  : {}
    Action                       : Reject
    BlankSenderBlockingEnabled   : False
    RecipientBlockedSenderAction : Reject
    Enabled                      : True
    ExternalMailEnabled          : True
    InternalMailEnabled          : False
    AdminDisplayName             :
    ExchangeVersion              : 0.1 (8.0.535.0)
    DistinguishedName            : CN=SenderFilterConfig,CN=Message Hygiene,CN=Transport Settings,CN=First
                                   Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
    Identity                     : SenderFilterConfig
    Guid                         : 1cff00a9-a69a-41b5-bc17-5267defff9ce
    ObjectCategory               : Domain.com/Configuration/Schema/ms-Exch-Message-Hygiene-Sender-Filter-Config
    ObjectClass                  : {top, msExchAgent, msExchMessageHygieneSenderFilterConfig}
    WhenChanged                  : 1/24/2013 9:25:41 AM
    WhenCreated                  : 1/24/2013 9:25:41 AM
    WhenChangedUTC               : 1/24/2013 6:25:41 AM
    WhenCreatedUTC               : 1/24/2013 6:25:41 AM
    OrganizationId               :
    Id                           : SenderFilterConfig
    OriginatingServer            : Domain-dc.Domain.com
    IsValid                      : True
    ObjectState                  : Unchanged

    Saturday, November 4, 2017 1:27 AM
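
The checks discussed in the replies above, collected into one Exchange Management Shell session. This is an added example, not code posted by anyone in the thread. The 7-day window, the private-address pattern and the second extended right (ms-Exch-SMTP-Accept-Authoritative-Domain-Sender) are assumptions that do not come from the thread.

```powershell
# Added example; run in the Exchange Management Shell on an Exchange 2013 server.
$spoofed = 'user@ourdomain.com'   # address quoted in the question
$window  = (Get-Date).AddDays(-7) # assumption: look back one week

# 1. Message tracking: which client IPs handed over mail claiming this sender?
$hits = Get-TransportService |
    Get-MessageTrackingLog -Sender $spoofed -EventId RECEIVE -Start $window -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' }

# Assumption: loopback and RFC 1918 ranges count as "internal".
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$hits | Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIp';  e = { $_.Name } },
        @{ n = 'Internal';  e = { $_.Name -match $private } },
        @{ n = 'Connector'; e = { ($_.Group | Select-Object -First 1).ConnectorId } }

# 2. Receive connectors: list anonymous permissions that let an unauthenticated
#    session use any sender address or an address in an authoritative domain.
$pattern = 'ms-Exch-SMTP-Accept-(Any|Authoritative-Domain)-Sender'
Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights -match $pattern } |
        Select-Object @{ n = 'Connector'; e = { $rc.Identity } }, ExtendedRights, Deny
}

# 3. Sender ID: the outputs in this thread show SpoofedDomainAction = StampStatus,
#    which records the Sender ID result on the message and still delivers it.
Get-SenderIdConfig |
    Format-List Enabled, ExternalMailEnabled, SpoofedDomainAction, TempErrorAction

# Reject acts only on a Sender ID "Fail", so the domain must publish an SPF
# record that does not authorize the sending hosts found in step 1.
# -WhatIf previews the change; remove it once the SPF record is in place.
Set-SenderIdConfig -SpoofedDomainAction Reject -WhatIf
```

If step 1 shows the messages arriving from internal addresses, Sender ID will not evaluate them, because the configuration above has InternalMailEnabled set to False.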
  • https://practical365.com/exchange-server/a-sender-policy-framework-spf-primer-for-exchange-administrators/

    Thanks & Regards Ramandeep Singh

    Saturday, November 4, 2017 9:43 AM