Issue with anonymous send email

    Question

  • Hi all,

    I have an issue with my Exchange server: from inside my local network, anyone can send mail from a non-existent Exchange address to my domain addresses.
    How can I block it?

    receive connector config:

    Default Frontend <Server name>: anonymous users is enabled (to receive email from all Internet domains).

    Anonymous: I've created an anonymous receive connector for a few applications that send email via my mail server;

    in the Scoping settings I permitted just a few application servers to send email as anonymous users.


    • Edited by Sadegh7 Tuesday, October 31, 2017 6:20 AM
    Tuesday, October 31, 2017 5:04 AM


All replies

  • Anyone can send mail from outside your network to non-existent addresses, so why are you worried about inside users?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, November 1, 2017 3:03 AM
    Moderator
  • Hi,

    Thanks for contacting our forum.

    What do you mean by “from in my local network anyone can send non-exist Exchange address to my domain address”? Do you mean the From address is a non-existent Exchange address, or that the recipients’ addresses are non-existent Exchange addresses?

    I assume it’s the From part. We can also check the SMTP log to see which receive connector the messages are using.

    We can remove the permission of the receive connector as below:

    Get-ReceiveConnector "connector name" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "Ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    Get-ReceiveConnector "connector name" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 1, 2017 7:04 AM
    Moderator
  • Dear ED Crowley,

    In my environment I have a few bad boys (:D) who send email anonymously, without authentication, to other recipients in my local network, and for that reason I want to block it.


    • Edited by Sadegh7 Wednesday, November 1, 2017 7:50 AM
    Wednesday, November 1, 2017 7:49 AM
  • This is one of those cases where my autosignature applies.

    If you can change your firewall so that all inbound mail comes from a single address, i.e., change it so that the source IP address isn't preserved, then you can create a new receive connector with AnonymousUsers in PermissionGroups and SourceIPRanges set to the IP address of mail from the Internet.  Then you can remove AnonymousUsers from the Default receive connector.  The downside of doing that is you won't be able to tell in Exchange where e-mail from the Internet is coming from.

    The best approach is to work with management to punish the offenders.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, November 1, 2017 8:15 AM
    Moderator
  • Jason, that applies to relay, but my understanding is that the question is about submission.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, November 1, 2017 8:16 AM
    Moderator
  • Thanks, guys, for the response.

    My Receive connector configuration: 

    [PS] D:\>Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | fl

    Result:

    User                : NT AUTHORITY\ANONYMOUS LOGON

    Identity            : SRV-EXH-01\Default Frontend SRV-EXH-01
    Deny                : False
    AccessRights        : {ExtendedRight}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

    User                : NT AUTHORITY\ANONYMOUS LOGON
    Identity            : SRV-EXH-01\Portal
    Deny                : False
    AccessRights        : {ExtendedRight}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

    --

    [PS] D:\>Get-ReceiveConnector "SRV-EXH-01\Default Frontend SRV-EXH-01" | fl

    Result:

    RunspaceId                                : 94b7e726-d084-4eb2-b245-334edd4821fc
    AuthMechanism                             : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                    :
    BinaryMimeEnabled                         : True
    Bindings                                  : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                           : True
    DefaultDomain                             :
    DeliveryStatusNotificationEnabled         : True
    EightBitMimeEnabled                       : True
    SmtpUtf8Enabled                           : False
    BareLinefeedRejectionEnabled              : False
    DomainSecureEnabled                       : True
    EnhancedStatusCodesEnabled                : True
    LongAddressesEnabled                      : False
    OrarEnabled                               : False
    SuppressXAnonymousTls                     : False
    ProxyEnabled                              : False
    AdvertiseClientSettings                   : False
    Fqdn                                      : srv-exh-01.xxx.com
    ServiceDiscoveryFqdn                      :
    TlsCertificateName                        :
    Comment                                   :
    Enabled                                   : True
    ConnectionTimeout                         : 00:10:00
    ConnectionInactivityTimeout               : 00:05:00
    MessageRateLimit                          : 1000
    MessageRateSource                         : IPAddress
    MaxInboundConnection                      : 5000
    MaxInboundConnectionPerSource             : 20
    MaxInboundConnectionPercentagePerSource   : 2
    MaxHeaderSize                             : 256 KB (262,144 bytes)
    MaxHopCount                               : 60
    MaxLocalHopCount                          : 50
    MaxLogonFailures                          : 3
    MaxMessageSize                            : 30 MB (31,457,280 bytes)
    MaxProtocolErrors                         : 5
    MaxRecipientsPerMessage                   : 200
    PermissionGroups                          : AnonymousUsers, ExchangeServers, ExchangeLegacyServers, Custom
    PipeliningEnabled                         : True
    ProtocolLoggingLevel                      : Verbose
    RemoteIPRanges                            : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                         : False
    RequireTLS                                : False
    EnableAuthGSSAPI                          : False
    ExtendedProtectionPolicy                  : None
    LiveCredentialEnabled                     : False
    TlsDomainCapabilities                     : {}
    Server                                    : SRV-EXH-01
    TransportRole                             : FrontendTransport
    RejectReservedTopLevelRecipientDomains    : False
    RejectReservedSecondLevelRecipientDomains : False
    RejectSingleLabelRecipientDomains         : False
    SizeEnabled                               : Enabled
    TarpitInterval                            : 00:00:05
    MaxAcknowledgementDelay                   : 00:00:30
    AdminDisplayName                          :
    ExchangeVersion                           : 0.1 (8.0.535.0)
    Name                                      : Default Frontend SRV-EXH-01
    DistinguishedName                         : CN=Default Frontend SRV-EXH-01,CN=SMTP Receive
                                                Connectors,CN=Protocols,CN=SRV-EXH-01,CN=Servers,CN=Exchange Administrative Group
                                                (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=xxx,CN=Microsoft
                                                Exchange,CN=Services,CN=Configuration,DC=xxx,DC=com
    Identity                                  : SRV-EXH-01\Default Frontend SRV-EXH-01
    Guid                                      : a3c09cfe-7212-468e-a784-c74961903c0d
    ObjectCategory                            : xxx.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                               : {top, msExchSmtpReceiveConnector}
    WhenChanged                               : 10/30/2017 1:46:31 PM
    WhenCreated                               : 12/27/2016 12:28:55 PM
    WhenChangedUTC                            : 10/30/2017 10:16:31 AM
    WhenCreatedUTC                            : 12/27/2016 8:58:55 AM
    OrganizationId                            :
    Id                                        : SRV-EXH-01\Default Frontend SRV-EXH-01
    OriginatingServer                         : SRV-DC-01.xxx.com
    IsValid                                   : True
    ObjectState                               : Unchanged


    [PS] D:\>Get-ReceiveConnector "Portal" | fl

    Result:

    RunspaceId                                : 94b7e726-d084-4eb2-b245-334edd4821fc
    AuthMechanism                             : Tls
    Banner                                    :
    BinaryMimeEnabled                         : True
    Bindings                                  : {0.0.0.0:25}
    ChunkingEnabled                           : True
    DefaultDomain                             :
    DeliveryStatusNotificationEnabled         : True
    EightBitMimeEnabled                       : True
    SmtpUtf8Enabled                           : False
    BareLinefeedRejectionEnabled              : False
    DomainSecureEnabled                       : False
    EnhancedStatusCodesEnabled                : True
    LongAddressesEnabled                      : False
    OrarEnabled                               : False
    SuppressXAnonymousTls                     : False
    ProxyEnabled                              : False
    AdvertiseClientSettings                   : False
    Fqdn                                      : srv-exh-01.xxx.com
    ServiceDiscoveryFqdn                      :
    TlsCertificateName                        :
    Comment                                   :
    Enabled                                   : True
    ConnectionTimeout                         : 00:10:00
    ConnectionInactivityTimeout               : 00:05:00
    MessageRateLimit                          : Unlimited
    MessageRateSource                         : IPAddress
    MaxInboundConnection                      : 5000
    MaxInboundConnectionPerSource             : 20
    MaxInboundConnectionPercentagePerSource   : 2
    MaxHeaderSize                             : 256 KB (262,144 bytes)
    MaxHopCount                               : 60
    MaxLocalHopCount                          : 12
    MaxLogonFailures                          : 3
    MaxMessageSize                            : 36 MB (37,748,736 bytes)
    MaxProtocolErrors                         : 5
    MaxRecipientsPerMessage                   : 200
    PermissionGroups                          : AnonymousUsers, Custom
    PipeliningEnabled                         : True
    ProtocolLoggingLevel                      : None
    RemoteIPRanges                            : {192.168.0.100, 101.168.0.102, 192.168.0.103, 192.168.0.104}
    RequireEHLODomain                         : False
    RequireTLS                                : False
    EnableAuthGSSAPI                          : False
    ExtendedProtectionPolicy                  : None
    LiveCredentialEnabled                     : False
    TlsDomainCapabilities                     : {}
    Server                                    : SRV-EXH-01
    TransportRole                             : FrontendTransport
    RejectReservedTopLevelRecipientDomains    : False
    RejectReservedSecondLevelRecipientDomains : False
    RejectSingleLabelRecipientDomains         : False
    SizeEnabled                               : Enabled
    TarpitInterval                            : 00:00:05
    MaxAcknowledgementDelay                   : 00:00:30
    AdminDisplayName                          :
    ExchangeVersion                           : 0.1 (8.0.535.0)
    Name                                      : Portal
    DistinguishedName                         : CN=Portal,CN=SMTP Receive Connectors,CN=Protocols,CN=SRV-EXH-01,CN=Servers,CN=Exchange Administrative
                                                Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=xxx,CN=Microsoft
                                                Exchange,CN=Services,CN=Configuration,DC=xxx,DC=com
    Identity                                  : SRV-EXH-01\Portal
    Guid                                      : 0015e203-0d99-4efd-907d-56ffc5c2666b
    ObjectCategory                            : xxx.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                               : {top, msExchSmtpReceiveConnector}
    WhenChanged                               : 10/30/2017 1:32:33 PM
    WhenCreated                               : 3/28/2017 3:10:14 PM
    WhenChangedUTC                            : 10/30/2017 10:02:33 AM
    WhenCreatedUTC                            : 3/28/2017 10:40:14 AM
    OrganizationId                            :
    Id                                        : SRV-EXH-01\Portal
    OriginatingServer                         : SRV-DC-01.xxx.com
    IsValid                                   : True
    ObjectState                               : Unchanged

    • Edited by Sadegh7 Wednesday, November 1, 2017 11:18 AM
    Wednesday, November 1, 2017 8:56 AM
  • Track their email and find out the connector they are using.

    If it is the one below, it is allowed to receive emails from anonymous users. I think your Internet receive connector should be a different one, which needs anonymous users allowed, but this is the default front end. You may have to test.

    "SRV-EXH-01\Default Frontend SRV-EXH-01"

    Thanks & Regards Ramandeep Singh

    Wednesday, November 1, 2017 11:30 AM
  • Ramandeep Singh,

    The "SRV-EXH-01\Default Frontend SRV-EXH-01" is used to accept external email. It has anonymous enabled and is open to all IP ranges. This is also required so it can accept emails from the Internet; we need to disable anonymous relay and create receive connectors that allow specific IP addresses.

    Wednesday, November 1, 2017 12:27 PM
  • Hi Sadegh7,

    Do you mean you don't need the "SRV-EXH-01\Default Frontend SRV-EXH-01" to receive external emails, and want to create a specific receive connector for specific external domains or IPs?

    If the bad boys are internal, they do not use this connector, in my experience.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, November 3, 2017 2:37 AM
    Moderator
  • Dear Jason.Chao

    "Do you mean you don't need the "SRV-EXH-01\Default Frontend SRV-EXH-01" to receive external emails?" No, I don't mean that. I receive external email and that's not the issue. I said that everyone can send email from mydomain to mydomain without authentication, and that's my issue.


    • Edited by Sadegh7 Saturday, November 4, 2017 12:30 PM
    Friday, November 3, 2017 6:32 PM
  • Can anyone help me?

    Sunday, November 5, 2017 6:42 AM
  • Dear ED Crowley,

    In my environment I have a few bad boys (:D) who send email anonymously, without authentication, to other recipients in my local network, and for that reason I want to block it.


    How did you notice that the bad boys are inside your environment rather than external? If you noticed the spam came from internal IPs or clients, just check who used them. :)

    Please remember to mark the replies as answers if they help. It will help other forum members to find the useful replies more easily, and inspire people to help each other.

    Monday, November 6, 2017 9:18 AM
    Owner
  • Guys, for example my domain is star.com.

    Everyone in my local domain can send email as any email address without authentication (belabela@star.com to all existing email addresses in star.com).

    I want to block sending email without authentication from my domain addresses to my domain addresses.

    Monday, November 6, 2017 12:50 PM
  • Then I understand your problem. In my organization, I implemented the solution to avoid such problems by using the Sender Filter agent and removing ms-Exch-SMTP-Accept-Any-Sender from anonymous users.

    ->Install Spam Agent on Exchange 2013 Mailbox Server
    ->Block our local domain:
    Set-SenderFilterConfig -BlockedDomains mydomain.com
    Set-SenderFilterConfig -InternalMailEnabled $true

    ->Remove ms-Exch-SMTP-Accept-Any-Sender for anonymous user on the Default Frontend EXSrv:
    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    ->Restart Frontend Transport service on CAS role.

    I was able to send email using a non-existent domain account, but could no longer do so after the above steps.

    Please remember to mark the replies as answers if they help. It will help other forum members to find the useful replies more easily, and inspire people to help each other.

    • Marked as answer by Sadegh7 Sunday, November 12, 2017 7:26 AM
    Tuesday, November 7, 2017 10:38 AM
    Owner
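An audit script added here as an example (not code from the thread, from Microsoft, or from the poster): it reports, read-only, which receive connectors still let NT AUTHORITY\Anonymous Logon present any sender address while accepting connections from every IP, and whether the Sender Filter configuration the answer describes covers each accepted domain. It assumes the Exchange 2013 Management Shell and only the cmdlets and extended-right names that appear in this thread; the function names are my own.

```powershell
# Added example, not code from the thread. Read-only audit, run in the Exchange
# Management Shell, of the two controls the accepted answer relies on.

$AnonymousUser    = "NT AUTHORITY\Anonymous Logon"
$AcceptAnySender  = "ms-Exch-SMTP-Accept-Any-Sender"
$AcceptAuthDomain = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$BypassAntiSpam   = "ms-Exch-Bypass-Anti-Spam"

function Get-AnonymousSenderRights {
    # One row per receive connector: which sender-related extended rights the
    # anonymous principal holds, and whether the connector accepts any remote IP.
    foreach ($rc in Get-ReceiveConnector) {
        $granted = @($rc | Get-ADPermission -User $AnonymousUser |
                     Where-Object { -not $_.Deny } |
                     ForEach-Object { $_.ExtendedRights } |
                     ForEach-Object { "$_" })
        $ranges    = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
        $openToAll = @($ranges | Where-Object {
                         $_ -eq "0.0.0.0-255.255.255.255" -or $_ -like "::-ffff:*" }).Count -gt 0
        $anonOn    = "$($rc.PermissionGroups)" -match "AnonymousUsers"

        [pscustomobject]@{
            Connector         = "$($rc.Identity)"
            AnonymousUsers    = $anonOn
            OpenToAllIPs      = $openToAll
            AcceptAnySender   = ($granted -contains $AcceptAnySender)
            AcceptAuthDomain  = ($granted -contains $AcceptAuthDomain)
            BypassAntiSpam    = ($granted -contains $BypassAntiSpam)
            # Any internal host can submit mail with an unauthenticated
            # @yourdomain From address only when all three of these hold.
            InternalSpoofRisk = $anonOn -and $openToAll -and ($granted -contains $AcceptAnySender)
        }
    }
}

function Test-SenderFilterCoversOwnDomains {
    # The accepted answer blocks the organisation's own domain with
    # Set-SenderFilterConfig -BlockedDomains and -InternalMailEnabled $true.
    # Confirm that is in place for every accepted domain.
    $agent   = Get-TransportAgent -Identity "Sender Filter Agent" -ErrorAction SilentlyContinue
    $cfg     = Get-SenderFilterConfig
    $blocked = @($cfg.BlockedDomains | ForEach-Object { "$_" }) +
               @($cfg.BlockedDomainsAndSubdomains | ForEach-Object { "$_" })
    foreach ($d in Get-AcceptedDomain) {
        $name = "$($d.DomainName)"
        [pscustomobject]@{
            AcceptedDomain      = $name
            AgentInstalled      = [bool]$agent   # $null until the anti-spam agents are installed
            AgentEnabled        = [bool]($agent -and $agent.Enabled)
            InternalMailEnabled = $cfg.InternalMailEnabled
            DomainBlocked       = ($blocked -contains $name)
            Covered             = [bool]($agent -and $agent.Enabled -and $cfg.Enabled -and
                                         $cfg.InternalMailEnabled -and ($blocked -contains $name))
        }
    }
}

Get-AnonymousSenderRights         | Format-Table -AutoSize
Test-SenderFilterCoversOwnDomains | Format-Table -AutoSize
```

The Default Frontend connector shows InternalSpoofRisk = True until the Accept-Any-Sender right is removed as in the answer; after that, any row with Covered = False tells you which accepted domain the Sender Filter would still let through.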
  • That solution stops unauthenticated senders from relaying but does it stop them from submitting mail to internal recipients?  That was the request, right?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, November 7, 2017 3:32 PM
    Moderator
  • Anonymous relay was not configured for this Default Frontend ExSrv receive connector.

    The way above stops the internal recipients from receiving such spam emails.

    Actually, unauthenticated senders can still submit mail, but the Sender Filter Agent will then block the sender, so such mail won't reach the recipients' mailboxes:

    In SMTP log:
    2017-11-08T01:52:00.126Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,46,192.168.2.55:25,192.168.2.54:62814,>,250 2.1.0 Sender OK,
    2017-11-08T01:52:00.126Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,47,192.168.2.55:25,192.168.2.54:62814,<,RCPT TO:<user@mydomain.com>,
    2017-11-08T01:52:00.126Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,48,192.168.2.55:25,192.168.2.54:62814,>,250 2.1.5 Recipient OK,
    2017-11-08T01:52:00.142Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,49,192.168.2.55:25,192.168.2.54:62814,<,DATA,
    2017-11-08T01:52:00.142Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,50,192.168.2.55:25,192.168.2.54:62814,>,354 Start mail input; end with <CRLF>.<CRLF>,
    2017-11-08T01:52:00.142Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,51,192.168.2.55:25,192.168.2.54:62814,*,,Proxy destination(s) obtained from OnProxyInboundMessage event
    2017-11-08T01:52:00.282Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,52,192.168.2.55:25,192.168.2.54:62814,*,Tarpit for '0.00:00:05' due to '554 5.1.0 Sender denied',
    2017-11-08T01:52:05.281Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,53,192.168.2.55:25,192.168.2.54:62814,>,554 5.1.0 Sender denied,

    In Agent log:
    2017-11-08T01:52:00.170Z,08D521C18B526C13,192.168.2.51:25,192.168.2.54:62814,192.168.2.54,,unknownl@mydomain.com,,,0,Sender Filter Agent,OnMailCommand,RejectCommand,554 5.1.0 Sender denied,DomainMatch,mydomain.com,,,,Undefined 


    Please remember to mark the replies as answers if they help. It will help other forum members to find the useful replies more easily, and inspire people to help each other.


    Wednesday, November 8, 2017 2:19 AM
    Owner
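A log-parsing helper added here as an example (not code from the thread or from Microsoft): it reads Exchange 2013 agent-log and protocol-log lines of the kind quoted in the reply above and reports which client IPs the Sender Filter agent rejected for a blocked domain, and on which receive connector the "554 5.1.0 Sender denied" response was issued, which is the "check the SMTP log to see which connector" step suggested earlier in the thread. The sample lines are constructed after the quoted ones, the column names are assumed from the "#Fields:" header of each log type, and the log paths in the comments are assumed defaults; the function names are my own.

```powershell
# Added example, not code from the thread. Summarises Sender Filter rejections
# (who is submitting spoofed @yourdomain mail) and the connector that denied them.
# Sample rows below are constructed after the lines quoted in the reply above.
# Real files (assumed default paths under $env:ExchangeInstallPath):
#   TransportRoles\Logs\FrontEnd\AgentLog\*.log
#   TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log

# Column names from the "#Fields:" header of each log type (assumption: compare
# with the header line of your own files before relying on these names).
$AgentLogHeader = ('Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,' +
                   'MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,' +
                   'Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics,' +
                   'NetworkMsgID,TenantID,Directionality') -split ','
$ProtocolLogHeader = ('date-time,connector-id,session-id,sequence-number,' +
                      'local-endpoint,remote-endpoint,event,data,context') -split ','

function Import-ExchangeLogLines {
    # Drop the #Software/#Version/#Fields comment lines and blank lines, then
    # read the remaining CSV rows with the supplied header.
    param([string[]]$Lines, [string[]]$Header)
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $Header
}

function Get-SenderFilterRejections {
    # One row per client IP whose MAIL FROM was rejected by the Sender Filter agent.
    param([string[]]$Lines)
    Import-ExchangeLogLines -Lines $Lines -Header $AgentLogHeader |
        Where-Object { $_.Agent -eq 'Sender Filter Agent' -and $_.Action -eq 'RejectCommand' } |
        Group-Object EnteredOrgFromIP | ForEach-Object {
            $times = @($_.Group.Timestamp | Sort-Object)
            [pscustomobject]@{
                ClientIP       = $_.Name
                Rejections     = $_.Count
                SpoofedSenders = (@($_.Group.P1FromAddress | Sort-Object -Unique) -join ', ')
                MatchedDomains = (@($_.Group.ReasonData | Sort-Object -Unique) -join ', ')
                FirstSeen      = $times[0]
                LastSeen       = $times[-1]
            }
        } | Sort-Object Rejections -Descending
}

function Get-DeniedSenderSessions {
    # Which receive connector and session returned "554 5.1.0 Sender denied".
    param([string[]]$Lines)
    Import-ExchangeLogLines -Lines $Lines -Header $ProtocolLogHeader |
        Where-Object { $_.event -eq '>' -and $_.data -like '554 5.1.0 Sender denied*' } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.'date-time'
                Connector = $_.'connector-id'
                Session   = $_.'session-id'
                RemoteIP  = ($_.'remote-endpoint' -split ':')[0]
            }
        }
}

# Constructed sample input: three agent-log rows, two protocol-log rows.
$agentLines = @(
  '2017-11-08T01:52:00.170Z,08D521C18B526C13,192.168.2.51:25,192.168.2.54:62814,192.168.2.54,,unknownl@mydomain.com,,,0,Sender Filter Agent,OnMailCommand,RejectCommand,554 5.1.0 Sender denied,DomainMatch,mydomain.com,,,,Undefined',
  '2017-11-08T01:53:10.004Z,08D521C18B526C14,192.168.2.51:25,192.168.2.54:62901,192.168.2.54,,helpdesk@mydomain.com,,,0,Sender Filter Agent,OnMailCommand,RejectCommand,554 5.1.0 Sender denied,DomainMatch,mydomain.com,,,,Undefined',
  '2017-11-08T01:55:42.311Z,08D521C18B526C19,192.168.2.51:25,192.168.2.77:50122,192.168.2.77,,alerts@mydomain.com,,,0,Sender Filter Agent,OnMailCommand,RejectCommand,554 5.1.0 Sender denied,DomainMatch,mydomain.com,,,,Undefined'
)
$protocolLines = @(
  '2017-11-08T01:52:00.126Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,46,192.168.2.55:25,192.168.2.54:62814,>,250 2.1.0 Sender OK,',
  '2017-11-08T01:52:05.281Z,E15CAS\Default Frontend E15CAS,08D525C24266ACE6,53,192.168.2.55:25,192.168.2.54:62814,>,554 5.1.0 Sender denied,'
)

Get-SenderFilterRejections -Lines $agentLines    | Format-Table -AutoSize
Get-DeniedSenderSessions   -Lines $protocolLines | Format-Table -AutoSize
```

On the sample rows the first table lists 192.168.2.54 with two rejections ahead of 192.168.2.77 with one, and the second shows the denial came from "E15CAS\Default Frontend E15CAS", which is exactly the connector this thread is about. A third host that legitimately needs to send unauthenticated, such as the monitoring apps discussed later in the thread, will show up here too until it gets its own scoped connector.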
  • This is the only solution I can think of to do that.

    1. Deploy an SMTP relay server in your DMZ and disallow access to it from internal systems.  An Exchange Edge role server would be a good choice for this.  Configure it to route inbound mail to the Exchange server.

    2.  Create a receive connector on your Exchange server that allows anonymous users access but only accepts mail (RemoteIPRanges) from the IP address of that relay server.

    3.  Change your MX record to point inbound mail to that server or change your NAT mapping so that inbound mail goes to the relay server.

    4.  Remove AnonymousUsers from the PermissionGroups of all other receive connectors on the Exchange server.

    If you choose to do this, you'll probably want to route your outbound mail through the relay server as well.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Wednesday, November 8, 2017 2:32 AM
    Moderator
  • First of all, thanks guys.

    Dear Jessie_Yuan,

    The SenderFilterConfig is configured and it works. How do I add exceptions for sender filtering? (I need it for apps that send email notifications (for example: SolarWinds, PRTG, ...).) Now my monitoring apps can't send email notifications.

    Wednesday, November 8, 2017 9:41 AM
  • You can configure a custom receive connector for the apps (if they have specific IP ranges), then bypass the Sender Filter agent by adding the permission "ms-exch-bypass-anti-spam":

    [PS] C:\windows\system32>Get-ReceiveConnector "connector name" | Add-ADPermission -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-exch-bypass-anti-spam

    Identity             User                 Deny  Inherited
    --------             ----                 ----  ---------
    Connector Name          NT AUTHORITY\ANON... False False



    Please remember to mark the replies as answers if they help. It will help other forum members to find the useful replies more easily, and inspire people to help each other.



    Wednesday, November 8, 2017 11:07 AM
    Owner
  • Thanks Guys.

    • Marked as answer by Sadegh7 Sunday, November 12, 2017 7:27 AM
    • Unmarked as answer by Sadegh7 Sunday, November 12, 2017 7:27 AM
    Sunday, November 12, 2017 7:27 AM