How to block source email address spoofs?

  • Question

  • Hi Guys/Girls,

    I have a quick question which I hope won't be too out there. We have an Exchange 2010 server which has email filtered by a 3rd party. Exchange 2010 can only receive email via the internet from this service. (Firewall rules block all other access.) Internally the server has a receive connector that only allows connectivity from inside addresses.

    What we are seeing is that someone is spoofing one of our domain addresses (probably grabbed it from our website) and sending emails to other staff members, i.e. joe@contoso.com appears to be the recipient when it is quite obvious that he isn't.

    Changing the receive connector to disable anonymous users in this case won't stop it, as our filter still lets it through (as the only source). So I was hoping I could somehow write a rule that would:

    • Block emails sent from something@contoso.com (our users connect to the mail server directly via VPN and will never send externally via the filter)

    Perhaps I'm looking at this the wrong way? Should I be attacking this problem differently?

    Sunday, July 10, 2016 10:38 PM

Answers

  • Hi,

    Agree with Ed. You can also check the related receive connectors on your Exchange server to see if the extended right “ms-exch-smtp-accept-any-sender” exists on them.

    ms-Exch-SMTP-Accept-Any-Sender : This permission allows the session to bypass the sender address spoofing check.

    You can use the following command to check:

    Get-ReceiveConnector "connector name" | Get-ADPermission | Select-Object User, ExtendedRights

    If it exists, we can use the following command to remove it:

    Get-ReceiveConnector "connector name" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Sender"

    Hope it helps.

    Best regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, July 12, 2016 3:08 AM
    Moderator
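
The check and removal from the answer above, extended to audit every receive connector at once. This is an added example, not part of the original thread; the script layout and the `-Principal`, `-Right` and `-Remove` parameters are assumptions, and it is meant to be saved as a script and run in the Exchange Management Shell.

```powershell
# Added example (not from the thread). Report-only unless -Remove is given.
# Written to stay compatible with the PowerShell 2.0 shell used by Exchange 2010.
param(
    [string]$Principal = 'NT AUTHORITY\ANONYMOUS LOGON',
    [string]$Right     = 'ms-Exch-SMTP-Accept-Any-Sender',
    [switch]$Remove
)

# Collect every allow-ACE that grants $Right to $Principal on any receive connector.
$findings = @(foreach ($connector in Get-ReceiveConnector) {
    Get-ADPermission -Identity $connector.Identity |
        Where-Object {
            -not $_.Deny -and
            "$($_.User)" -eq $Principal -and
            ($_.ExtendedRights | Where-Object { "$_" -eq $Right })
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Connector = $connector.Identity
                Bindings  = ($connector.Bindings -join ', ')
                User      = "$($_.User)"
                Right     = $Right
                Inherited = $_.IsInherited
            }
        }
})

if ($findings.Count -eq 0) {
    Write-Host "No receive connector grants $Right to $Principal."
    return
}

$findings | Select-Object Connector, Bindings, User, Right, Inherited | Format-Table -AutoSize

if ($Remove) {
    # Inherited entries cannot be removed at the connector object itself,
    # so only explicit grants are touched. Remove-ADPermission prompts per entry.
    foreach ($f in ($findings | Where-Object { -not $_.Inherited })) {
        Remove-ADPermission -Identity $f.Connector -User $Principal -ExtendedRights $Right
    }
}
```

Run it without `-Remove` first and review the table, since the connector that accepts mail from the third-party filter is the one that matters in the setup described in the question.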

All replies

  • The best way is with a third-party message hygiene server, appliance or cloud service.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Sunday, July 10, 2016 11:38 PM