none
Distribution List and Spoofing

    Question

  • I have come across a lot of companies using Exchange distribution list when multiple companies need to collaborate by adding external users to contact and then to the distribution list.

    The issue is that when external contact send emails to the distribution list, it will be re-sent as that user by the outside company's email server and will be marked as spoofed email by most spam filters.  White listing would allow that external server to send spoofed emails unblocked and unchecked which is not very good for today's environment.

    Any way for Exchange to 1) copy the FROM to CC and 2) re-write the FROM as the distribution group's email address.  I've been informed that some linux system can do this to prevent the spoofing issue.

    Besides this,

    Don't use distribution list so manually add like 5 to 30+ email address in the TO fields (not practical)

    White list the sending server (bad practice, red flag)

    Thursday, October 5, 2017 9:24 PM

All replies

  • Hi

    If you have created a contact for external user and added it to the Distribution List. Check what are the email addresses of the Distribution list. If the contact's email address domain is not in the email addresses of the Distribution group and also not a part of your accepted domains, these emails will be considered inbound and will not get blocked as spoof.

    let me know if there is any doubt or if i understand otherwise


    Thanks & Regards Ramandeep Singh


    Friday, October 6, 2017 2:50 AM
  • Example:

    distribution list = news@mydomain.com (mydomain.com is the accepted primary domain hosted by Exchange)

    users =

    joe@mydomain.com

    fred@mydomain.com

    sandy@newdomain.com

    julie@newdomain.com

    Joe & fred send email to News just fine.

    If Julie send email to News, Sandy will receive email as spoofed since received email is from Mydomain.com but the from address appears as "julie@newdomain.com (news@mydomain.com)

    Our email filter checks all incoming emails on all from fields for newdomain.com using regex so these are getting trapped.

    Tuesday, October 10, 2017 10:59 PM
  • Thanks for your information

    Most likely because the email is coming from a domain it doesn't recognize as being able to send from your IP address. It is seeing the From address of the original sender and believes your server is spoofing it.

    Not really a lot you can do about it. Rewrite the headers so that the email comes from the group would be about the only option, but then replying to the email will be difficult.

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 16, 2017 6:01 AM
    Moderator
  • Hi,

    I am currently standing by for further update from you and would like to know how things are going. Please check if the reply helps you, if it helps please help to mark as answer.

    Thanks for your time.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 1, 2017 9:29 AM
    Moderator
  • Why would replying to the email be difficult? He listed the CC as one option, but in a distribution list, especially one set up as a discussion list, by default you WANT all the communications to go to all the members. Why wouldn't we want that as an option at least?

    Is there a PowerShell command to change the send from an address on a distribution list, or even Office 365 group? 

     Thanks!

    --Shawn

    Tuesday, May 22, 2018 6:22 PM
  • Hi Shawn,

    have a look at SetFrom tool.


    Exchange and Outlook utilities at
    https://www.ivasoft.com

    Tuesday, June 5, 2018 9:41 AM