How to prevent spam from authenticated users?

    Question

  • Hi guys, I'm having some issues lately with users getting their smartphones infected and sending a lot of spam to external addresses via our Exchange system. This leads to blacklisting and mass hysteria... Our antispam system (FortiMail) doesn't have a submission rate control, and MS applies the native one only to SMTP submission, it seems.

    What do you do to prevent that kind of trouble? I cannot control users' devices; we let them use their own.

    PS

    Lowering the recipient rate could help but could backfire (prevent legit emails), while spam software could easily send more emails with fewer recipients to avoid being blocked.

    Bye, Dario


    Dario Palermo


    • Edited by Dario Palermo Monday, March 18, 2019 9:42 PM missed the ? in the question
    Monday, March 18, 2019 9:41 PM
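    The question asks for flow control on mail that is already authenticated, and the PS notes that a per-recipient limit alone is easy to dodge by sending more messages with fewer recipients each. The block below is an added example, not code from this thread, from Microsoft or from FortiMail: a detection pass a defender can run over Exchange message tracking logs to flag a sender whose mailbox submissions fan out to external recipients faster than policy allows. It assumes a reduced set of tracking-log columns (the real files carry more, but the parser reads the `#Fields:` header rather than hard-coding positions), that mailbox submissions from ActiveSync or Outlook on the web show up as source STOREDRIVER with event SUBMIT, an internal-domain list and thresholds that are placeholders, and constructed sample rows. It counts both messages and external recipients per sliding window, so splitting the same spam into many single-recipient messages still trips the check.

```python
"""
Added example (not from the thread): sliding-window burst detection for
outbound mail from authenticated senders, fed with Exchange-style message
tracking log lines. The sample below is constructed; its field set is a
reduced version of the real "#Fields:" header, and the parser adapts to
whatever header is present instead of assuming fixed columns.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice sends normal mail, mallory fans out to many
# external recipients in two minutes, trent sends many small messages.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,source,event-id,recipient-address,recipient-count,sender-address
2019-03-18T20:00:01.000Z,10.0.0.5,STOREDRIVER,SUBMIT,bob@example.com,1,alice@corp.example
2019-03-18T20:00:10.000Z,203.0.113.7,STOREDRIVER,SUBMIT,a1@example.net;a2@example.net;a3@example.net,3,mallory@corp.example
2019-03-18T20:00:40.000Z,203.0.113.7,STOREDRIVER,SUBMIT,b1@example.org;b2@example.org,2,mallory@corp.example
2019-03-18T20:01:30.000Z,203.0.113.7,STOREDRIVER,SUBMIT,c1@example.net,1,mallory@corp.example
2019-03-18T20:01:45.000Z,203.0.113.7,STOREDRIVER,SUBMIT,c2@example.net;c3@example.net,2,mallory@corp.example
2019-03-18T20:30:00.000Z,10.0.0.5,STOREDRIVER,SUBMIT,carol@corp.example,1,alice@corp.example
2019-03-18T20:31:00.000Z,10.0.0.9,SMTP,RECEIVE,alice@corp.example,1,someone@example.com
2019-03-18T21:00:00.000Z,198.51.100.3,STOREDRIVER,SUBMIT,d1@example.com,1,trent@corp.example
2019-03-18T21:00:05.000Z,198.51.100.3,STOREDRIVER,SUBMIT,d2@example.com,1,trent@corp.example
2019-03-18T21:00:12.000Z,198.51.100.3,STOREDRIVER,SUBMIT,d3@example.com,1,trent@corp.example
2019-03-18T21:00:20.000Z,198.51.100.3,STOREDRIVER,SUBMIT,d4@example.com,1,trent@corp.example
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own domains


def parse_tracking_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue  # other '#' lines are file metadata
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def is_external(address, internal_domains):
    """True when the recipient domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_bursts(text, internal_domains, window=timedelta(minutes=5),
                max_messages=3, max_recipients=5):
    """Per-sender sliding window over mailbox submissions (STOREDRIVER/SUBMIT).

    Both the message count and the external-recipient count are checked, so a
    sender who splits spam into many small messages trips max_messages while
    one who uses a few large fan-outs trips max_recipients. Thresholds are
    placeholders to be tuned against a real baseline.
    """
    events = defaultdict(list)
    for row in parse_tracking_log(text):
        if row.get("source") != "STOREDRIVER" or row.get("event-id") != "SUBMIT":
            continue
        ts = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rcpts = [r for r in row["recipient-address"].split(";")
                 if r and is_external(r, internal_domains)]
        if rcpts:
            events[row["sender-address"].lower()].append((ts, len(rcpts)))

    alerts = {}
    for sender, evs in events.items():
        evs.sort()
        win = deque()
        rcpt_sum = 0
        for ts, n in evs:
            win.append((ts, n))
            rcpt_sum += n
            while win and ts - win[0][0] > window:   # drop events outside the window
                rcpt_sum -= win.popleft()[1]
            if len(win) > max_messages or rcpt_sum > max_recipients:
                # report the first window that crosses a threshold, as a
                # real-time monitor would fire on it
                alerts[sender] = {"messages": len(win),
                                  "external_recipients": rcpt_sum,
                                  "window_end": ts}
                break
    return alerts


if __name__ == "__main__":
    for sender, info in find_bursts(SAMPLE_LOG, INTERNAL_DOMAINS).items():
        print(f"{sender}: {info['messages']} msgs / {info['external_recipients']} "
              f"external rcpts by {info['window_end']:%H:%M:%S}")
```

    On the sample, alice is quiet, mallory trips the recipient limit (6 external recipients across 3 messages) and trent trips the message limit (4 single-recipient messages in 20 seconds). Fed with real exported tracking logs, the alert dictionary is the trigger for whatever response is available (a ticket, a password reset, a device block), which is the enforcement side the thread says on-premises Exchange does not offer natively for mailbox submissions.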

Answers

  • Hi Dario,

    Thanks for your update.

    Yes, I know that SPF is not relevant to your situation. I just want to clarify that on-premises Exchange uses those records to detect outbound messages, but they can't totally prevent spam. To address your issue, you might need a more elegant antispam solution.

    Regards,

    Dawn Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Marked as answer by Dario Palermo Monday, April 8, 2019 3:16 PM
    Monday, April 8, 2019 9:46 AM
    Moderator

All replies

  • Hi Dario,

    As per my experience, it is difficult to avoid spoofing completely. However, you can try the following methods to alleviate the issue.

    1. Add an SPF record with the list of IP addresses which are authorized to send emails from a domain. Or use a dedicated receive connector that limits the IP range to your LAN network. For a step-by-step walkthrough, you can refer to How to prevent internal email spoofing in an Exchange organization

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.

    2. Add DKIM and DMARC records. There is a chance that the authorized servers on the SPF list can be compromised and spoofed messages can be sent. DKIM is a process through which the recipient domain can validate and ensure that the messages originated from the actual domain sender and were not spoofed messages.


    Regards,

    Dawn Zhou



    Tuesday, March 19, 2019 7:54 AM
    Moderator
  • That's not my case... the spam emails are not spoofed because they are sent from the legitimate clients via the valid user account. Even worse, the sending devices are users' smartphones and not the company's workstations (that have an endpoint control suite and such on them).

    Bye


    Dario Palermo

    Tuesday, March 19, 2019 8:30 AM
  • Hi Dario,

    Well. If the spam is coming from an infected device, I'd remove the mailbox account from the device, disconnect the device from the network, change the account password in AD, wipe all contents and settings on the device and reinstall it from scratch. Moreover, I might also change the firewall passes.

    Regards,

    Dawn Zhou



    Sunday, March 24, 2019 2:52 PM
    Moderator
  • Hi Dawn, thank you for your reply. Your suggestions are all about remediation and not prevention. And some of them I cannot even apply (personal smartphones are not in my management domain so I can only do some of the actions you suggested).

    PS

    Why should I change the firewall passes (passwords?)? They send spam from outside my company network, via public connections to our public-exposed exchange server, using activesync or Outlook on the web.

    bye


    Dario Palermo

    Sunday, March 24, 2019 4:35 PM
  • If this is about prevention then you need to be able to control their mobile devices, otherwise everything you are asking for is remediation. How do the mobile devices become infected?

    Sunday, March 24, 2019 4:46 PM
  • From my perspective, it's prevention. I need to prevent the spam from being accepted by my server and subsequently sent out (mainly) to external recipients.

    I could have infected users or also deliberately spamming users; that doesn't matter in the end. I would like to control the mail flow even when its source is authenticated.

    Ps

    I cannot tell how their smartphones became infected; it's their personal devices we're talking about.

    Bye


    Dario Palermo

    Monday, March 25, 2019 8:19 AM
  • Hi Dario,

    As you said, the issue is caused by infected mobile devices, and these messages are sent from legitimate clients and valid accounts. Hence, the effective prevention is to prevent the mobile device from being infected.

    Regards,

    Dawn Zhou



    Thursday, March 28, 2019 4:34 PM
    Moderator
  • Hi Dawn,

    that's your opinion and a very limiting (and very often inapplicable) solution. Every free or paid mail provider has its own outgoing mail detection systems (for their legitimate and authenticated users) to prevent being a spam source. Outlook 365 has them, Exchange hasn't. Another subtle push from Microsoft towards its cloud services, probably...

    I'll look into third party antispam solutions (other than the one I've already got today), anyway.

    Bye


    Dario Palermo

    Thursday, March 28, 2019 5:29 PM
  • Hi Dario,

    For Exchange on-premises, SPF and DMARC records can detect the spam source to a certain degree. They are a part of the Exchange antispam. You can create SPF and DMARC records, or use a third-party solution for antispam.

    Sender ID

    Regards,

    Dawn Zhou



    Wednesday, April 3, 2019 2:00 AM
    Moderator
  • Hi Dawn

    both SPF and DMARC are irrelevant in this case as the spam travels through our legitimate Exchange servers: the DMARC signature is applied and the SPF record matches.

    Probably the only solution is the third-party antispam, but the lack of basic flow control in Exchange is astonishing.

    Bye


    Dario Palermo

    Wednesday, April 3, 2019 8:33 AM
  • Hi Dario,

    Thanks for your update.

    Yes, I know that SPF is not relevant to your situation. I just want to clarify that on-premises Exchange uses those records to detect outbound messages, but they can't totally prevent spam. To address your issue, you might need a more elegant antispam solution.

    Regards,

    Dawn Zhou



    • Marked as answer by Dario Palermo Monday, April 8, 2019 3:16 PM
    Monday, April 8, 2019 9:46 AM
    Moderator
  • SPF is a DNS based solution, totally independent from the mail server software, just to be precise.

    Anyway, thanks for the time; it's always nice to receive support or advice even when the problem does not get solved.

    I'll mark your latest as answer to this.

    Bye


    Dario Palermo

    Monday, April 8, 2019 3:16 PM