Unauthorized senders are able to send email

  • Question

  • Hi! We are on SBS 2011 running Exchange 2010 SP2. Over the weekend, we had a situation where a spammer successfully sent an email from an external location by using the email address of a real user in our company and connecting directly to our internet receive connector as a client to deliver the email. How do I seal up this security hole while still allowing our email server to receive emails from the internet?

     

    Below is the header and the exchange logs for the email.

     

    HEADER

    Received: from 5acd7870.bb.sky.com (90.205.120.112) by mx1.MYDOMAIN.local
     (192.168.25.101) with Microsoft SMTP Server id 14.2.247.3; Sun, 2 Mar 2014
     08:49:32 -0500
    Received: from (192.168.1.172) by nacha.org (90.205.120.112) with Microsoft
     SMTP Server id 8.0.685.24; Sun, 2 Mar 2014 13:49:28 +0000
    Message-ID: <53133283.802030@nacha.org>
    Date: Sun, 2 Mar 2014 13:49:28 +0000
    From: <mfish@MYDOMAIN.com>
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101103 Thunderbird/3.1.6
    MIME-Version: 1.0
    To: <jobs@MYDOMAIN.com>, <john@MYDOMAIN.com>, <julie@MYDOMAIN.com>,
     <kyle@MYDOMAIN.com>, <lara@MYDOMAIN.com>
    Subject: Can't solve special women's problems? Let us do it.
    Content-Type: multipart/alternative;
     boundary="------------09010700509030706050901"
    Return-Path: mfish@MYDOMAIN.com
    X-MS-Exchange-Organization-AuthSource: MX1.MYDOMAIN.local
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;509739200;0;info

     

    EXCHANGE LOG FOR THIS EMAIL:

    2014-03-02T13:49:32.138Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,1,192.168.25.101:25,90.205.120.112:62796,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2014-03-02T13:49:32.139Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,2,192.168.25.101:25,90.205.120.112:62796,>,"220 mx1.MYDOMAIN.local Microsoft ESMTP MAIL Service ready at Sun, 2 Mar 2014 08:49:31 -0500",
    2014-03-02T13:49:32.257Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,3,192.168.25.101:25,90.205.120.112:62796,<,EHLO 5acd7870.bb.sky.com,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,4,192.168.25.101:25,90.205.120.112:62796,>,250-mx1.MYDOMAIN.local Hello [90.205.120.112],
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,5,192.168.25.101:25,90.205.120.112:62796,>,250-SIZE 36577280,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,6,192.168.25.101:25,90.205.120.112:62796,>,250-PIPELINING,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,7,192.168.25.101:25,90.205.120.112:62796,>,250-DSN,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,8,192.168.25.101:25,90.205.120.112:62796,>,250-ENHANCEDSTATUSCODES,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,9,192.168.25.101:25,90.205.120.112:62796,>,250-STARTTLS,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,10,192.168.25.101:25,90.205.120.112:62796,>,250-X-ANONYMOUSTLS,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,11,192.168.25.101:25,90.205.120.112:62796,>,250-AUTH NTLM,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,12,192.168.25.101:25,90.205.120.112:62796,>,250-X-EXPS GSSAPI NTLM,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,13,192.168.25.101:25,90.205.120.112:62796,>,250-8BITMIME,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,14,192.168.25.101:25,90.205.120.112:62796,>,250-BINARYMIME,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,15,192.168.25.101:25,90.205.120.112:62796,>,250-CHUNKING,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,16,192.168.25.101:25,90.205.120.112:62796,>,250-XEXCH50,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,17,192.168.25.101:25,90.205.120.112:62796,>,250-XRDST,
    2014-03-02T13:49:32.258Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,18,192.168.25.101:25,90.205.120.112:62796,>,250 XSHADOW,
    2014-03-02T13:49:32.391Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,19,192.168.25.101:25,90.205.120.112:62796,<,MAIL FROM: <mfish@MYDOMAIN.com> BODY=7BIT,
    2014-03-02T13:49:32.392Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,20,192.168.25.101:25,90.205.120.112:62796,*,08D0F4B41F5AC845;2014-03-02T13:49:32.138Z;1,receiving message
    2014-03-02T13:49:32.392Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,21,192.168.25.101:25,90.205.120.112:62796,<,RCPT TO:<jobs@MYDOMAIN.com>,
    2014-03-02T13:49:32.426Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,22,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.0 Sender OK,
    2014-03-02T13:49:32.426Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,23,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.5 Recipient OK,
    2014-03-02T13:49:32.426Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,24,192.168.25.101:25,90.205.120.112:62796,<,RCPT TO:<john@MYDOMAIN.com>,
    2014-03-02T13:49:32.428Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,25,192.168.25.101:25,90.205.120.112:62796,<,RCPT TO:<julie@MYDOMAIN.com>,
    2014-03-02T13:49:32.437Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,26,192.168.25.101:25,90.205.120.112:62796,<,RCPT TO:<kyle@MYDOMAIN.com>,
    2014-03-02T13:49:32.439Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,27,192.168.25.101:25,90.205.120.112:62796,<,RCPT TO:<lara@MYDOMAIN.com>,
    2014-03-02T13:49:32.449Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,28,192.168.25.101:25,90.205.120.112:62796,<,DATA,
    2014-03-02T13:49:32.450Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,29,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.5 Recipient OK,
    2014-03-02T13:49:32.450Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,30,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.5 Recipient OK,
    2014-03-02T13:49:32.450Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,31,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.5 Recipient OK,
    2014-03-02T13:49:32.450Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,32,192.168.25.101:25,90.205.120.112:62796,>,250 2.1.5 Recipient OK,
    2014-03-02T13:49:32.450Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,33,192.168.25.101:25,90.205.120.112:62796,>,354 Start mail input; end with <CRLF>.<CRLF>,
    2014-03-02T13:49:34.832Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,34,192.168.25.101:25,90.205.120.112:62796,*,Tarpit for '0.00:00:02.305' due to 'DelayedAck',Delivered
    2014-03-02T13:49:34.832Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,35,192.168.25.101:25,90.205.120.112:62796,>,250 2.6.0 <53133283.802030@nacha.org> [InternalId=1676278] Queued mail for delivery,
    2014-03-02T13:49:34.951Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,36,192.168.25.101:25,90.205.120.112:62796,<,QUIT,
    2014-03-02T13:49:34.951Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,37,192.168.25.101:25,90.205.120.112:62796,>,221 2.0.0 Service closing transmission channel,
    2014-03-02T13:49:34.951Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,38,192.168.25.101:25,90.205.120.112:62796,-,,Local

    Monday, March 3, 2014 4:05 PM


All replies

  • What you are seeing is spoofed email.  In order to stop it, you can create a Transport Rule that blocks items from senders outside your organization that have the FROM address that matches your MYDOMAIN.COM domain.  Test this to be sure it works - also, if you have other systems (besides Exchange) that send email to your system, you will need to figure out how to trust those systems (or you can ensure they don't send with MYDOMAIN.COM addresses).
    Monday, March 3, 2014 4:31 PM
  • Hello! Are you sure that user's password was not compromised?

    Thank you

    Monday, March 3, 2014 4:34 PM
  • I'll make sure the user changes his password just to be sure.

    I don't see how to make a connector that restricts emails based on the "FROM" field in the email. 

    The Windows SBS Internet Receive connector has the following properties enabled:

    Authentication Tab - all authentication mechanisms are enabled except for "Externally Secured"

    Permission Groups - all boxes are checked except for "Partners"

    Should I uncheck all boxes on the Authentication Tab, and all boxes on the Permission Groups tab except for "Anonymous"? I do have a connector set up for authenticated external users to connect to....

    Thanks!


    • Edited by v2kmccl Monday, March 3, 2014 4:50 PM
    Monday, March 3, 2014 4:47 PM
  • Not a connector - a transport rule.  Go to Organization Configuration, then Hub Transport.  Here you will see "New Transport Rule" in the Actions pane (on the far right)
    Monday, March 3, 2014 4:50 PM
  • OK.  I realize you were speaking about a transport rule now.  In the Transport rule properties, I'm creating this setup.  Is this what you are talking about?

    Apply rule to messages

    from users that are 'Outside the organization'

    and when the From address contains 'MYDOMAIN.COM'

    send 'Bounced from Custom Transport rule' to sender with '5.7.1'

    Will this rule just apply to the Windows SBS Internet Receive connector or to all connectors?

    Thanks!

    Monday, March 3, 2014 5:16 PM
  • It will apply to all senders. Though I would be hesitant to use a rule for this that will generate NDRs back to spoofed senders.

    You really should be using an anti-spam product that will prevent spoofing at the gateway level and block the connection at the SMTP conversation level. Doesn't SBS already have anti-spam enabled?

    Monday, March 3, 2014 5:54 PM
    Moderator
  • Yes, we have Mail security from Symantec.  I will take this up with them to find out why these emails are slipping through.  Thanks!
    Monday, March 3, 2014 5:56 PM
  • Actually, in the transport rule, you will drop it and not send a response.  That would complete the setup so that you can ignore their messages and they don't know that their emails weren't being delivered.
    Monday, March 3, 2014 6:19 PM
  • Actually, in the transport rule, you will drop it and not send a response. That would complete the setup so that you can ignore their messages and they don't know that their emails weren't being delivered.

    But you are still accepting the message, so IMO, it's better to drop it at the gateway level. Just my 2 cents :)

    Monday, March 3, 2014 7:15 PM
    Moderator
  • Agreed, if their gateway will support it.  And as I'm sure you know, most will.  I was working from the information stated in the initial message, which didn't include gateway information.

    Tuesday, March 4, 2014 12:56 PM
  • Hi,

    Based on my research, the general resolution to stop the spoofed emails from our internal accounts is to remove a specific permission that allows anonymous senders to use your internal domain names in the Mail From section of an email:
    http://alanhardisty.wordpress.com/2010/03/08/prevent-spam-mail-from-your-own-domain-in-exchange-2007/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    However, it stops all emails to our server from an external computer and emails if we send them as one of our internal domain names.

    Thus, we can depend on the anti-spam product and keep it up to date.
    http://social.technet.microsoft.com/Forums/exchange/en-US/79ed7409-3a60-4c48-9e32-6fe4dc51bf96/internal-user-sending-phishingspoofed-email?forum=exchangesvradmin


    If you have any question, please feel free to let me know.
    Thanks,


    Angela Shi
    TechNet Community Support

    Friday, March 7, 2014 9:31 AM
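An added example, not from the thread or from Microsoft: a Python script that applies the diagnosis above to an Exchange receive-connector protocol log. It groups rows by session id and flags sessions that never authenticated yet issued MAIL FROM with one of the organization's own domains; such a MAIL FROM is accepted only because the connector's "Set Session Permissions" line grants anonymous clients SMTPAcceptAuthoritativeDomainSender (the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right that the linked article removes). The three rows for session 08D0F4B41F5AC845 are copied from the question's log; the two control sessions are constructed, and treating a "235" server reply as the marker of a successful AUTH is a simplifying assumption.

```python
import csv
import io
from collections import defaultdict

# Domains this Exchange organization is authoritative for (MYDOMAIN.com from the thread).
AUTHORITATIVE_DOMAINS = {"mydomain.com"}

# Constructed excerpt of a receive-connector protocol log. Session ...845 copies three rows of
# the anonymous spoofed session posted in the question; session ...999 (an authenticated
# submission) and session ...AAA (ordinary inbound mail from another domain) are invented controls.
SAMPLE_LOG = r"""2014-03-02T13:49:32.138Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,1,192.168.25.101:25,90.205.120.112:62796,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-03-02T13:49:32.257Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,3,192.168.25.101:25,90.205.120.112:62796,<,EHLO 5acd7870.bb.sky.com,
2014-03-02T13:49:32.391Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC845,19,192.168.25.101:25,90.205.120.112:62796,<,MAIL FROM: <mfish@MYDOMAIN.com> BODY=7BIT,
2014-03-02T14:10:01.000Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC999,4,192.168.25.101:25,203.0.113.7:50122,<,AUTH NTLM,
2014-03-02T14:10:01.200Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC999,7,192.168.25.101:25,203.0.113.7:50122,>,235 2.7.0 Authentication successful,
2014-03-02T14:10:01.300Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5AC999,8,192.168.25.101:25,203.0.113.7:50122,<,MAIL FROM:<john@MYDOMAIN.com>,
2014-03-02T14:12:00.000Z,MX1\Windows SBS Internet Receive MX1,08D0F4B41F5ACAAA,5,192.168.25.101:25,198.51.100.9:41000,<,MAIL FROM:<partner@example.org>,
"""

# Log columns: date-time, connector-id, session-id, sequence-number, local-endpoint,
# remote-endpoint, event (< client, > server, * info, - disconnect), data, context.
def parse_sessions(log_text):
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):   # csv handles the quoted 220 banner field
        if len(row) >= 9:
            sessions[row[2]].append({"remote": row[5], "event": row[6], "data": row[7], "context": row[8]})
    return sessions

def sender_domain(mail_from):
    """'MAIL FROM: <mfish@MYDOMAIN.com> BODY=7BIT' -> 'mydomain.com'"""
    addr = mail_from.split("<", 1)[1].split(">", 1)[0]
    return addr.rsplit("@", 1)[-1].lower()

def find_spoofed_sessions(log_text, domains=AUTHORITATIVE_DOMAINS):
    """Return one dict per session that never authenticated (assumption: no 235 reply) but sent
    MAIL FROM with one of our domains; anon_authoritative_right records whether the session's
    permissions included SMTPAcceptAuthoritativeDomainSender, the grant that lets this through."""
    hits = []
    for sid, rows in parse_sessions(log_text).items():
        authenticated = any(r["event"] == ">" and r["data"].startswith("235") for r in rows)
        perms = next((r["data"] for r in rows if r["context"] == "Set Session Permissions"), "")
        for r in rows:
            if r["event"] == "<" and r["data"].upper().startswith("MAIL FROM") and "<" in r["data"]:
                dom = sender_domain(r["data"])
                if not authenticated and dom in domains:
                    hits.append({"session": sid, "remote": r["remote"], "domain": dom,
                                 "anon_authoritative_right": "SMTPAcceptAuthoritativeDomainSender" in perms})
    return hits
```

Run against a real protocol log directory, a hit whose anon_authoritative_right is True is the signature of the permission the linked article removes; after that change, the same anonymous MAIL FROM is rejected at the SMTP conversation instead of being queued.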