One of the common complaints from users and many messaging folks is spam received from senders that appear to be from your own domain. SMTP mail is exchanged with anonymous Internet hosts without any authentication, so headers can be, and routinely are, spoofed. Rather than using an unregistered or invalid domain in the From: header, many spammers find it attractive to use an address from your domain: generally an invalid address or, worse, a perfectly valid one!
Messages that appear to be sent from your domain probably have a better shot at making it through some spam filters, and certainly have a higher chance of being opened by recipients in your domain, once they do make it to the Inbox.
Tackling spam that appears to be from your domain
Annoying as it is to receive spam purportedly from your own domain, Exchange 2010 and Exchange 2007 make it easy to tackle it. Here are some ways of stopping such spam:
- SenderID filter: You can use the SenderID filter to drop messages that return a FAIL result (from an SPF record lookup). Publish SPF records for your domains if you haven't already done so; the SenderID wizard on the Microsoft web site can create them for you. Use the mechanisms in the SPF record to explicitly designate the SMTP hosts authorized to send for your domain(s), so that anyone else sending with your domain produces a FAIL.
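As an added example (not from the original post), here are the two halves of this measure side by side: the SPF TXT record a domain would publish, and the Exchange Management Shell commands that switch the Sender ID filter from merely stamping a FAIL to rejecting it, followed by a test lookup. The domain name and IP addresses are placeholders, and the cmdlets run on the Edge or Hub Transport server where the Sender ID agent is enabled.

```powershell
# Added example, not from the original post. Domain and IP addresses are
# placeholders; replace them with your own values.

# 1. The SPF record published in public DNS as a TXT record at the zone apex.
#    Only the domain's MX hosts and the 203.0.113.0/24 range may send for it;
#    "-all" makes every other source a hard FAIL.
$spfRecord = 'v=spf1 mx ip4:203.0.113.0/24 -all'

# Confirm what is actually published before relying on the filter.
nslookup -q=TXT example.com

# 2. Sender ID filter on the transport server. The default action for a
#    spoofed (FAIL) result is StampStatus, which only adds a header the
#    content filter can weigh; Reject refuses the message at the SMTP level.
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction, BypassedSenderDomains
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -TempErrorAction StampStatus

# 3. Dry-run the lookup the agent performs for a connecting IP and the
#    purported responsible domain. An IP outside the record, claiming to
#    be your own domain, should come back with a Fail status.
Test-SenderId -IPAddress 198.51.100.25 -PurportedResponsibleDomain example.com
```

Leave TempErrorAction at StampStatus: a transient DNS failure is not evidence of spoofing, and rejecting on it would bounce legitimate mail whenever a resolver hiccups.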
- Transport permissions: Exchange Server 2010/2007 allow you to configure Receive Connectors to drop messages where the FROM address is from your own domain. You can remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender transport permission from anonymous senders. It’s a good idea to do this if you don’t expect any legitimate messages sent without authentication (with your domain in the From: header). This command configures a Receive Connector to reject such messages:
Remove-ADPermission -Identity "<ReceiveConnector Name>" -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Consider doing this only on the Receive Connector that receives inbound Internet mail. Certain (generally internal) senders such as copiers/scanners, application servers and other non-Exchange mail hosts may need to send with an address from your domain in the FROM header without authenticating. As discussed in "Exchange Server 2007: How To Allow Relaying", it is advisable to create an additional Receive Connector for such trusted/internal hosts.
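The following is an added example, not from the original post, showing the whole procedure in the Exchange Management Shell: inspect the right Anonymous Logon holds on the Internet-facing connector, remove it there only, and give the internal devices their own IP-scoped connector that keeps the default grant. The server name, connector names and device IP addresses are placeholders.

```powershell
# Added example, not from the original post. Server name, connector names
# and IP addresses are placeholders.
$server     = 'EXHUB01'
$internetRc = "$server\Internet Inbound"   # connector that accepts Internet mail

# Which extended rights does Anonymous Logon currently hold on the
# Internet-facing connector? The one that matters here is granted whenever
# AnonymousUsers is in the connector's PermissionGroups.
Get-ADPermission -Identity $internetRc -User 'NT AUTHORITY\Anonymous Logon' |
    Where-Object { $_.ExtendedRights -match 'Accept-Authoritative-Domain-Sender' } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# Remove the right on that connector only. An unauthenticated session that
# issues MAIL FROM with one of your accepted domains is then rejected with
# a 5.7.1 error instead of being accepted.
Remove-ADPermission -Identity $internetRc -User 'NT AUTHORITY\Anonymous Logon' `
    -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender -Confirm:$false

# Copiers, scanners and application servers that must still send as your
# domain without authenticating get a separate connector. Scoping it by
# RemoteIPRanges means the relaxed permission never applies to Internet hosts:
# Exchange picks the connector whose remote IP range matches most specifically.
New-ReceiveConnector -Server $server -Name 'Internal Devices' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '192.0.2.10', '192.0.2.11' `
    -PermissionGroups AnonymousUsers

# The new connector keeps the default grant, so the devices can still send.
Get-ADPermission -Identity "$server\Internal Devices" -User 'NT AUTHORITY\Anonymous Logon' |
    Where-Object { $_.ExtendedRights -match 'Accept-Authoritative-Domain-Sender' } |
    Format-Table Identity, ExtendedRights -AutoSize
```

Keep the RemoteIPRanges list on the internal connector as tight as possible; every address in it can put your domain in the From: header unchallenged, so a compromised device on that list is indistinguishable from a legitimate one.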
- Do not resolve anonymous senders: In addition to the above measures, it's advisable not to have resolution of anonymous senders enabled on Internet-facing Receive Connectors. Your users are likely to trust resolved senders (where the SMTP address is hidden and only the display name is visible) and click on links or attachments in such messages. See "A Late New Year's Resolution: Do Not Resolve Anonymous Senders" for details.