HOW TO: Prevent annoying spam from your own domain

by Bharat Suneja on September 3, 2008

One of the more annoying types of spam is the one that seems to be coming from your own domain; or worse— from your own email address! Of course, users from your own domain don’t generally spam each other— unless you’re using one of the free web-based email services. And most of us don’t spam ourselves.

Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, SMTP (the protocol that mail clients and servers use to exchange email) allows headers to be spoofed easily: nothing in the protocol itself verifies that the sender address a client presents is one it is entitled to use.

In Exchange Server 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain (e12labs.com in this example) exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL FROM (envelope) or From (message) headers.

You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.

Thanks to the extensive Transport Permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission, which dictates whether an Accepted Domain can be used in the MAIL FROM or From headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.

Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):

Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:

220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:jadams@e12labs.com
550 5.7.1 Client does not have permissions to send as this sender

Exchange blocked spoofing of the P1 (envelope) sender. Let’s continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) instead; maybe that’ll work!

mail from:someone@someotherdomain.com
250 2.1.0 Sender OK
rcpt to:jadams@e12labs.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
from:jadams@e12labs.com
subject: Header spoofing

This is how we spoof headers, spoof headers.

.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel

As you can see, removing the ms-exch-smtp-accept-authoritative-domain-sender permission stops spoofing of your domains in both envelope (P1) and message (P2) headers.
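The one-liner above targets a single, named connector. As an added example (not from the original post), the script below first audits every Receive Connector in the organization for this right, so you can see which connectors still let anonymous senders use your Accepted Domains before touching anything, then removes the right from the internet-facing connector and keeps the reverse command handy for rollback. It assumes an Exchange Management Shell session; the connector name "EXCH01\Internet Receive Connector" is a placeholder.

```powershell
# Added example, not the original post's command. Assumes the Exchange Management Shell.
$right = "ms-exch-smtp-accept-authoritative-domain-sender"
$anon  = "NT AUTHORITY\Anonymous Logon"

# 1. Audit: list every Receive Connector on which Anonymous Logon still holds the right.
#    Only connectors that include the AnonymousUsers permission group can have it.
function Get-AnonymousSpoofableConnector {
    Get-ReceiveConnector |
        Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
        ForEach-Object {
            $conn = $_
            $hit = $conn | Get-ADPermission -User $anon |
                   Where-Object { $_.ExtendedRights -like $right }
            if ($hit) { $conn }   # emit the connector, not the ACE, for the report
        }
}

Get-AnonymousSpoofableConnector | Select-Object Identity, Bindings, RemoteIPRanges

# 2. Remove the right from the internet-facing connector only (placeholder name).
#    -Confirm:$false suppresses the per-ACE prompt the Remove cmdlet shows by default.
$internet = "EXCH01\Internet Receive Connector"
Get-ReceiveConnector $internet |
    Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -Confirm:$false

# 3. Re-run the audit: the internet-facing connector should no longer be listed.
Get-AnonymousSpoofableConnector | Select-Object Identity

# Rollback, if a trusted sender that relays anonymously turns out to use this connector:
# Get-ReceiveConnector $internet | Add-ADPermission -User $anon -ExtendedRights $right
```

Run step 1 on its own first: connectors reserved for authenticated POP3/IMAP4 clients will not appear (no AnonymousUsers group), while the default connector and any custom internal-relay connector will, which is the list you need to decide on before removing anything.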

When not to remove the permission?
Is there a scenario where one should not remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon? Yes: on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication, since those hosts need to send as addresses in your Accepted Domains.

But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?
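As an added example (not from the original post) of what that separate connector looks like, the commands below create a Receive Connector scoped to the IP addresses of the trusted hosts and confirm that Anonymous Logon keeps the ms-exch-smtp-accept-authoritative-domain-sender right there. Exchange hands a session to the connector whose RemoteIPRanges match the sending host most specifically, so these hosts land on the new connector rather than on the internet-facing one. The server name, connector name and IP ranges are placeholders.

```powershell
# Added example, not the original post's configuration. Assumes the Exchange Management Shell.
$server  = "EXCH01"                              # placeholder Hub Transport server
$trusted = @("10.10.5.20", "10.10.7.0/24")       # placeholder: a scanner and an app-server subnet

# A Custom connector for unauthenticated submissions from known internal hosts only.
# Binding 0.0.0.0:25 overlaps the default connector; the narrower RemoteIPRanges wins.
New-ReceiveConnector -Name "Trusted Internal Relay" -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $trusted `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Granting the AnonymousUsers group assigns the accept-authoritative-domain-sender right
# to Anonymous Logon on this connector; verify rather than assume.
$right = "ms-exch-smtp-accept-authoritative-domain-sender"
Get-ReceiveConnector "$server\Trusted Internal Relay" |
    Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" |
    Where-Object { $_.ExtendedRights -like $right } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# Sanity check that the scoping is as tight as intended: every address in RemoteIPRanges
# should be one you administer. A 0.0.0.0-255.255.255.255 range here would turn the
# connector into the open relay path you just closed.
(Get-ReceiveConnector "$server\Trusted Internal Relay").RemoteIPRanges
```

Keep the RemoteIPRanges list to individual hosts or small subnets; the whole point of the split is that the internet-facing connector (where the right has been removed) handles everything else.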


1 Oren Novotny September 4, 2008 at 4:52 am

One problem with this — two major sites, Expedia and PayPal, send out emails with the user’s email as the sender.

So travel itineraries and paypal subscription payments get bounced since they’re trying to send email to you as you.

I’ve tried to contact their support dept’s as they really shouldn’t be doing that, but they haven’t changed/fixed it yet.

So, your users will lose emails from those sites with this config :/


2 Bharat Suneja September 4, 2008 at 7:51 am

Such messages would also run into issues with technologies like SenderID/SPF.


3 Oren Novotny September 4, 2008 at 6:05 pm

Yes, they would/do… but unless some major site (hotmail/gmail/yahoo) starts enforcing those, then PayPal, Expedia and who knows who else will keep ignoring it.

Users will scream if their travel itineraries bounce though even if the SenderID/SPF fails.


4 AlbertWT December 17, 2008 at 5:29 pm

Bharat,

I’ve got a “smarthost”, which is a SunSPARC 5 Solaris box acting as the email relay to my (HT-CAS-MBX) server, so if this device stops, all email stops as well.

Does that mean I should not implement this method?

Thanks for all your postings.


5 Bharat Suneja December 17, 2008 at 5:58 pm

@Albert: If the non-Exchange/external SMTP host configured as a smarthost on a SendConnector is unavailable, outbound mail will queue on your Hub Transport server.

If the server is also the target of MX record(s) for your domain(s), inbound internet mail will not be delivered by remote SMTP hosts. (Most mail servers will queue mail for a preconfigured period, ~2 days, before returning an NDR to the sender.)

Mitigation: You can add additional smarthosts – either from within your organization, or those belonging to your ISP/service provider. When multiple smarthosts are added to the same SendConnector, they’re load-balanced.

If using a separate Send Connector with a different smarthost as a “backup”, you will need to monitor the queues and disable the “primary” Send Connector to have Exchange 2007 switchover to the second Connector. For inbound internet mail, this can be achieved using additional MX record(s) with a higher preference pointing to the additional smarthost(s).


6 The Other Dave G January 28, 2009 at 12:17 pm

Thank you Bharat, this will hopefully do the trick on our E2k7 server as well. One question though, how would one accomplish the same task in E2k3? I have several clients running SBS 2003 and this is a big problem. Unfortunately, Antigen/Forefront does a poor job of handling this.


7 NLS February 25, 2009 at 2:35 am

Can someone please, please let us know how we do the exact opposite, i.e. RE-ADD that AD permission?

I just want to have this option in case something goes wrong.


8 NLS February 25, 2009 at 2:52 am

Well scrap my previous comment. I found how to re-add the property.

My issue is different now.
I have an Exchange internally (that indeed has two receive connectors, one secured (port 587) and one unsecured (port 25)) and an Exchange Edge that only has an unsecured receive connector.

I don’t think there is any permission for the anonymous user on the Edge. So where do I run this command? On which of the two servers?

Can someone help?


9 MaxRnd March 25, 2009 at 6:20 am

Such spam is effectively blocked by a properly configured SPF record for your own domain.

Regards,
Maksim


10 murph April 14, 2009 at 9:22 am

@NLS

So how do you re-add the property?


11 Bharat Suneja April 14, 2009 at 9:30 am

@NLS: Receive Connectors on Edge Transport servers have the same permissions model, and permissions for Anonymous Logon.


12 Anonymous May 15, 2009 at 11:51 am

How do you undo this? I am concerned about executing any command that I don’t know how to undo.


13 Christian Haberl May 23, 2009 at 3:52 am

“But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?”
How do I set up a separate Receive connector for internal/trusted SMTP hosts that send anonymously?
If they don’t authenticate, wouldn’t they automatically get sent to the “Default SERVERNAME” Receive Connector?


14 Bharat Suneja May 23, 2009 at 2:49 pm

@Anonymous May 15: Use Add-ADPermission to add the permission for Anonymous Logon.

@Christian: Exchange Server 2007: How To Allow Relaying


15 Anonymous October 19, 2009 at 1:34 pm

How do you stop the bounce messages that result?

An external source sends an email to me as me and it’s rejected (bounced). Guess who gets the bounce for the spam he didn’t send or see?


16 Nonapeptide November 24, 2009 at 11:03 am

Great information! IMO, wouldn't it be acceptable to require all receive connectors to require authentication? Is there any device these days that needs to send email that can't authenticate against an outgoing mail server?

My concern is that without authentication, doesn't that mean that any device that is within my network and thus using an internal receive connector has the potential to forge email addresses? That's not good, what with the potential for rogue devices to be added to the network in spite of best efforts to provide a sanitized and protected internal network.


17 Sjoerd March 23, 2010 at 3:39 am

Good article!

Is it possible to allow one (or more) external IPs to spoof using this server?
I have an (externally hosted) web server which I would like to allow to “spoof” mail to my end users.


18 Graig March 25, 2011 at 2:16 am

Hello,
What command would allow me to roll the action back?
Would the below command do:
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Add-ADPermission

Many thanks and very good article btw!
Graig


19 Matthew April 6, 2011 at 7:25 am

For any of you out there who are wondering how to disable this:

Get-ReceiveConnector "Name of your RCV connector" | Add-ADPermission -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"


20 Ludwig July 30, 2011 at 3:12 pm

Hello everybody,

I successfully executed the above command on my Exchange Server 2010. I was asked if I really wanted to remove the permission, etc. etc. etc.

But after restarting the machine, it is still possible to send mails from and to internal domain users without authentication.

What did I do wrong?

Thanks for your help


21 Bharat Suneja July 30, 2011 at 3:46 pm

What permissions does Anonymous have and what are the authentication settings on the Receive Connector?


22 bonsoft.cn November 15, 2011 at 11:36 pm

: host gmail-smtp-in.l.google.com[74.125.53.27] said:
550-5.7.1 [218.240.43.121 1] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. d4si34043756pbq.210
