HOW TO: Prevent annoying spam from your own domain

by Bharat Suneja

One of the more annoying types of spam is the one that seems to be coming from your own domain; or worse— from your own email address! Of course, users from your own domain don’t generally spam each other— unless you’re using one of the free web-based email services. And most of us don’t spam ourselves.

Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, SMTP— the protocol that allows mail clients and servers to exchange email, allows headers to be spoofed easily.

In Exchange Server 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain – e12labs.com in this example, exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL or FROM headers.

You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.

Thanks to the extensive Transport Permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission which dictates whether an Accepted Domain can be used in the MAIL or FROM headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.

Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):

Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:

220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:[email protected]
550 5.7.1 Client does not have permissions to send as this sender

Exchange stopped spoofing of P1/envelope headers. Let’s continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) — maybe that’ll work!

mail from:[email protected]
250 2.1.0 Sender OK
rcpt to:[email protected]
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
from:[email protected]
subject: Header spoofing

This is how we spoof headers, spoof headers.

.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel

As you can see, removing the ms-exch-smtp-accept-authoritative-domain-sender permission stops spoofing of your domains in both envelope (P1) and message (P2) headers.

When not to remove the permission?
Is there a scenario where one should not remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon? Yes, on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication.

But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?

Related posts:

{ 34 comments… read them below or add one }

Oren Novotny September 4, 2008 at 4:52 am

One problem with this — two major sites, Expedia and PayPal, send out emails with the user’s email as the sender.

So travel itineraries and paypal subscription payments get bounced since they’re trying to send email to you as you.

I’ve tried to contact their support dept’s as they really shouldn’t be doing that, but they haven’t changed/fixed it yet.

So, your users will lose emails from those sites with this config :/

Reply

Bharat Suneja September 4, 2008 at 7:51 am

Such messages would also run into issues with technologies like SenderID/SPF.

Reply

Oren Novotny September 4, 2008 at 6:05 pm

Yes, they would/do….but unless some major site (hotmail/gmail/yahoo) starts enforcing those, then PayPal, Expedia and who knows who else will keep ignoring it.

Users will scream if their travel itineraries bounce though even if the SenderID/SPF fails.

Reply

AlbertWT December 17, 2008 at 5:29 pm

Bharat,

I’ve got a “smarthost” which is SunSPARC 5 solaris box acting as the email relay to my (HT-CAS-MBX server) so if this device stop, the whole email stopped also.

does that means i should not implement this method ?

thanks for all your posting.

Reply

Bharat Suneja December 17, 2008 at 5:58 pm

@Albert: If the non-Exchange/external SMTP host configured as a smarthost on a SendConnector is unavailable, outbound mail will queue on your Hub Transport server.

If the server is also the target of MX record(s) for your domain(s), inbound internet mail will not be delivered by remote SMTP hosts. (Most mail servers will queue mail for a preconfigured period – ~2 days – before returning a NDR to the sender).

Mitigation: You can add additional smarthosts – either from within your organization, or those belonging to your ISP/service provider. When multiple smarthosts are added to the same SendConnector, they’re load-balanced.

If using a separate Send Connector with a different smarthost as a “backup”, you will need to monitor the queues and disable the “primary” Send Connector to have Exchange 2007 switchover to the second Connector. For inbound internet mail, this can be achieved using additional MX record(s) with a higher preference pointing to the additional smarthost(s).

Reply

The Other Dave G January 28, 2009 at 12:17 pm

Thank you Bharat, this will hopefully do the trick on our E2k7 server as well. One question though, how would one accomplish the same task in E2k3? I have several clients running SBS 2003 and this is a big problem. Unfortunately, Antigen/Forefront does a poor job of handling this.

Reply

NLS February 25, 2009 at 2:35 am

Can someone please please les us know how do we do the exact opposite? i.e. READD that AD permission.

I just want to have this option in case something goes wrong.

Reply

NLS February 25, 2009 at 2:52 am

Well scrap my previous comment. I found how to re-add the property.

My issue is different now.
I have an exchange internally (that indeed has two receive connectors, one secured (port 587) and one unsecured (port 25) and an exchange edge, that only has an unsecured receive connector.

I don’t think there is any permission for anonymous user on the edge. So where do I send this command? Which of the two servers?

Can someone help?

Reply

MaxRnd March 25, 2009 at 6:20 am

Such spam effectively blocked by properly configured SPF for own domain.

Regards,
Maksim

Reply

murph April 14, 2009 at 9:22 am

@NLS

So how do you re-add the property?

Reply

Bharat Suneja April 14, 2009 at 9:30 am

@NLS: Recieve Connectors on Edge Transport servers have the same permissions model, and permissions for Anymous Logon.

Reply

Anonymous May 15, 2009 at 11:51 am

How do you undo this? I am concerned about executing any command that i don’t know how to undo.

Reply

Christian Haberl May 23, 2009 at 3:52 am

“But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?”
How do I set up a separate Receive connector for internal/trusted SMTP hosts that send anonymously?
If they don’t authenticate, wouldn’t they automatically get sent to the “Default SERVERNAME” Receive Connector?

Reply

Bharat Suneja May 23, 2009 at 2:49 pm

@Anonymous May 15: Use Add-ADPermission to add the permission for Anonymous Logon.

@Christian: Exchange Server 2007: How To Allow Relaying

Reply

Anonymous October 19, 2009 at 1:34 pm

How do you stop the bounce messages that result ?

An external source send an email to me as me and its rejected ( bounced ) guess who gets the bounce from the spam he didn't send or see ?

Reply

Nonapeptide November 24, 2009 at 11:03 am

Great information! IMO, wouldn't it be acceptable to require all receive connectors to require authentication? Is there any device these days that needs to send email that can't authenticate against an outgoing mail server?

My concern is that without authentication, doesn't that mean that any device that is within my network and thus using an internal receive connector has the potential to forge email addresses? That's not good, what with the potential for rogue devices to be added to the network in spite of best efforts to provide a sanitized and protected internal network.

Reply

Sjoerd March 23, 2010 at 3:39 am

Good article!

Is it possible to allow one (or more) external IP’s to spoof using this server?
I have an (externally hosted) web server witch I would like to allow to “spoofs” mail to my end users.

Reply

Graig March 25, 2011 at 2:16 am

Hello,
What command would allow me to roll the action back?
Would the below command do:
Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | ADD-ADPermission

Many thanks and very good article btw!
Graig

Reply

Matthew April 6, 2011 at 7:25 am

For any of you out there who are wondering how to disable this:

Get-ReceiveConnector “Name of your RCV connector” | Add-ADPermission -User “NT AUTHORITY\Anonymous Logon” -ExtendedRights “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender”

Reply

Ludwig July 30, 2011 at 3:12 pm

Hello everybody,

I successfully executed the above command on my Exchange Server 2010. I was asked if I really want to remove the permission etc.etc.etc.

But after restarting the machine, it is still possible to send mails from and to internal domain users without authentification.

What did I wrong ?

Thanks for your help

Reply

Bharat Suneja July 30, 2011 at 3:46 pm

What permissions does Anonymous have and what are the authentication settings on the Receive Connector?

Reply

rpro April 20, 2012 at 6:59 am

It does not work on exchange 2010 sp2.. the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender is removed but the connector still accepts Authoritative Domain senders..

Reply

bonsoft.cn November 15, 2011 at 11:36 pm

: host gmail-smtp-in.l.google.com[74.125.53.27] said:
550-5.7.1 [218.240.43.121 1] Our system has detected an unusual rate
of 550-5.7.1 unsolicited mail originating from your IP address. To protect
our 550-5.7.1 users from spam, mail sent from your IP address has been
blocked. 550-5.7.1 Please visit
http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk
Email Senders Guidelines. d4si34043756pbq.210

Reply

dave February 14, 2013 at 3:13 am

hi there,

i also noticed Exchange 2010 is letting anonymouse through, although set otherwise.

any suggestions would be very much appreciated!

kind regards

dave

Reply

Holian May 26, 2014 at 11:54 pm

Masters,

Maybe I misunderstood something but if i “untick” anonymous user on permisson group tab we can’t receive e-mails from outside. (i tested with my gmail account and i get back “Diagnostic-Code: SMTP; 530 5.7.1 Client was not authenticated” message.

You could check our setting on this serverfault link.

Any suggestion apperitiated!

Thank you

Reply

rikmer June 23, 2014 at 7:58 am

Apparently if using Exchange 2010 SP2 this doesn’t work anymore. Is there a way to do this if using Exchange 2010 SP2? Any information would be much appreciated.

Reply

Tomas June 26, 2014 at 8:32 am

Great post. I have another problem how to block spam where name is same before @ different domains.
Example:
[email protected] is my mail. SPAM come “[email protected]” is there a way to filter it via name ? That *tomas*@*.* is automatically blocked ?

Thanks

Reply

Kamaljeep October 22, 2014 at 1:43 pm

Does this still hold true for Exchange 2013?

Reply

Victor Ivanidze May 23, 2016 at 3:06 am

Have a look at this tool: http://ivasoft.com/headerrewriter.shtml

Regards,
Victor

Reply

Andrew Admin June 30, 2016 at 3:00 pm

This is an excellent write-up and the Exchange Mgmt Shell command DID indeed work to stop email spoofing in (or to) or domain!

*However*, as Oren Novotny pointed out above in the comments, if a company tries to send email “as” or “on behalf of” someone else, Exchange will silently DROP THIS EMAIL!! The only workaround I have found is to create a separate receive connector that allows for full anonymous-authentication and whitelist and/all mail server IP’s from companyA@ “via” SendGrid@/ConstantContact@, etc.

Someone let me know if there is another workaround. Thanks.

Reply

Bharat Suneja July 7, 2016 at 10:03 pm

Andrew, the post does recommend using a separate Receive Connector for trusted internal hosts such as copiers/scanners/MFPs. You can restrict submission to this Receive Connector using IP addresses/subnets, or have the sending hosts authenticate.

See How To Allow Relaying in Exchange 2010 and Exchange 2007 (http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html)

Reply

Andrew Admin July 8, 2016 at 6:17 am

Thank you, Bharat. However, I have already created a separate RC that allows for anonymous-authentication, but it does not always work for 3rd party senders. My biggest concern is that when people send email “via” or “on behalf of” if their TLS was not authenticated, our Exchange server drops the email. I’ve managed to make Constant Contact work, but I cannot get SendGrid to work. Do you know if it’s just because the sender’s TLS is no authenticated? Thank you!

Reply

Bharat Suneja July 15, 2016 at 3:07 pm

By default, Exchange uses opportunistic TLS. It won’t care if the certificate subject matches the sender fqdn – it’s just used to protect/encrypt the session, not to validate the sender.

How are you authenticating third-party senders? What’s the exact scenario?

Reply

Arif R August 30, 2016 at 7:48 pm

Hi, I need help.

I created a separate receive connector for internal devices and applications emails, added “Anonymous user” permission and added one device’s IP address also the whole IP address range. I removed the “ms-exch-smtp-accept-authoritative-domain-sender” permission from “Default Frontend ” receive connector. I also followed two more commands as advised in below link,

http://serverfault.com/questions/741501/how-can-i-prevent-spoofed-emails-from-outside-thats-using-my-internal-accepted-d

But my internal LAN-connected devices and applications emails are failing. They are connecting by SMTP to Exchange server.

Our internal devices are on different VLAN, not on the same VLAN where Exchange server is. My guess is, Exchange is considering it as outside emails and not passing it through the internal-relay receive connector. The error message is:

“554 5.1.0 Sender denied”

Is there anyway to check which receive connector internal devices are connecting by SMTP? and how to configure/force them to use the internal-relay connector I created?

Reply

Leave a Comment

{ 6 trackbacks }

Previous post:

Next post: