One of the more annoying types of spam is the kind that seems to come from your own domain, or worse, from your own email address! Of course, users in your own domain don't generally spam each other (unless you're using one of the free web-based email services), and most of us don't spam ourselves.
Obviously, this mail comes from a spammer who has spoofed your email address, or that of someone else in your domain. Unfortunately, SMTP, the protocol that mail clients and servers use to exchange email, allows headers to be spoofed easily: nothing in the protocol itself verifies the sender address a client claims.
In Exchange Server 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain (e12labs.com in this example) exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL FROM (envelope) or From: (message) headers.
You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.
Thanks to the extensive transport permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission, which dictates whether a sender may use an Accepted Domain in the MAIL FROM or From: headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.
Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
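The following is an added example (my own script, not code from the original post or from Microsoft) that wraps the one-liner above into an auditable change: it takes the internet-facing connector names you list, skips any connector that does not allow anonymous submission, records the Anonymous Logon ACEs that grant the right before removing them, verifies the result, and keeps the Add-ADPermission rollback next to the change. The connector name, the CSV path and the assumption that it runs from the Exchange Management Shell are placeholders and assumptions, not values from the post.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell; connector name(s) and the CSV path are placeholders.

$connectorNames = @('My Internet ReceiveConnector')   # placeholder: your internet-facing connector(s)
$right = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$anon  = 'NT AUTHORITY\Anonymous Logon'

foreach ($name in $connectorNames) {
    $rc = Get-ReceiveConnector -Identity $name

    # Only connectors that let anonymous hosts submit mail are relevant here.
    if ($rc.PermissionGroups -notmatch 'AnonymousUsers') {
        Write-Host "$name does not allow anonymous submission; skipping."
        continue
    }

    # Allow ACEs for Anonymous Logon that carry the right we are removing.
    $aces = $rc | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }

    if (-not $aces) {
        Write-Host "${name}: anonymous senders already cannot use your Accepted Domains."
        continue
    }

    # Record the current state first so the change can be reversed later.
    $csv = '.\{0}-anon-before.csv' -f ($rc.Name -replace '[^\w-]', '_')
    $aces | Select-Object Identity, User, ExtendedRights |
        Export-Csv -Path $csv -NoTypeInformation

    $aces | Remove-ADPermission -Confirm:$false
    Write-Host "${name}: removed $right from $anon (state saved to $csv)."
}

# Verify: no Allow ACE for the right should remain for Anonymous Logon.
foreach ($name in $connectorNames) {
    $remaining = Get-ReceiveConnector -Identity $name | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }
    Write-Host ('{0}: {1}' -f $name, $(if ($remaining) { 'STILL PRESENT' } else { 'removed' }))
}

# Rollback, if legitimate mail turns out to depend on the right (run by hand):
# Get-ReceiveConnector 'My Internet ReceiveConnector' |
#     Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights $right
```

The ACE check filters on the Deny property as well as on ExtendedRights, so a Deny entry for the same right is not mistaken for the Allow entry that actually lets anonymous hosts send as your domains. Run it against the connector bound to your MX address only; a connector for authenticated POP3/IMAP4 clients or trusted internal hosts is not the target.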
Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:
220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:[email protected]
550 5.7.1 Client does not have permissions to send as this sender
Exchange blocked spoofing of the P1 (envelope) sender. Let's continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) instead; maybe that'll work!
mail from:[email protected]
250 2.1.0 Sender OK
rcpt to:[email protected]
250 2.1.5 Recipient OK
data
354 Start mail input; end with
from:[email protected]
subject: Header spoofing
This is how we spoof headers, spoof headers.
.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel
As you can see, removing the ms-exch-smtp-accept-authoritative-domain-sender permission stops spoofing of your domains in both envelope (P1) and message (P2) headers.
When should you not remove the permission?
Is there a scenario where one should not remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon? Yes, on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication.
But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?
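As an added example (my own script, not from the original post), here is how such a separate Receive Connector for unauthenticated but trusted internal hosts can be created and checked from the Exchange Management Shell. It scopes the connector to the hosts' IP ranges, confirms that Anonymous Logon has the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right on it, and then compares it with the internet-facing connector, which should lack that right. The server name, the internal IP ranges and both connector names are placeholders.

```powershell
# Added example, not from the original post. Placeholders: server name,
# internal ranges, connector names. Run from the Exchange Management Shell.

$server  = 'HUB01'                                # placeholder Hub Transport server
$trusted = @('10.10.20.0/24', '10.10.21.15')      # placeholder: copier/scanner/app subnets or hosts
$right   = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$anon    = 'NT AUTHORITY\Anonymous Logon'

# Custom connector on port 25 reachable only from the listed ranges. Because its
# RemoteIPRanges are more specific than the default connector's 0.0.0.0-255.255.255.255,
# Exchange selects this connector for sessions coming from those addresses.
# Tls keeps opportunistic STARTTLS available without requiring authentication.
$rc = New-ReceiveConnector -Name 'Internal Trusted Hosts' -Server $server `
        -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $trusted `
        -AuthMechanism Tls -PermissionGroups AnonymousUsers

# The AnonymousUsers permission group grants Anonymous Logon the right to use
# Accepted Domains as sender on this connector; confirm it rather than assume it.
$hasRight = $rc | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }
if (-not $hasRight) {
    $rc | Add-ADPermission -User $anon -ExtendedRights $right
}

# Sanity check: the internet-facing connector must still lack the right while
# the trusted one has it. Replace the first name with your own internet connector.
foreach ($name in @('My Internet ReceiveConnector', 'Internal Trusted Hosts')) {
    $present = Get-ReceiveConnector -Identity "$server\$name" | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }
    '{0}: anonymous may send as an Accepted Domain = {1}' -f $name, [bool]$present
}
```

Keep the RemoteIPRanges list as narrow as the devices require; every address in it can submit mail as your domain without a password, so a broad range reintroduces on the inside what the internet-facing change removed on the outside.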
One problem with this — two major sites, Expedia and PayPal, send out emails with the user’s email as the sender.
So travel itineraries and paypal subscription payments get bounced since they’re trying to send email to you as you.
I’ve tried to contact their support dept’s as they really shouldn’t be doing that, but they haven’t changed/fixed it yet.
So, your users will lose emails from those sites with this config :/
Such messages would also run into issues with technologies like SenderID/SPF.
Yes, they would/do….but unless some major site (hotmail/gmail/yahoo) starts enforcing those, then PayPal, Expedia and who knows who else will keep ignoring it.
Users will scream if their travel itineraries bounce though even if the SenderID/SPF fails.
Bharat,
I've got a "smarthost" which is a SunSPARC 5 Solaris box acting as the email relay to my (HT-CAS-MBX) server, so if this device stops, all email stops too.
Does that mean I should not implement this method?
Thanks for all your postings.
@Albert: If the non-Exchange/external SMTP host configured as a smarthost on a SendConnector is unavailable, outbound mail will queue on your Hub Transport server.
If the server is also the target of MX record(s) for your domain(s), inbound internet mail will not be delivered by remote SMTP hosts. (Most mail servers will queue mail for a preconfigured period, ~2 days, before returning an NDR to the sender.)
Mitigation: You can add additional smarthosts – either from within your organization, or those belonging to your ISP/service provider. When multiple smarthosts are added to the same SendConnector, they’re load-balanced.
If using a separate Send Connector with a different smarthost as a “backup”, you will need to monitor the queues and disable the “primary” Send Connector to have Exchange 2007 switchover to the second Connector. For inbound internet mail, this can be achieved using additional MX record(s) with a higher preference pointing to the additional smarthost(s).
Thank you Bharat, this will hopefully do the trick on our E2k7 server as well. One question though, how would one accomplish the same task in E2k3? I have several clients running SBS 2003 and this is a big problem. Unfortunately, Antigen/Forefront does a poor job of handling this.
Can someone please, please let us know how we do the exact opposite? i.e. re-add that AD permission.
I just want to have this option in case something goes wrong.
Well scrap my previous comment. I found how to re-add the property.
My issue is different now.
I have an exchange internally (that indeed has two receive connectors, one secured (port 587) and one unsecured (port 25) and an exchange edge, that only has an unsecured receive connector.
I don’t think there is any permission for anonymous user on the edge. So where do I send this command? Which of the two servers?
Can someone help?
Such spam is effectively blocked by a properly configured SPF record for your own domain.
Regards,
Maksim
@NLS
So how do you re-add the property?
@NLS: Receive Connectors on Edge Transport servers have the same permissions model, and permissions for Anonymous Logon.
How do you undo this? I am concerned about executing any command that i don’t know how to undo.
“But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?”
How do I set up a separate Receive connector for internal/trusted SMTP hosts that send anonymously?
If they don’t authenticate, wouldn’t they automatically get sent to the “Default SERVERNAME” Receive Connector?
@Anonymous May 15: Use Add-ADPermission to add the permission for Anonymous Logon.
@Christian: Exchange Server 2007: How To Allow Relaying
How do you stop the bounce messages that result?
An external source sends an email to me as me and it's rejected (bounced). Guess who gets the bounce for the spam he didn't send or see?
Great information! IMO, wouldn't it be acceptable to require all receive connectors to require authentication? Is there any device these days that needs to send email that can't authenticate against an outgoing mail server?
My concern is that without authentication, doesn't that mean that any device that is within my network and thus using an internal receive connector has the potential to forge email addresses? That's not good, what with the potential for rogue devices to be added to the network in spite of best efforts to provide a sanitized and protected internal network.
Good article!
Is it possible to allow one (or more) external IPs to spoof using this server?
I have an (externally hosted) web server which I would like to allow to "spoof" mail to my end users.
Hello,
What command would allow me to roll the action back?
Would the below command do:
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Add-ADPermission
Many thanks and very good article btw!
Graig
For any of you out there who are wondering how to disable this:
Get-ReceiveConnector "Name of your RCV connector" | Add-ADPermission -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
Hello everybody,
I successfully executed the above command on my Exchange Server 2010. I was asked if I really want to remove the permission etc.etc.etc.
But after restarting the machine, it is still possible to send mails from and to internal domain users without authentication.
What did I do wrong?
Thanks for your help
What permissions does Anonymous have and what are the authentication settings on the Receive Connector?
It does not work on exchange 2010 sp2.. the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender is removed but the connector still accepts Authoritative Domain senders..
: host gmail-smtp-in.l.google.com[74.125.53.27] said:
550-5.7.1 [218.240.43.121 1] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. d4si34043756pbq.210
hi there,
I also noticed Exchange 2010 is letting anonymous through, although set otherwise.
any suggestions would be very much appreciated!
kind regards
dave
Masters,
Maybe I misunderstood something, but if I "untick" anonymous user on the permission group tab we can't receive e-mails from outside. (I tested with my gmail account and I get back a "Diagnostic-Code: SMTP; 530 5.7.1 Client was not authenticated" message.)
You could check our setting on this serverfault link.
Any suggestion appreciated!
Thank you
Apparently if using Exchange 2010 SP2 this doesn’t work anymore. Is there a way to do this if using Exchange 2010 SP2? Any information would be much appreciated.
Great post. I have another problem: how to block spam where the name before the @ is the same but the domain differs.
Example:
[email protected] is my mail. Spam comes from "[email protected]". Is there a way to filter it by name, so that *tomas*@*.* is automatically blocked?
Thanks
Does this still hold true for Exchange 2013?
Have a look at this tool: http://ivasoft.com/headerrewriter.shtml
Regards,
Victor
This is an excellent write-up and the Exchange Mgmt Shell command DID indeed work to stop email spoofing in (or to) our domain!
*However*, as Oren Novotny pointed out above in the comments, if a company tries to send email "as" or "on behalf of" someone else, Exchange will silently DROP THIS EMAIL!! The only workaround I have found is to create a separate receive connector that allows for full anonymous authentication and whitelist any/all mail server IPs from companyA@ "via" SendGrid@/ConstantContact@, etc.
Someone let me know if there is another workaround. Thanks.
Andrew, the post does recommend using a separate Receive Connector for trusted internal hosts such as copiers/scanners/MFPs. You can restrict submission to this Receive Connector using IP addresses/subnets, or have the sending hosts authenticate.
See How To Allow Relaying in Exchange 2010 and Exchange 2007 (http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html)
Thank you, Bharat. However, I have already created a separate RC that allows for anonymous authentication, but it does not always work for 3rd party senders. My biggest concern is that when people send email "via" or "on behalf of", if their TLS was not authenticated, our Exchange server drops the email. I've managed to make Constant Contact work, but I cannot get SendGrid to work. Do you know if it's just because the sender's TLS is not authenticated? Thank you!
By default, Exchange uses opportunistic TLS. It won’t care if the certificate subject matches the sender fqdn – it’s just used to protect/encrypt the session, not to validate the sender.
How are you authenticating third-party senders? What’s the exact scenario?
Hi, I need help.
I created a separate receive connector for internal devices and applications emails, added “Anonymous user” permission and added one device’s IP address also the whole IP address range. I removed the “ms-exch-smtp-accept-authoritative-domain-sender” permission from “Default Frontend ” receive connector. I also followed two more commands as advised in below link,
http://serverfault.com/questions/741501/how-can-i-prevent-spoofed-emails-from-outside-thats-using-my-internal-accepted-d
But my internal LAN-connected devices and applications emails are failing. They are connecting by SMTP to Exchange server.
Our internal devices are on different VLAN, not on the same VLAN where Exchange server is. My guess is, Exchange is considering it as outside emails and not passing it through the internal-relay receive connector. The error message is:
“554 5.1.0 Sender denied”
Is there any way to check which Receive Connector internal devices are connecting to by SMTP? And how do I configure/force them to use the internal-relay connector I created?