Prevent Spam Mail From Your Own Domain in Exchange 2007

One of the biggest bug-bears with spam is the spam that comes from (or supposedly comes from) random_username@yourdomain.com or even your_username@yourdomain.com. This is known as spoofed mail and is a common technique that spammers use to try to get mail past Anti-Spam software.

From the Anti-Spam logs on my own server in the last 24-hours, I have received 1,974 emails (out of 17,432 in total) where the sender domain matched the recipient domain. This is about 11.3% of all mail that hit my server, so it is a relatively large problem. Factor that up to a year’s worth of mail and you get 720,510 a year.

To prevent this from happening, you simply need to remove a specific permission that allows anonymous senders to use your internal domain names in the Mail From section of an email. If anyone tries to do this (anonymous users only) they will receive a “550 5.7.1 Client does not have permissions to send as this sender” message.

The syntax to remove the permission should be entered as follows in the Exchange Management Console:

Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

(You need to change the “My Internet Receive Connector” part in the above syntax)

Having run this command successfully, test using Telnet to your mail server from an external computer and see what happens if you try to send mail as one of your internal domain names. You should receive the 550 5.7.1 Message.

N.B. To put the permission back (in case you need to), please run the following:
Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Add-ADPermission

If you have internal photocopiers and other hardware that needs to relay via your Exchange 2007 server and you cannot configure them with a username / password, then removing the above permissions will prevent you from relaying and will cause you problems.

Advertisements

12 Responses

  1. […] just came across an elegant alternative to our Self-Spam Agent (which stops spam sent in your name) in Alan Hardisty’s blog. While […]

  2. That’s a great and relevant solution Alan, I have posted the link in our blog and twitter feed as an alternative to our Self-Spam Agent.

  3. […] Prevent Spam Mail From Your Own Domain in Exchange 2007 March 20103 comments […]

  4. Hi Alan-

    I have enjoyed a number of the posts on your blog and am about to embark on a commercial email campaign. I want to be sure my actions are completely Can Spam compliant, I do not wish to do damage to the reputation of my business. Would you mind answering a few quick questions that I have?

  5. I was wondering if there is a way to let one address through? right now its stopping the spoofing cold, but we have a antispam going through with the address “postmaster@domain.com” and want only that address to be able to go through from anonymouse, let me know if you know any solutions! thanks!

    • Does the postmaster@domain.com come from one specific IP Address or a range of known IP Addresses?

      If it does, you should be able to create a new Receive Connector and configure the remote IP ranges accordingly, then allow Anonymous as the Security Groups and that should allow them through.

      From the EMS, type the following (adjust to your specific requirements):

      New-ReceiveConnector -Name ‘Postmaster‘ -Usage ‘Custom’ -AuthMechanism ‘BasicAuth’ -Bindings ‘0.0.0.0:25’ -fqdn ‘mail.yourdomain.com‘ -RemoteIPRanges ‘xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy‘ -PermissionGroups ‘AnonymousUsers’ -Server ‘YourServerName

  6. I tried the command on an Exchange 2010 machine, but it doesn’t help I can still telnet from another server and use mail from:blabla@mydomain.com. It is still accepted.

    Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

    Any ideas why? Its a single server installation with the HT connected to the internet.

  7. Great article, Alan!

    Just one thing though .. I’ve found out (the hard way) that the command to put the permission back (in case you need to) is actually incorrect and will not work. The structure of the command will fliter to a specific permission which was previously removed, thus returning no results to pipe through to the Add-ADPermission command.

    The correct command for putting the permission back should be:
    Get-ReceiveConnector “My Internet Receive Connector” | Add-ADPermission -User “NT AUTHORITY\Anonymous Logon” -ExtendedRights “ms-exch-smtp-accept-authoritative-domain-sender”

    Cheers!
    Simon.

  8. […] found a nice elegant solution that involved removing extendedright for the anonymous […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: