Prevent Spam Mail From Your Own Domain in Exchange 2007

One of the biggest bugbears with spam is the spam that comes from (or supposedly comes from) random_username@yourdomain.com or even your_username@yourdomain.com. This is known as spoofed mail and is a common technique that spammers use to try to get mail past Anti-Spam software.

From the Anti-Spam logs on my own server in the last 24 hours, I have received 1,974 emails (out of 17,432 in total) where the sender domain matched the recipient domain. This is about 11.3% of all mail that hit my server, so it is a relatively large problem. Factor that up to a year’s worth of mail and you get 720,510 a year.

To prevent this from happening, you simply need to remove a specific permission that allows anonymous senders to use your internal domain names in the Mail From section of an email. If anyone tries to do this (anonymous users only) they will receive a “550 5.7.1 Client does not have permissions to send as this sender” message.

The syntax to remove the permission should be entered as follows in the Exchange Management Console:

Get-ReceiveConnector "My Internet Receive Connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

(You need to change the “My Internet Receive Connector” part in the above syntax to the name of your own receive connector.)

Having run this command successfully, test using Telnet to your mail server from an external computer and see what happens if you try to send mail as one of your internal domain names. You should receive the 550 5.7.1 message.

N.B. To put the permission back (in case you need to), please run the following:
Get-ReceiveConnector "My Internet Receive Connector" | Add-ADPermission -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights "ms-exch-smtp-accept-authoritative-domain-sender"

If you have internal photocopiers and other hardware that need to relay via your Exchange 2007 server and you cannot configure them with a username / password, then removing the above permission will prevent them from relaying and will cause you problems.
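
Before removing the permission, it helps to see which receive connectors grant it and which client address ranges each one serves, so that a connector used by internal devices is not changed by accident. The following is an added example, not part of the original article; it uses the same cmdlets as above plus the -WhatIf switch to preview the removal, and "My Internet Receive Connector" remains a placeholder name.

```powershell
# Added example: audit first, then preview. Run in the Exchange Management Shell.
$right  = "ms-exch-smtp-accept-authoritative-domain-sender"
$anon   = "NT AUTHORITY\Anonymous Logon"
$target = "My Internet Receive Connector"   # placeholder: your Internet-facing connector

# 1. List every receive connector, the client ranges it serves, and whether
#    anonymous senders currently hold the right on it.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $granted = @($connector | Get-ADPermission -User $anon |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $right) })

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Connector      $connector.Identity
    $row | Add-Member NoteProperty RemoteIPRanges "$($connector.RemoteIPRanges)"
    $row | Add-Member NoteProperty AnonymousCanSendAsOwnDomain ($granted.Count -gt 0)
    $row
} | Format-Table -AutoSize -Wrap

# 2. Preview the removal on the Internet-facing connector only.
#    -WhatIf reports what would be removed without changing anything.
Get-ReceiveConnector $target | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -WhatIf
```

A connector whose RemoteIPRanges is scoped to the addresses of internal devices is the kind described in the caveat above, so leave it out of step 2. Once the preview lists only the entry you expect, run the removal command without -WhatIf.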

How to prevent Spoofed Emails in Exchange 2003

Spammers use all types of techniques to get their rubbish through to you, and one technique that they use is called spoofing, whereby they forge the sender address and use your own email address, or someone@yourdomainname.com, as the sender address.

There are various ways to combat this and in Exchange 2003, you can do the following:

  • Set up Sender Filtering to stop inbound emails that are supposedly from your own domain name.
  • Set up Tarpitting to slow down spammers who try to determine the email addresses that are sitting on your Exchange server.
  • Set up a Sender Policy Framework (SPF) record for your domain.
  • Set up Sender ID filtering to check SPF records for inbound email and reject ones that fail.
  • Set up Recipient Filtering (won’t solve the spoofing problem, but it is highly recommended to set this up too).

To set up these Anti-Spam techniques, you should first check that you are using Exchange 2003 Service Pack 2: open Exchange System Manager, expand Servers, then right-click on your server and choose Properties.

The screen that follows should advise you what Service Pack your Exchange Server is on.  If it does not say Service Pack 2, please visit the following link to download and install it:

http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

If you are already on Exchange 2003 Service Pack 2, then please review the following articles to set up the various Anti-Spam techniques:

Once you have set up the above, you should be free from spoofed emails claiming to come from anyone@yourdomain.com or from your own email address to yourself!

As an alternative to the above, you could simply install some Anti-Spam software. One product that I have been using recently, after it was recommended to me by a Microsoft Exchange MVP, is Vamsoft ORF, which is currently priced at $239 per server. It has drastically reduced the amount of spam that I have been receiving, and my customers who also have Vamsoft have seen a dramatic reduction in their spam levels too. Their website is www.vamsoft.com.