Thursday, March 17, 2016

Block Messages Spoofing Your Domain

Spam with attached malware has been going crazy lately. It's a complaint that all of our clients are dealing with. Antispam software doesn't seem to be able to keep up with new variants that are showing up each day.

Many of the spam messages spoof your domain in the sender address. For example, I might receive a spam message from admin@conexion.ca when my email address is in the conexion.ca domain. Fortunately, in Exchange Server, we can modify the Internet receive connector to block messages from your accepted domains. This means that emails with your domains as the From address will not be accepted from the Internet.

To block inbound messages from our own domain, we remove the extended AD permission ms-exch-smtp-accept-authoritative-domain-sender for the anonymous user on the Internet receive connector. Assuming that you have already identified that connector, the following command removes the permission:
Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
If you're like me and want to verify that you've got the right thing before you remove it, use the following command to verify first:
Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Format-List *
Before you actually implement this, make sure that you don't have any applications or devices such as copiers that submit messages on the Internet connector:
  • I have seen copiers in small businesses configured to submit scanned documents via email through the SMTP relay of an ISP instead of the local Exchange server.
  • I have also seen external cloud-based applications sending messages to internal users using a from email address of the internal domain.
  • Also, sometimes internal devices are configured with an IP address that uses the same receive connector as used for Internet mail reception. So, verify that the receive connector used for Internet messages does not allow internal IP addresses.
This permission exists for Exchange 2010, Exchange 2013, and Exchange 2016.
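The procedure above (check the connector's remote IP ranges, inspect the ACE, then remove it and confirm) as one script, added here as an example rather than taken from the original post. It assumes the Exchange Management Shell and a connector named "Internet" (placeholder); the private-range check is a heuristic regex over RemoteIPRanges and is my addition, not something Exchange does for you.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell; "Internet" is a placeholder for your Internet-facing receive connector.
$ConnectorName = "Internet"
$Right         = "ms-exch-smtp-accept-authoritative-domain-sender"
$AnonymousUser = "NT Authority\Anonymous Logon"

$connector = Get-ReceiveConnector -Identity $ConnectorName

# Pre-check from the post: the Internet connector should not also serve internal
# devices. Heuristic: flag RFC 1918 ranges in RemoteIPRanges for manual review.
$privatePattern = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
$suspectRanges  = $connector.RemoteIPRanges | Where-Object { "$_" -match $privatePattern }
if ($suspectRanges) {
    Write-Warning "Connector '$ConnectorName' accepts from private ranges: $($suspectRanges -join ', ')"
    Write-Warning "Internal copiers or apps sending as your domain through it would be rejected after this change."
}

# Step 1: look before you remove. Show the Allow ACE that grants the right to anonymous.
$ace = $connector |
    Get-ADPermission -User $AnonymousUser |
    Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $Right) }

if (-not $ace) {
    Write-Host "No Allow ACE for '$Right' found on '$ConnectorName'; nothing to remove."
    return
}
$ace | Format-List Identity, User, ExtendedRights, Deny, IsInherited

# Step 2: dry run first, then the real removal without the interactive prompt.
$ace | Remove-ADPermission -WhatIf
$ace | Remove-ADPermission -Confirm:$false

# Step 3: confirm the permission is gone by re-reading the ACL.
$remaining = $connector |
    Get-ADPermission -User $AnonymousUser |
    Where-Object { $_.ExtendedRights -like $Right }
if ($remaining) {
    Write-Warning "Permission still present; check for inherited or Deny entries."
} else {
    Write-Host "Anonymous senders can no longer use '$ConnectorName' with your accepted domains as the sender."
}
```

Test the result the same way the spam arrives: an SMTP session from an external address with a MAIL FROM in your domain should now be rejected at the envelope stage, while the same session from an internal IP that uses a different connector should still work. Note that the comments on this post report that the permission change no longer has this effect on later Exchange versions, so verify the behaviour rather than assuming it.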

4 comments:

  1. Thanks Byron. I have been experiencing this problem and the emails contain malware (which fortunately has been stripped by Exchange 2016). I still would rather not receive them though. I applied the command, with success.

  2. Hi. Sorry to revive this blog post, but I am searching for answers and I hope you can provide me with some insights.
    This command:

    Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

    has no effect in 2013 CU24 servers or 2016/2019 Exchange.
    I did not find a way to block this on an internet-facing receive connector on a CAS-only Exchange 2013 server. It is not an open relay, but with telnet you can use an internal domain address to send email internally. Is there no way to block this anymore?
    I've googled a lot; there are lots of forum posts, yet no answer.

    Here is a very recent example:

    https://docs.microsoft.com/en-us/answers/questions/203616/ms-exch-smtp-accept-authoritative-domain-sender-de.html?page=2&pageSize=10&sort=oldest
    Thank you for your time.

    Replies
    1. I read through your link and it looks like that method is not supported in recent versions of Exchange as you suggest. Quite possible at the time I did that with Exchange 2010.

      It appears that a transport rule is your best way to go. Here is one example: https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365

      That example assumes all inbound mail comes from a single IP address (antispam provider). If your server accepts mail directly from the Internet, you can approach it the opposite way and apply the rule to all inbound messages except known IP addresses that are apps that send using your domain.

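The transport-rule approach suggested in the reply above, written out as an added example (not the post's, the reply's, or the linked article's code). It follows the second variant the reply describes: apply the rule to all inbound mail claiming to be from your domain, except messages from known IP addresses of apps that legitimately send as you. The domain, rule name and IP addresses are assumed placeholders (the IPs are RFC 5737 documentation addresses constructed for this example), and the shell is the Exchange Management Shell.

```powershell
# Added example, not code from the original post or the linked article.
# Placeholders: the domain list, rule name and the known-sender IPs below.
$AcceptedDomains = @("conexion.ca")
$KnownSenderIps  = @("203.0.113.10", "198.51.100.0/24")   # constructed: cloud apps / copiers that send as your domain
$RuleName        = "Reject Internet mail spoofing accepted domains"

# Condition: the message originates outside the organization AND the sender is in
# one of our domains. Exception: it came from an IP range we know sends on our behalf.
# Mode Audit only records matches, so legitimate senders you forgot show up in
# message tracking / rule reports before anything is rejected.
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SenderDomainIs $AcceptedDomains `
    -ExceptIfSenderIpRanges $KnownSenderIps `
    -RejectMessageReasonText "Mail from this domain is not accepted from the Internet" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit

# Review what was created.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, ExceptIfSenderIpRanges

# After the audit period shows no false positives, switch the rule to rejecting:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

Unlike the receive-connector permission, a transport rule evaluates the message after it has been accepted, so the spoofed message is rejected with a 5.7.1 NDR rather than refused at the SMTP envelope; the upside is that the rule works on the versions where the permission change reportedly no longer does, and the exception list gives you an explicit inventory of who is allowed to send as your domain from outside.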