Thursday, March 17, 2016

Block Messages Spoofing Your Domain

Spam with attached malware has been going crazy lately. It's a complaint that all of our clients are dealing with. Antispam software doesn't seem to be able to keep up with new variants that are showing up each day.

Many of the spam messages spoof your domain in the sender address. For example, I might receive a spam message from admin@conexion.ca when my email address is in the conexion.ca domain. Fortunately, in Exchange Server, we can modify the Internet receive connector to block messages from your accepted domains. This means that emails with your domains as the From address will not be accepted from the Internet.

To block inbound messages from our own domain, we remove the extended AD permission ms-exch-smtp-accept-authoritative-domain-sender for the anonymous user on the Internet receive connector. Assuming that you have already identified that connector, the following command removes the permission:

Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

If you're like me and want to verify that you've got the right thing before you remove it, use the following command to verify first:

Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Format-List *

Before you actually implement this make sure that you don't have any applications or devices such as copiers that submit messages on the Internet connector:
  • I have seen copiers in small businesses configured to submit scanned documents via email through the SMTP relay of an ISP instead of the local Exchange server.
  • I have also seen external cloud-based applications sending messages to internal users using a from email address of the internal domain.
  • Also, sometimes internal devices are configured with an IP address that uses the same receive connector as is used for Internet mail reception. So, verify that the receive connector used for Internet messages does not allow internal IP addresses.

This permission exists for Exchange 2010, Exchange 2013, and Exchange 2016.
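The steps above (check the connector's remote IP ranges, inspect the permission, remove it, verify) can be run as one script from the Exchange Management Shell. The script below is an added example, not part of the original post; it uses only the cmdlets the post already relies on. The connector name "Internet" is the one from the post, the RFC 1918 prefix match is a heuristic I added to catch connectors that also accept internal addresses, and $DryRun defaults to $true so nothing is changed until you flip it.

```powershell
# Added example: audit, then remove, the anonymous right to send as an accepted domain.
# Run in the Exchange Management Shell. Adjust $ConnectorName to match your environment.
$ConnectorName = "Internet"                                   # from the post; yours may differ
$AnonymousUser = "NT Authority\Anonymous Logon"
$Right         = "ms-exch-smtp-accept-authoritative-domain-sender"
$DryRun        = $true                                        # set to $false to actually remove the right

$connector = Get-ReceiveConnector $ConnectorName

# 1. Check the post's caveat: an Internet connector that also accepts internal ranges
#    would block copiers and applications that relay through it. The RFC 1918 prefix
#    match is a heuristic (assumption): it flags ranges whose text form starts with a
#    private prefix, e.g. "10.0.0.0/8" or "192.168.1.10-192.168.1.20".
$privatePrefix  = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
$internalRanges = $connector.RemoteIPRanges | Where-Object { $_.ToString() -match $privatePrefix }
if ($internalRanges) {
    Write-Warning "Connector '$ConnectorName' accepts internal ranges: $($internalRanges -join ', ')"
    Write-Warning "Internal devices submitting through it will no longer be able to send as your domains."
}

# 2. Show the exact ACE before touching anything (the post's Format-List step).
$ace = $connector | Get-ADPermission -User $AnonymousUser |
    Where-Object { $_.ExtendedRights -like $Right }

if (-not $ace) {
    Write-Host "Right '$Right' is not granted to '$AnonymousUser' on '$ConnectorName'; nothing to do."
    return
}
$ace | Format-List Identity, User, ExtendedRights, Deny

# 3. Remove the right, with a -WhatIf dry run by default.
if ($DryRun) {
    $ace | Remove-ADPermission -WhatIf
    Write-Host "Dry run only. Set `$DryRun = `$false to remove the right."
    return
}
$ace | Remove-ADPermission -Confirm:$false

# 4. Verify: the same query should now return nothing.
$remaining = $connector | Get-ADPermission -User $AnonymousUser |
    Where-Object { $_.ExtendedRights -like $Right }
if ($remaining) {
    Write-Warning "Right '$Right' is still present on '$ConnectorName'; check for inherited or duplicate entries."
} else {
    Write-Host "Right '$Right' removed from '$ConnectorName'. Test with an external message that uses your domain as the From address."
}
```

Run it once with $DryRun left at $true and read the warnings; only after you have confirmed that no internal device or external service depends on sending as your domain through this connector should you set it to $false.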

2 comments:

  1. Thanks Byron. I have been experiencing this problem and the emails contain malware (which fortunately has been stripped by Exchange 2016). I still would rather not receive them though. I applied the command, with success.