How can I combat mail spoofing? : Microsoft, exchange

May 17, 2008 08:48am pdt

1. Sembee 68,650
2. kieran_b 49,877
3. peakpeak 24,375
4. mass2612 23,650
5. Chris-Dent 21,300
6. war1 20,025
7. Richard_... 19,189
8. mattee76 15,800
9. Network_... 15,400
10. abhaigh 13,220
11. mihapi 12,845
12. Paka 12,421
13. LeeDerby... 12,050
14. tigermatt 11,900
15. isaman07 11,750

1. Sembee 341,527
2. kieran_b 49,877
3. war1 44,686
4. mass2612 36,650
5. Chris-Dent 33,362
6. darkstar3d 33,275
7. ATIG 32,075
8. peakpeak 29,775
9. tigermatt 29,300
10. rid 27,920
11. TechSoEasy 27,410
12. LeeDerby... 26,000
13. grblades 25,375
14. redseate... 23,509
15. Richard_... 19,189

05.08.2008 at 02:03PM PDT, ID: 23387692

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.4

How can I combat mail spoofing?

Zones: Anti-Spam Email Software, Email Servers, Simple Mail Transfer Protocol (SMTP)

Tags: Microsoft, exchange

How can I combat mail spoofing? I work with a number of different cleints and many of them have been reporting that they are recieving NDR's for messages they did not send. It seems like this has increased dramatically over the last two months from over 7 different cleints who's small domains I manage.

I know I can block the NDR domain wide, but then they won't get an NDR if they mistype someone's name, or there is a real communication problem going on.

I have two questions.
1. Can any harm come from spammers spoofing my cleints addresses? Can an ISP block my domain if enough spam comes from a spoofer? (I have Reverse PTR's set up, which is likley why the mail is being blocked when it's deliverd)

2. Can I block the NDR's that are returned from spoofed email, while letting NDR's through when one of my users makes a real mistake in typing

thanks for the help

I'm attaching a message that was sent to my by a cleint. He said he never sent a message to the original recipient

David

-----Original Message-----
From:       Mail Delivery System [mailto:Mailer-Daemon@perfora.net]
Sent:      Friday, April 18, 2008 05:03 AM Pacific Standard Time
To:      Edward Smith
Subject:      Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following addresses
failed:

quota exceeded:
info@HabanosyHermanos.com

-----------------------------------------------------------------

Received: from steyer-mail-02.Internal.Steyerlaw.Com (mail.steyerlaw.com [66.92.190.101])
      by mx.perfora.net (node=mxus4) with ESMTP (Nemesis)
      id 0MKojg-1JmpJ03pJB-0000w5 for info@HabanosyHermanos.com; Fri, 18 Apr 2008 08:03:15 -0400
Subject: Out of Office AutoReply: H & H - The perfect present
Date: Fri, 18 Apr 2008 05:03:04 -0700
MIME-Version: 1.0
Content-Type: text/plain;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <2FA588293718704CA4E3C64C19F51764030C74@steyer-mail-02.Internal.Steyerlaw.Com>
X-MS-Has-Attach:
Content-class: urn:content-classes:message
X-MS-TNEF-Correlator:
X-MimeOLE: Produced By Microsoft Exchange V6.5
Thread-Topic: H & H - The perfect present
Thread-Index: AcihTCgTYAv2FRkURBO01MmI5eQL3gAAAArg
From: "Edward Smith" <XXXXXXXX@steyerlaw.com>
To: "H and H Notifier" <info@HabanosyHermanos.com>

-----------------------------------------------------------------

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: dladowitz

Solution Provided By: PsiCop

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.08.2008 at 04:13PM PDT, ID: 21529223

PsiCop:

Short Answer: You can't.

Long Answers:

"1. Can any harm come from spammers spoofing my cleints addresses?"

Yes, some E-Mail systems may decide to block E-Mail from your Domain, and not take the time to determine that it was a spoof.

"Can an ISP block my domain if enough spam comes from a spoofer?"

Sure. An ISP can block E-Mail from your Domain for any reason. Nothing forces anyone to accept E-Mail from a given Domain.

"(I have Reverse PTR's set up, which is likley why the mail is being blocked when it's deliverd)"

Probably your PTRs are having no effect, because the E-Mail systems accepting the spoofed messages aren't checking for spoofing to begin with.

"2. Can I block the NDR's that are returned from spoofed email, while letting NDR's through when one of my users makes a real mistake in typing"

That depends entirely on your E-Mail infrastructure (which you haven't described), how adaptable it is and how much work you want to put into the task.

To effectively do what you suggest (accept NDRs only for E-Mail you system has actually sent), you're going to have to implement some sort of system by which your MTA keeps track of all outgoing E-Mail, and when an NDR arrives, either matches it to a record of an E-Mail that was sent, or discards it.

Entirely possible.... Whether or not you want to put the effort into it is a wholly different question.

Accepted Solution

05.08.2008 at 04:20PM PDT, ID: 21529261

dladowitz:

thanks for your response.
We are using Exchange 2003 SP2 in all domains. Likley the clients would pay for 1-2 hrs worth of work.
It's interesting no one has come up with a solution to combat spoofing, especially as a paid product or service. Maybe it's just a matter of time, like when spammers first started there was no way to stop them until antispam software was created. Seems like a good area for a strong email administrator to think up a product.

05.09.2008 at 04:36PM PDT, ID: 21537112

PsiCop:

"like when spammers first started there was no way to stop them until antispam software was created."

Anti-SPAM still doesn't stop spammers. Never has, never will. What it can do, with varying amounts of success, is stop them from actually reaching the users served by the mail system.

Good luck on customizing exchange.

05.10.2008 at 12:04AM PDT, ID: 21538093

fhmc:

a solution has been defined to combat spoofing... it is not a standard yet, but I suspect it may very well be soon (that, or some varient will be.)

look into SPF records. I have defined them for all of my domains. I don't expect them to do much for me right now, but they offer a certain level of promise for the future... especially if the process (err... WHEN such a process) finally becomes mainstream.

in short... a SPF record defines which hosts and IP's are approved by YOU to send mail for your domain... e.g. if johnny spamman tries to deliver a email to victim@someisp.com from his laptop... someisp.com will look up your SPF record and determine that his laptop is not an authorized mail server for your domain and deny the message.

05.10.2008 at 09:51AM PDT, ID: 21539618

PsiCop:

SPF records do *NOT* stop spoofing.

SPF records have NO EFFECT *unless* a receiving mailhost checks *and* honors the information in the SPF record.

There is nothing that forces any specific receiving mailhost to check for SPF records, or honor the information in the way the SPF record creator intended.

SPF records also do not necessarily combat inclusion of spoofed E-Mail addresses in Reply-To: headers.

I'm not saying that the Asker shouldn't set up an SPF record. Just understand the limitations. It won't magically put an end to spoofing.

05.10.2008 at 10:36AM PDT, ID: 21539760

fhmc:

Thank you for the additional feedback PsiCop... Clearly the first two paragraphs of my original post didn't make this point clear enough.

a solution has been defined to combat spoofing... it is not a standard yet, but I suspect it may very well be soon (that, or some varient will be.)

look into SPF records. I have defined them for all of my domains. I don't expect them to do much for me right now, but they offer a certain level of promise for the future... especially if the process (err... WHEN such a process) finally becomes mainstream.

20080236-EE-VQP-29 / EE_QW_2_20070628