
How to Refuse Relay through Exchange 5.5 SP4...

jccarter asked:
We have Exchange 5.5 SP4 on WinNT 4 with all patches current. I have relaying mail shut off in the IMS properties.

I need to find a way to shut off the local domain from sending in. We have a "hacker" on staff who periodically breaks in to expose vulnerabilities. Recently, he was able to send mail from outside to an address inside and make it look as though it came from inside.

Example: Our domain is aaa.com. From bbb.com he was able to send a message from user@aaa.com to user@aaa.com.

Here is an example of the Internet header info:

Received: from (outside server)([xxx.xxx.xxx.xxx]) by emailserver.aaa.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id S7Q2SNL4; Mon, 17 Sep 2001 18:26:36 -0400
From:User<User@aaa.com>
To:User<User@aaa.com>
sent:01/01/01
Subject:Fake email

----------------------------------------------------------

How do I prevent this? Can I prevent aaa.com from being accepted as a from address for external email?


mikecr (IT Architect/Technology Delivery Manager)

Commented:
All he needs is an SMTP server to do this. Even IIS supports an SMTP add-on. All you have to do is create a basic email with a from line from wherever and drop it in the pickup directory on the mail server or IIS SMTP server, and it will send it on its merry way. To get around this, disable any SMTP servers that you have running on any box other than Exchange. Once you have done that, you will want to set up Outbound security on the SMTP server to request authorization before sending instead of being anonymous access. I will research this some more for you also.

Author

Commented:
I'm not sure you understand.

I want:

1) to prevent any email from outside my network (Internet users) from being sent through my email server.

2) to prevent any user outside my network to send email to my email server that has our domain (user@aaa.com).

Commented:
That's an interesting problem. There isn't a way to configure Exchange 5.5 so that it will reject all inbound SMTP mail from a particular sender (in this case a spoofed address).

You could use something like Trend's Virus Wall to do that. You configure your MX record to send all inbound SMTP mail to that server first. It scans all mail for viruses, content and particular users. Then it sends on the "clean" mail to the Exchange Server's Internet Mail connector. It wouldn't be asked to process any mail that stays in your Exchange system since that mail (internal mail) wouldn't leave the Exchange system.

...and tell your "staff hacker" to get a life! Spoofing an SMTP address is EASY--he don't got no special skeelz.

Commented:
You're essentially going to have to 'break' your Exchange IMS to support the configuration described above.

You need to allow your IMS to re-route inbound mail or POP3/IMAP clients will be unable to receive mail.

You'd need an intelligent SMTP proxy to prevent someone from spoofing mail in this manner - either to prevent people sending mail via telnet or to examine SMTP packets and drop packets purporting to be from inside your organisation arriving at an external interface.

Obviously, whilst I'd hope you have a firewall in place, these don't always have SMTP proxy capabilities and it seems like a lot of additional expense due to one 'hacker' if you could even call them that.

Why don't you beat him at his own game? Examine the mail header of one of his inbound messages, work out the IP address he is sending as and shop him to his ISP.
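One way to implement the two checks suggested above (refusing mail that claims an internal sender but arrived unauthenticated from an outside host, and reading the handing-off IP out of the Received header), as an added Python example that is not from the thread or from Exchange; the domain aaa.com and the header layout come from the question, while the internal address ranges and the address 203.0.113.7 are constructed assumptions:

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "aaa.com"                                      # the org's domain, from the question
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),          # assumption: constructed
                 ipaddress.ip_network("192.168.0.0/16")]      # internal address ranges
# Exchange 5.5 stamps "from host ([a.b.c.d]) by ..." on each message it receives.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(header_value):
    """Domain part of an address header, e.g. 'User<User@aaa.com>' -> 'aaa.com'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def origin_ip(raw_message):
    """IP of the host that handed the message to our server. The topmost
    Received header is the one our own server added, so it is checked first."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received") or []:
        m = RECEIVED_IP.search(received)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def should_reject(raw_message, authenticated=False):
    """Refuse a message whose From claims our domain but which arrived from a
    host outside our networks without authenticating (the spoof in the thread)."""
    msg = message_from_string(raw_message)
    if authenticated or sender_domain(msg.get("From", "")) != LOCAL_DOMAIN:
        return False          # genuinely external sender, or an authenticated client
    ip = origin_ip(raw_message)
    # No usable origin means we cannot vouch for it: fail closed.
    return ip is None or not any(ip in net for net in INTERNAL_NETS)


# Constructed sample mirroring the header in the question; 203.0.113.7 is a
# documentation address standing in for the real outside server.
SPOOFED = """\
Received: from (outside server)([203.0.113.7]) by emailserver.aaa.com with SMTP
  (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id S7Q2SNL4; Mon, 17 Sep 2001 18:26:36 -0400
From: User<User@aaa.com>
To: User<User@aaa.com>
Subject: Fake email

Looks internal, is not.
"""
INTERNAL = SPOOFED.replace("(outside server)([203.0.113.7])", "pc1 ([192.168.1.20])")
```

Running `should_reject(SPOOFED)` yields True and `should_reject(INTERNAL)` False; the same message from an authenticated client, or with a From at another domain, is accepted.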

Author

Commented:
If the product won't do it find another. Thanks, Xeaza.

Commented:
Thanks!
