Solved

Exchange spoofing of server behind firewall.

Posted on 2007-07-25
Last Modified: 2010-04-11
I'm running an Exchange server and hosting e-mail on a server via a port redirect on the router. The MX records point at the public IP of the router.
I'm getting some, not many but still some, NDRs from remote servers telling me that the mail was not delivered. Of course the e-mail did not originate from my users or server. I have eliminated the possibility of a mail bot on the users' computers and believe it to be a domain spoofer.

What would be the suggested action to take, to protect from domain spoofing if my server is not authoritative to the domain it is sending email from?
Question by:GPadmin
7 Comments
 
LVL 9

Expert Comment

by:Rurne
ID: 19569188
If it's not originating on your server, you really can't.  Based on the SMTP rulesets, the systems you're receiving bounces from may/may not do IP lookups on HELO/EHLO and MAIL FROM: commands.  If they're vanilla deployments (especially of the postfix/sendmail/qmail variety), they don't bother checking at all, so someone could claim to be supertrustablemegauser_goodguy57@gpadminsdomain.com, and you'd never know it until the bounce came back from specifying a nonexistent account on RCPT TO:.

As long as this isn't a mailbot within your network, you should be okay.  Rarely do domains get abused like that to the point of getting RBL'ed, unless you've actively irritated a spammer.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19569332
We get NDRs all the time; some are rough spam (as NDRs mostly pass through filters). That's the world we built and we have to live with it. Any spammer (anyone) can put your address as the reply address in any message.
0
 
LVL 12

Accepted Solution

by:
NetAdmin2436 earned 375 total points
ID: 19569370
There's not much you can really do about it. What you are referring to is called 'backscatter'. Basically, a spammer sends out spam to bogus@companyA.com with a spoofed address pointing back to you. The email server at companyA sends out an NDR to you. (If the admin was good, he would disable NDR.)
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22116577.html?sfQueryTermInfo=1+backscatt+ndr
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22520233.html?sfQueryTermInfo=1+backscatt

You can be a good neighbor and prevent YOUR server from doing this to others, but not vice versa.

Hope this helps
0
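One way to confirm that an NDR is backscatter rather than a bounce of mail that really left your own server is to read the copy of the original message that most NDRs embed and check which IP handed it to the bouncing server. This is an added example, not code from the thread; `OUR_IPS`, the sample NDR and every host and address in it are constructed placeholders.

```python
import email
from email import policy

# Assumed value: the public IP(s) your own outbound mail leaves from.
OUR_IPS = ("203.0.113.10",)

# Constructed sample NDR (not from the thread); hosts and addresses are placeholders.
SAMPLE_NDR = """\
From: MAILER-DAEMON@companya.example
To: sales@example.com
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to bogus@companya.example failed.

--b1
Content-Type: message/rfc822

Received: from example.com (unknown [198.51.100.77])
 by mx.companya.example; Wed, 25 Jul 2007 10:00:00 +0000
From: sales@example.com
To: bogus@companya.example

spam body
--b1--
"""

def original_message(ndr):
    """Return the bounced message (or just its headers) embedded in an NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw, our_ips=OUR_IPS):
    """'ours' if a Received hop shows one of our IPs, else 'backscatter'."""
    orig = original_message(email.message_from_string(raw, policy=policy.default))
    if orig is None:
        return "unknown"  # the NDR carries no copy of the original message
    # Lower Received lines are sender-supplied, so 'ours' means "check your logs".
    hops = " ".join(str(h) for h in orig.get_all("Received", []))
    return "ours" if any(f"[{ip}]" in hops for ip in our_ips) else "backscatter"
```

The sample's `Received` line shows a HELO name claiming the victim domain while the recorded IP belongs to someone else, which is the pattern described in the answers above.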
 
LVL 28

Expert Comment

by:peakpeak
ID: 19569498
Good Behaviour: On an Exchange Server, enable Recipient Filtering and turn on the Tarpit Feature
0
 
LVL 9

Expert Comment

by:Rurne
ID: 19569555
Be careful about blocking backscatter from your machine.  You'll probably get nailed to the wall for violation of RFC 3461 and 2821 if rfc-ignorant catches on.
0
 
LVL 28

Expert Comment

by:peakpeak
ID: 19569658
Recipient filtering will disable the NDR, handling the communication on an SMTP level and thus evading the need for sending an NDR, as the message did not reach the mail server. It's brilliant. Combined with the Tarpit Feature, we're not ahead of the spammers but at least saying No!
0
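The difference between accepting mail and bouncing it later versus refusing unknown recipients at RCPT TO, as described in the comment above, shown as a small simulation of the receiving server. This is an added example, not code from the thread and not Exchange's own logic; the mailbox list, the spam run and the 5-second tarpit delay are constructed values.

```python
# Constructed data: mailboxes that exist on the receiving server (placeholders).
MAILBOXES = {"alice@companya.example"}
TARPIT_SECONDS = 5  # assumed delay added before each 5xx reply when tarpitting is on

def receive(mail_from, rcpts, recipient_filtering, tarpit=False):
    """Simulate one inbound SMTP transaction.

    Returns (replies, ndr_targets, delay): the replies the connecting client
    sees, the addresses this server later mails an NDR to, and the seconds of
    tarpit delay imposed on the client.
    """
    replies, ndr_targets, delay = [f"MAIL FROM:<{mail_from}> -> 250"], [], 0
    accepted = []
    for rcpt in rcpts:
        known = rcpt.lower() in MAILBOXES
        if recipient_filtering and not known:
            # Refused inside the SMTP dialogue: the connecting client owns the
            # failure and nothing is ever mailed to the (forgeable) MAIL FROM.
            # 550-vs-250 also reveals which addresses exist, so the tarpit
            # delay makes probing many addresses slow.
            delay += TARPIT_SECONDS if tarpit else 0
            replies.append(f"RCPT TO:<{rcpt}> -> 550 5.1.1")
            continue
        replies.append(f"RCPT TO:<{rcpt}> -> 250")
        accepted.append((rcpt, known))
    if accepted:
        replies.append("DATA -> 250 queued")
        # Accept-then-bounce: the bad address is only discovered after the
        # session, so the NDR goes to whoever MAIL FROM claimed to be.
        ndr_targets = [mail_from for _, known in accepted if not known]
    return replies, ndr_targets, delay

def backscatter_sent(spam_run, **settings):
    """Count NDRs a server with these settings would mail to forged senders."""
    return sum(len(receive(s, r, **settings)[1]) for s, r in spam_run)

# Constructed spam run: forged sender at the victim domain, mostly bogus recipients.
SPAM_RUN = [
    ("sales@example.com", ["bogus@companya.example", "alice@companya.example"]),
    ("sales@example.com", ["nobody@companya.example"]),
]
```

With `recipient_filtering=False` the run above produces two NDRs addressed to the forged sender; with it enabled the count is zero and the only cost falls on the connecting client.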
 

Author Comment

by:GPadmin
ID: 19619201
I will look into this and see what happens, thanks
0
