GPadmin

asked on

Exchange spoofing of server behind firewall.

I'm running an Exchange server and hosting e-mail on a server via a port redirect on the router. The MX records point at the public IP of the router.
I'm getting some, not many but still some, NDRs from remote servers telling me that the mail was not delivered. Of course the e-mail did not originate from my users or server. I have eliminated the possibility of a mail bot on the users' computers and believe it to be a domain spoofer.

What would be the suggested action to take, to protect from domain spoofing if my server is not authoritative to the domain it is sending email from?
Rurne

If it's not originating on your server, you really can't. Based on the SMTP rulesets, the systems you're receiving bounces from may/may not do IP lookups on HELO/EHLO and MAIL FROM: commands. If they're vanilla deployments (especially of the postfix/sendmail/qmail variety), they don't bother checking at all, so someone could claim to be supertrustablemegauser_goodguy57@gpadminsdomain.com, and you'd never know it until the bounce came back from specifying a nonexistent account on RCPT TO:.

As long as this isn't a mailbot within your network, you should be okay. Rarely do domains get abused like that to the point of getting RBL'ed, unless you've actively irritated a spammer.
We get NDRs all the time; some are rough spam (as NDRs mostly pass through filters). That's the world we built and we have to live with it. Any spammer (anyone) can put your address as the reply address in any message.
ASKER CERTIFIED SOLUTION
NetAdmin2436

Good Behaviour: On an Exchange Server, enable Recipient Filtering and turn on the Tarpit Feature
Be careful about blocking backscatter from your machine. You'll probably get nailed to the wall for violation of RFC 3461 and 2821 if rfc-ignorant catches on.
Recipient filtering will disable the NDR, handling the communication on the SMTP level and thus avoiding the need for sending an NDR, as the message never reached the mail server. It's brilliant. Combined with the Tarpit Feature we're not ahead of the spammers, but at least we're saying No!
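The two behaviours contrasted in this thread (accepting mail for any recipient and bouncing later, versus rejecting unknown recipients at RCPT TO with a tarpit delay) as an added simulation that is not part of the original thread or of Exchange itself. The SMTP session, the recipient list and the hostnames are constructed for the example; the tarpit delay is recorded rather than slept.

```python
# Constructed example: a minimal server-side SMTP command handler that shows why
# recipient filtering removes backscatter. Without filtering, the server accepts
# every RCPT TO, later finds the mailbox does not exist, and generates an NDR to
# the MAIL FROM address (which a spoofer controls). With filtering, the unknown
# recipient is refused on the wire with a 550, so no NDR is ever created, and the
# refusal can be tarpitted. Names and domains are hypothetical.

VALID_RECIPIENTS = {"alice@gpadminsdomain.com", "bob@gpadminsdomain.com"}


def handle_session(commands, recipient_filtering, tarpit_seconds=5):
    """Process one inbound SMTP session; return (replies, ndrs, total_tarpit_delay)."""
    replies, ndrs, delay = [], [], 0
    sender, unknown = None, []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.gpadminsdomain.com")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip("<> ")
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if rcpt in VALID_RECIPIENTS:
                replies.append("250 2.1.5 Recipient OK")
            elif recipient_filtering:
                # Reject during the session: the remote MTA sees the failure
                # itself, so we never send an NDR to a possibly forged sender.
                delay += tarpit_seconds
                replies.append("550 5.1.1 User unknown")
            else:
                # Accept now, discover the missing mailbox later, bounce later.
                unknown.append(rcpt)
                replies.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            # Message body is elided in this simulation; queuing triggers NDRs
            # for every recipient that was accepted but does not exist.
            replies.append("354 Start mail input")
            ndrs.extend((sender, rcpt) for rcpt in unknown)
            replies.append("250 2.6.0 Queued")
        elif verb == "QUIT":
            replies.append("221 Bye")
    return replies, ndrs, delay
```

Running the same forged session through both policies shows one NDR addressed to the spoofed sender in the first case and none in the second.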
GPadmin

ASKER

I will look into this and see what happens, thanks