External user sending email On Behalf Of internal user

I'm a bit puzzled at how this is happening:

We have an external customer who is sending email FROM their email address, On Behalf Of one of our internal email addresses. So, for example, let's say "Nick" is the external customer, "Todd" is an internal employee, and "Greg" is an internal employee. Nick@external.com sent an email to Greg@internal.com On Behalf Of Todd@internal.com.

How in the world can Nick (being an external customer) send email to a 3rd person, on behalf of one of our internal users???

I double-checked the security tab in AD for our internal users and nothing seems out of place. We can only select from our GAL in Outlook for delegation, so I don't think the user was able to grant Nick Send On Behalf permission.

Any thoughts?
Asked by: WPI Help

Mestha Commented:
You can do that yourself.
Telnet to your server and do a regular Telnet test.
After you have put the DATA part in, enter

From: email@address

Putting another email address in there.
It will appear as on behalf of.

It is impossible. You cannot do that unless the external domain and internal domain are trusted.

Nothing to do with permissions.
This can be easily done by false SMTP headers which are interpreted by Outlook as Send on Behalf of.
When it comes to email from outside you cannot trust the From headers. You can put anything you like into them, as spammers well know.


WPI Help (Author) Commented:
Right. Those are my thoughts, but somehow this external user is sending email
From: Nick [Nick@external.com] On Behalf Of Todd@internal.com

On the incoming message header, it shows:
From: <Todd@internal.com>
Sender: "Nick" <nick@external.com>
To: <greg@internal.com>

I could send you an email that says From Steve Jobs on Behalf of Bill Gates if you like!

WPI Help (Author) Commented:
I understand how spoofing works, I just find it REALLY hard to believe that a VP of construction is messing with SMTP headers.

I was explaining how it could be done. However that isn't to say that whatever email client is being used at the other end will create an email message that does the same thing.
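
The From/Sender header pair quoted in the thread is something a mail administrator can check for mechanically on inbound mail. The following is an added example, not part of the original thread: the function names, the return labels and the `INTERNAL_DOMAINS` list are assumptions, and the sample message is constructed from the header values quoted above. It looks only at the header pair, not at the SMTP envelope.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"internal.com"}  # assumption: the domains you accept mail for

# Constructed sample built from the header values quoted in the thread.
SAMPLE = """\
From: <Todd@internal.com>
Sender: "Nick" <nick@external.com>
To: <greg@internal.com>
Subject: constructed example

body
"""

def _addrs(msg, header):
    """Return lower-cased addresses from every instance of a header."""
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def _domain(addr):
    return addr.rpartition("@")[2]

def check_on_behalf_of(raw, internal=INTERNAL_DOMAINS):
    """Classify a message by its From/Sender header pair.

    Returns one of:
      'no-sender'            no Sender header, or Sender matches From
      'on-behalf-of'         Sender differs from From
      'external-as-internal' external Sender paired with an internal From
    """
    msg = message_from_string(raw)
    from_addrs = _addrs(msg, "From")
    sender_addrs = _addrs(msg, "Sender")
    if not sender_addrs or set(sender_addrs) <= set(from_addrs):
        return "no-sender"
    from_internal = any(_domain(a) in internal for a in from_addrs)
    sender_external = any(_domain(a) not in internal for a in sender_addrs)
    if from_internal and sender_external:
        return "external-as-internal"
    return "on-behalf-of"

if __name__ == "__main__":
    print(check_on_behalf_of(SAMPLE))
```

A message classified as `external-as-internal` is the case described in the question: no permission was granted in AD, the sending side simply supplied both headers.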

Question has a verified solution.
