Solved

Stopping malicious email sent from inside domain to outside using all-in-one server (HT-CAS-MBX) connected through non-Windows smarthost

Posted on 2009-04-23
Last Modified: 2013-11-30
Hi All,

When I do a simple telnet test to my mail server, I just realized that it allows me to send email in scenarios like these:

from inside to outside: bill.gates@microsoft.com to myemail@live.com
from inside to inside: ceo@mydomain.com to myemail@domain.com (while sending a fake pay rise email to myself :-| )

How do I make the send connector more secure so that it does not allow those attacks?

Any idea would be appreciated.

Thanks,
Question by:jjoz
9 Comments
 
LVL 7

Assisted Solution

by:Rammestein
Rammestein earned 400 total points
ID: 24222065
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 1200 total points
ID: 24223547
Check the Exchange 2007 section.

http://www.amset.info/exchange/smtp-openrelay.asp

Rajith.
LVL 24

Assisted Solution

by:Rajith Enchiparambil
Rajith Enchiparambil earned 1200 total points
ID: 24223555
Alternatively, you can see whether your email server is an open relay by using this website.

http://www.mxtoolbox.com/diagnostic.aspx
LVL 1

Author Comment

by:jjoz
ID: 24224355
Rajith, thanks for the reply

From the test I've found that the reverse DNS is not correct:

Reverse DNS FAILED!  This is a problem.

Is there a way to fix this?
LVL 1

Author Comment

by:jjoz
ID: 24224420
To Rammestein,

When I query the send queue using get-message I've found that the
MessageSourceName =  SMTP:Receive Connector
SourceIP = My Own Smarthost IP

I've created an SPF record for this cause, and for the SMTP authentication (Receive connector authentication)
  1. Transport Layer Security
  2. Basic Authentication
  3. Exchange Server authentication
  4. Integrated Windows authentication
  5. Externally Secured (for example, with IPsec).
all of them are left unchecked.

I wonder what I should enable / check on the EMC | Server Configuration | Hub Transport | Receive Connectors, on both the Authentication and Permission Groups tabs?
LVL 65

Assisted Solution

by:Mestha
Mestha earned 400 total points
ID: 24225791
You cannot stop someone sending an email with a From address of anything they like to another address inside the network. If you could, then you would be able to stop spam in its tracks.

However, the first scenario, sending email from one address not on your network to another address not on your network, should not be happening. That would indicate that your server is an open relay. It is quite hard to make the server into an open relay, so do ensure that the check you have done actually does deliver the email.

Reverse DNS would have nothing to do with it, so that isn't a fix, but is something that you should check.

Simon.
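An added audit script for the open-relay check Simon describes; it is not code from any of the posters. It lists each Receive connector on the Hub Transport server and flags any allow grant of the ms-Exch-SMTP-Accept-Any-Recipient extended right, which is what lets a sender relay to outside addresses in Exchange 2007 (the Anonymous Users permission group on its own does not). It assumes it is run from the Exchange Management Shell on the HT server.

```powershell
# Added audit script, not from the thread. Enumerates Receive connectors on this
# Hub Transport server and reports which identities hold the relay right.
# Written for the PowerShell 1.0 that Exchange 2007 ships with (no -join).
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"

foreach ($rc in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    Write-Host ("Connector: {0}" -f $rc.Name)
    Write-Host ("  Bindings: {0}   Remote IP ranges: {1}" -f "$($rc.Bindings)", "$($rc.RemoteIPRanges)")
    Write-Host ("  Permission groups: {0}" -f "$($rc.PermissionGroups)")

    # Every allow ACE on the connector that carries the relay right
    $grants = $rc | Get-ADPermission | Where-Object {
        ($_.ExtendedRights -like $relayRight) -and (-not $_.Deny)
    }
    if (-not $grants) {
        Write-Host "  Relay right: not granted (expected for the Default and Client connectors)"
        continue
    }
    foreach ($g in $grants) {
        if ("$($g.User)" -match "ANONYMOUS") {
            # Anonymous relay is only defensible when RemoteIPRanges is limited to the
            # hosts that must relay through you (e.g. the smarthost), never the whole Internet.
            Write-Host ("  OPEN RELAY RISK: {0} holds {1}; verify RemoteIPRanges is restricted" -f $g.User, $relayRight)
        } else {
            Write-Host ("  Relay granted to {0} (authenticated identity)" -f $g.User)
        }
    }
}
```

A server whose only connectors print "not granted" will refuse the outside-to-outside RCPT TO in the original telnet test with a relay-denied response; a connector listed as OPEN RELAY RISK with RemoteIPRanges covering 0.0.0.0-255.255.255.255 is the configuration Simon is warning about.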
LVL 1

Author Comment

by:jjoz
ID: 24235432
OK,

I just realized that using a transport rule is so powerful for stopping mail relay attacks;
see the attached rule that I've just created:

Cheers.


Internal SPAM prevention
 
 
Rule Comments: Spam relay attack rule.
 
Apply rule to messages
from users Outside the organization
   and sent to users Outside the organization
log an event with Spam Relay attack !
   and prepend the subject with [SPAM]: 
   and redirect the message to Administrator
#################################################
Summary: 1 item(s). 1 succeeded, 0 failed. 
Elapsed time: 00:00:00
 
 
Internal SPAM prevention
Completed
 
Exchange Management Shell command completed:
set-TransportRule -Name 'Internal SPAM prevention' -Comments 'Spam relay attack rule.' -Conditions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SentToScopePredicate' -Actions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.LogEventAction','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.PrependSubjectAction','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.RedirectMessageAction' -Exceptions  -Identity 'Internal SPAM'
 
Elapsed Time: 00:00:00

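The same "Internal SPAM prevention" rule built from Exchange 2007's transport rule predicate and action objects, so it can live in a script rather than be clicked together in the EMC; this is an added example, not the command jjoz ran. The property names (Scope, EventMessage, Prefix, Addresses) are those of the Exchange 2007 objects as I know them; confirm them on your server with Get-TransportRulePredicate | fl and Get-TransportRuleAction | fl before relying on this, and "Administrator" is assumed to be the redirect mailbox.

```powershell
# Added example, not from the thread: recreate the rule shown in the EMC output above.
# Conditions: sender outside the organization AND recipient outside the organization.
$fromOutside = Get-TransportRulePredicate FromScope
$fromOutside.Scope = "NotInOrganization"
$toOutside = Get-TransportRulePredicate SentToScope
$toOutside.Scope = "NotInOrganization"

# Actions: log an event, tag the subject, redirect to the Administrator mailbox (assumed name).
$logIt = Get-TransportRuleAction LogEvent
$logIt.EventMessage = "Spam Relay attack !"
$tagIt = Get-TransportRuleAction PrependSubject
$tagIt.Prefix = "[SPAM]: "
$redirectIt = Get-TransportRuleAction RedirectMessage
$redirectIt.Addresses = @((Get-Mailbox "Administrator"))

New-TransportRule -Name "Internal SPAM prevention" `
    -Comments "Spam relay attack rule." `
    -Conditions @($fromOutside, $toOutside) `
    -Actions @($logIt, $tagIt, $redirectIt) `
    -Enabled $true

# Read back what was stored: both conditions should show Scope = NotInOrganization.
Get-TransportRule "Internal SPAM prevention" | Format-List Name, Conditions, Actions, Enabled
```

Note that this rule only acts on mail the Hub Transport has already accepted; as Simon's reply points out, the relay itself is decided by the Receive connector permissions, so the rule is a safety net for logging and diversion rather than the fix.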
LVL 7

Assisted Solution

by:Rammestein
Rammestein earned 400 total points
ID: 24238412
LVL 1

Author Closing Comment

by:jjoz
ID: 31574105
Thanks for your suggestions, guys!