  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1702
  • Last Modified:

Internal domain spoofing

Hello,
We are having a problem with email spoofs that are coming from addresses that do not exist but are using our domain.  For example we are getting 'fakeemail@abc.com' being sent to 'legitemail@abc.com'.  All of my spam filters are on and we are using Trend Scanmail.  Anything I can configure in Exchange to stop these?  We are using Exchange 2007 SP1.
Thanks,
0
pphilippides
1 Solution
 
Alan HardistyCommented:
Has your domain got an SPF record set up?
http://www.mxtoolbox.com/spf.aspx
If not, please set one up by following this wizard and adding a TXT record to your domain's DNS records:
http://old.openspf.org/wizard.html 
Are you using Sender ID filtering to filter your mail?
http://technet.microsoft.com/en-us/magazine/2006.12.sidf.aspx?pr=blog
http://technet.microsoft.com/en-us/library/bb123557(EXCHG.80).aspx 
0
 
pphilippidesAuthor Commented:
Hi alanhardisty,
Thanks for the response.
I used the Microsoft wizard to create an SPF record already
We are using Sender ID filtering currently but it hasn't helped
0
 
Alan HardistyCommented:
If you have an SPF record and are performing Sender ID filtering, then it is not working properly, or your SPF record is set up incorrectly!
Have you got Exchange 2007 SP1 Rollup 9 Installed, or Exchange 2007 Service Pack 2 yet?  Always pays to be up-to-date.
Are you using a Small Business Server?
If you are up-to-date and you have setup your SPF record properly, I would recommend you seriously consider installing a trial of Vamsoft ORF ($239 per server) 4Mb in size, very powerful and great at getting rid of spam, including this type of spam - www.vamsoft.com.
0
 
pphilippidesAuthor Commented:
Ok I just ran the wizard from the site you sent - I believe it may be this that is causing it? Here is what I have:

v=spf1 mx ptr mx:ex01.mydomain.com ip4:123.34.456.789 -all

According to the wizard the ptr in the record will allow messages from any senders with our domain name?

We are a little behind on the updates though but I don't think the ID filtering ever worked - in any case we are going to schedule updates soon

This software looks interesting. You have used it yourself? Can it coexist with other Antispam programs, for example Trend Micro Scanmail?
0
 
Alan HardistyCommented:
Yes, the PTR is not a good item to have in your SPF record, so please get rid of it.
You can test your spf record here:
http://www.kitterman.com/spf/validate.html 
0
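Added example, not from this thread and not Microsoft's or Vamsoft's code: a small offline SPF record linter that catches the two problems discussed above (the `ptr` mechanism the wizard inserted and a malformed `ip4` entry) before the record is published, plus the other checks a validator like the Kitterman one performs syntactically: a missing or permissive `all`, unknown mechanisms and more than ten DNS-lookup terms. The first record is the one pasted in the thread (with `mydomain.com`); the remaining sample records are constructed. No DNS queries are made.

```python
"""Minimal SPF (RFC 7208) record linter. Added illustration; parses the record
text offline and reports findings as (code, message) pairs."""
import ipaddress

# Mechanisms defined in RFC 7208 section 5.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost a DNS lookup at evaluation time; RFC 7208 s4.6.4 allows at most 10.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def parse_term(tok):
    """Split one SPF term into (qualifier, name, argument, is_modifier)."""
    qualifier = "+"                      # default qualifier is Pass
    if tok[0] in "+-~?":
        qualifier, tok = tok[0], tok[1:]
    if "=" in tok:                       # modifier, e.g. redirect=example.net
        name, arg = tok.split("=", 1)
        return qualifier, name.lower(), arg, True
    name, sep, arg = tok.partition(":")
    if not sep and "/" in name:          # bare mechanism with CIDR, e.g. mx/24
        name, _, cidr = name.partition("/")
        arg = "/" + cidr
    return qualifier, name.lower(), arg, False


def parse_spf(record):
    """Return the list of parsed terms; reject text that is not an SPF record."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    return [parse_term(tok) for tok in parts[1:]]


def check_ip(arg, version):
    """True if arg is a valid address or CIDR range of the given IP version."""
    try:
        return ipaddress.ip_network(arg, strict=False).version == version
    except ValueError:
        return False


def lint_spf(record):
    """Lint an SPF record and return a list of (code, message) findings."""
    findings = []
    lookups = 0
    all_seen = False
    for qual, name, arg, is_modifier in parse_spf(record):
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        if is_modifier:
            continue                     # exp= / redirect= need no further checks here
        if name not in MECHANISMS:
            findings.append(("UNKNOWN", f"unknown mechanism '{name}'"))
        elif name == "ptr":
            findings.append(("PTR", "ptr mechanism is deprecated (RFC 7208 s5.5); "
                                    "it is slow, unreliable and should be removed"))
        elif name == "ip4" and not check_ip(arg, 4):
            findings.append(("BAD_IP4", f"ip4:{arg} is not a valid IPv4 address or CIDR range"))
        elif name == "ip6" and not check_ip(arg, 6):
            findings.append(("BAD_IP6", f"ip6:{arg} is not a valid IPv6 address or CIDR range"))
        elif name == "all":
            all_seen = True
            if qual in "+?":
                findings.append(("PERMISSIVE_ALL", f"'{qual}all' lets any host send for the "
                                                   "domain; use -all (or ~all while testing)"))
    if not all_seen:
        findings.append(("NO_ALL", "no 'all' term: unmatched senders get Neutral; add -all"))
    if lookups > LOOKUP_LIMIT:
        findings.append(("LOOKUP_LIMIT", f"{lookups} DNS-lookup terms exceed the limit of "
                                         f"{LOOKUP_LIMIT}; receivers return PermError"))
    return findings


if __name__ == "__main__":
    # Record from the thread (mydomain.com placeholder kept as posted).
    for code, msg in lint_spf("v=spf1 mx ptr mx:ex01.mydomain.com ip4:123.34.456.789 -all"):
        print(f"{code}: {msg}")
```

Running it on the thread's record reports `PTR` and `BAD_IP4` (the last two octets exceed 255), which is what the validator would have shown; after removing `ptr` and correcting the address, a record such as `v=spf1 mx ip4:203.0.113.0/24 -all` passes clean.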
 
Alan HardistyCommented:
In terms of Vamsoft - Yes I do use it and it is (IMHO) brilliant.  It should not be used in conjunction with any other software.
0
 
pphilippidesAuthor Commented:
Thanks, I will try removing the ptr and will look into the Vamsoft solution.

Cheers
0
 
Alan HardistyCommented:
If you get stuck with Vamsoft, please let me know.
0
 
pphilippidesAuthor Commented:
Hi alanhardisty,

I am preparing to install ORF on our Exchange 2007 server - any tips for migrating over from another Anti-Spam software?  I know there is an initial configuration wizard upon first install but I would like to configure ORF alongside our current Anti-Spam software (with the services disabled) and then bring up ORF and the other solution down.  Is this possible?

Thanks,
Phil
0
 
Alan HardistyCommented:
Hi Phil,
You can install Vamsoft alongside your current system as far as I am aware.  Once installed, it has to be configured and you can just set it up to log, not actually reject.  Then when you are ready to turn it on, you disable the test option and disable the other and you should be okay.
I have not actually tried this so cannot confirm one way or another, but I would think it was possible.
EE has a Vamsoft Employee as an Expert, so he may be able to advise better.  If only I could remember his name!
I'll do some digging.
 
0
 
Alan HardistyCommented:
0
 
pphilippidesAuthor Commented:
Thanks alanhardisty, if I run into trouble, I will post a question on one of his threads.  I appreciate all of your help!
0
 
pphilippidesAuthor Commented:
Hi alanhardisty,
In the documentation it says to only use 3 -5 DNS blacklists - are there any blacklists you have been more successful with?  So far I find the configuration quite straight-forward, but any tips you have configuration-wise?
Thanks a bunch,
Philip
0
 
pphilippidesAuthor Commented:
Oh actually I just found the statistics link on the Vamsoft website - guess I will just choose the top 3 for now...
0
 
Alan HardistyCommented:
Barracuda works very well for me.
0
 
pphilippidesAuthor Commented:
Ok great, any other configuration options you found useful that are not set up by default?  I am trying to wrap my head around running this in logging mode, as if I run it alongside of my current Anti-Spam solution, most spam will be stripped before ORF gets the chance.  On the other hand, if I disable my current solution and enable ORF, we may get killed with spam... any suggestions or should I maybe contact the ORF expert you recommended?
Thanks
0
 
Alan HardistyCommented:
To be honest - I would just go with ORF.  I stripped out my Symantec Mail Security, went straight to Vamsoft and have never looked back.
Every server's spam load is different so what works for me may not work for you.
I am using pretty much every test except DNS Whitelist, Recipient Blacklist, Attachment Filtering and External Agents.  I did setup a custom Country Blacklist too as the only mail I get from places like Brazil, Czech Republic, China etc are spam, so that list blocks all mail from my chosen countries regardless.
Honeypots have also been setup (once I reviewed the logs for Invalid recipients and determined the addresses constantly being tried).  For a new customer with 1 email address, I setup about 30 Honeypot addresses.  In the last month, I have stopped 100,915 emails via the HoneyPot list out of 109,547 emails, just for this customer!
0
 
pphilippidesAuthor Commented:
Just a quick question, am I pointing ORF to my internal DNS servers or my external facing DNS servers? Right now we have recursive lookups disabled on the external DNS servers due to security so I am not certain how this is going to work...
0
 
Alan HardistyCommented:
Point them to your internal ones.  Your internal ones will (should) forward to the external ones.
0
 
pphilippidesAuthor Commented:
Ok that's what I thought - thanks!
0
 
Alan HardistyCommented:
No probs.
0
 
pphilippidesAuthor Commented:
I just wanted to say, we have implemented ORF and it is fantastic!  Our spam went from an average of 20 a day for some users to 0.  Thanks a lot for your help!

I am just wondering, in your experience do you use the Exchange spam filters in addition to ORF?  I am finding that a lot of false positives are being generated from the Exchange filters and I am considering turning them off.
0
 
Alan HardistyCommented:
Personally I noticed a similar drop thanks to ORF.  Gotta love it!
I have not used any Exchange anti-spam filters and rely solely on ORF as it does a darned good job on its own.  Sure, there are a few complaints that mail is not getting through, but they are from people whose mailservers are not setup properly, are blacklisted or don't have their DNS / SPF etc configured correctly.  My solution is to advise them what the problem is (they will get this in the rejection message too - but most people don't read those) and ask them to correct it, then the mail will sail through.
$239 well spent?  I think so.
0
 
pphilippidesAuthor Commented:
Hmm I think I will try disabling them for a time then and see what happens.  I think they have given us more grief than anything.

It's almost a lose-lose battle with spam isn't it?  On one hand if you are letting too much spam in but all legitimate email is getting through, you get complaints.  On the other hand, you tighten up your security and the occasional email getting stripped becomes a big issue... Email Administration = Headache!!

$2399 would have even been worth it!  Just don't tell them though :P
0
 
Alan HardistyCommented:
Yes - spam is a pain in the butt.  Reject a mail and people complain, allow spam through and people complain.
Had a customer who complained about an email getting rejected, so he asked if his account could not be spam filtered.  I checked to make sure he had not been recently released from hospital and then opened up his account.  The next day I got another phone call and his spam settings were put back on again!
It's a cat and mouse game and one that has no end in sight.
I'll keep your last comment quiet ;-)
 
0
