
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1526

Email Spoofing Exchange 2010

Hi All,

Currently I am experiencing major issues with SPAM, or rather email spoofing, and I have spent numerous hours googling potential resolutions to this issue to no avail.

So far I have tried enabling the Sender ID on the edge transport server,
creating an SPF record for the affected domain,
installing and running GFI MailEssentials on the Exchange 2010 server, and
disabling anonymous access / closing the open relay, even though MX Toolbox advised that our server wasn't an open relay.

I don't know what else I can do with this one and hoping you EE geniuses can assist further.

Any advice or tips on how to combat this spoofing would be greatly appreciated.

Thanks in advance.
4 Solutions
I encountered the problem last week. In my case it seems that a sender from outside (214.x.x.x) connected directly to our Exchange server. So I would like to advise you:

1. Use the message tracking log to identify the sender IP addresses and with which "Receive Connector" the email authenticated.

2. Check the SMTP Receive log (C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive) to verify the SMTP session occurred.

3. If you have anti-spam (mail gateway), temporarily block the spam mail.

4. Identify whether port 25 is open at your firewall (my case).

5. To check for open relay use this: http://mxtoolbox.com/diagnostic.aspx

6. To check for blacklisting: http://mxtoolbox.com/blacklists.aspx
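To make steps 1 and 2 concrete, here is an added example (not from the answer above, and not an Exchange tool) that parses an Exchange 2010 SmtpReceive protocol log and lists sessions from non-internal IPs whose envelope sender claims your own domain, together with the Receive Connector that accepted them. The log sample, IP addresses, server name and the contoso.com domain are constructed; IPv4 endpoints and the standard `#Fields:` header are assumed.

```python
import csv
import ipaddress
import re

# Constructed sample of an Exchange 2010 SmtpReceive protocol log; it uses the
# real column layout, but the IPs, server name, session ids and domain are made up.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-03-04T09:12:01.000Z,EXCH01\\Default EXCH01,08CFE5A1,0,10.0.0.5:25,214.1.2.3:50213,+,,
2013-03-04T09:12:01.120Z,EXCH01\\Default EXCH01,08CFE5A1,1,10.0.0.5:25,214.1.2.3:50213,<,EHLO mail.example.net,
2013-03-04T09:12:01.300Z,EXCH01\\Default EXCH01,08CFE5A1,2,10.0.0.5:25,214.1.2.3:50213,<,MAIL FROM:<ceo@contoso.com>,
2013-03-04T09:12:01.400Z,EXCH01\\Default EXCH01,08CFE5A1,3,10.0.0.5:25,214.1.2.3:50213,<,RCPT TO:<finance@contoso.com>,
2013-03-04T09:13:10.200Z,EXCH01\\Client EXCH01,08CFE5A2,1,10.0.0.5:587,10.0.1.44:49152,<,MAIL FROM:<alice@contoso.com>,
2013-03-04T09:14:00.200Z,EXCH01\\Default EXCH01,08CFE5A3,1,10.0.0.5:25,198.51.100.7:41000,<,MAIL FROM:<vendor@example.org>,
"""

# Captures the domain part of the envelope sender, e.g. "contoso.com" from
# "MAIL FROM:<ceo@contoso.com> SIZE=1024".
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?:[^@>]*@)?([^>]*)>", re.IGNORECASE)


def find_spoofed_sessions(log_text, own_domain, internal_nets):
    """Return {session-id: (remote IP, connector-id)} for SMTP sessions that
    came from outside internal_nets yet claimed an envelope sender in own_domain.

    Those are the direct-to-Exchange spoofing attempts described in the answer;
    connector-id shows which Receive Connector accepted the session."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    fields, hits = None, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        m = MAIL_FROM.match(row["data"])
        if not m or m.group(1).lower() != own_domain.lower():
            continue
        # remote-endpoint is "ip:port" (IPv4 assumed here); drop the port.
        ip = ipaddress.ip_address(row["remote-endpoint"].rsplit(":", 1)[0])
        if any(ip in n for n in nets):
            continue  # internal clients submitting as the own domain are expected
        hits[row["session-id"]] = (str(ip), row["connector-id"])
    return hits


if __name__ == "__main__":
    for sid, (ip, conn) in find_spoofed_sessions(SAMPLE_LOG, "contoso.com", ["10.0.0.0/8"]).items():
        print(f"session {sid}: {ip} claimed contoso.com via connector '{conn}'")
```

Point it at a real SmtpReceive log file by reading the file into `log_text`; sessions listed on the "Default" connector from outside IPs are the ones to cross-check in the message tracking log.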
Alan Hardisty commented:
Please describe the problem more (not what you have tried) and then we might be able to help you.

What exactly is the problem?

Please also describe your email delivery path e.g., internet -> Firewall -> Exchange Server or

Internet -> 3rd Party Spam Filtering Service -> Firewall -> Exchange Server

Many thanks

Neil Russell, Technical Development Lead, commented:
As Alan says, we really need more info on what the actual issue is.

When you talk about email spoofing, are you talking about email that is received by your own internal staff on your domain seeming to originate from other email addresses inside your domain but you know did not?
Are you talking about emails received by OUTSIDE organisations that appear to come from inside your organisation but you are sure did not?

The track to take is very very different depending on your problem.

Svet Paperov, IT Manager, commented:
Use an external, hosted filtering solution instead of one on your local servers. It will eliminate most of the junk before it even reaches your system.

I had a similar issue a couple of years ago and I fixed it by redirecting all incoming e-mail via Google Postini Services. I don't want to make free ads for them, but it was very simple to set up and works perfectly well almost all of the time (some short periods of passing new spam before self-adjusting). If you are familiar with GFI, they also have a hosted anti-spam.

Before, 95% of the incoming messages were spam and I had to constantly adjust the filters on our mail server to keep the users from getting too frustrated with the spam. Now, everybody is happy. For the price of those solutions ($1 a month per user) it's worth it.
If the legitimate traffic on the server isn't too busy, maybe turn on reverse DNS lookups on the Edge servers and prevent spoofing of the internal domain.

Ref: http://technet.microsoft.com/en-us/library/bb124512.aspx
Adma1 (Author) commented:
Spoofing seemed to decrease after creating the SPF records. I am in the process of evaluating Google Postini as an extra measure.
Svet Paperov, IT Manager, commented:
I will have to revise my recommendation about Google Postini. They just announced some coming changes and a migration towards Google business apps that we don't like, and we will have to find a new provider. They are dumping the quarantine web management tool for the end user and the spooler.
