Email Spoofing Exchange 2010

Posted on 2012-09-03
Last Modified: 2012-10-16
Hi All,

Currently I am experiencing major issues with SPAM or email spoofing rather, and I have spent numerous hours googling potential resolutions to this issue to no avail.

So far I have tried enabling the Sender ID on the edge transport server
creating SPF record for the affected domain
Installed and running GFI mail essentials on the Exchange 2010 server.
Disabled anonymous access/ closing the open relay even though MX toolbox advised that our server wasn't open relay.

I don't know what else I can do with this one and hoping you EE geniuses can assist further.

Any advice or tips on how to combat this spoofing would be greatly appreciated.

Thanks in advance.
Question by:Adma1
    LVL 18

    Assisted Solution

    I encountered the problem last week. In my case it seems that a sender from outside (214.x.x.x) connected directly to our Exchange server. So I would like to advise you:

    1. Use the message tracking log to identify the sender ID IP addresses and which "Receive Connector" the email authenticated with.

    2. Check the SMTP Receive log (C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive) to verify the SMTP session occurred.

    3. If you have anti-spam (mail gateway), temporarily block the spam mail.

    4. Identify whether port 25 is open at your firewall (my case).

    5. To check for open relay use this:

    6. To check for black list:
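An added example, not part of the answer above or of any Exchange tooling: steps 1 and 2 as a script over the SmtpReceive protocol log, listing sessions where a host outside your own networks used one of your domains in MAIL FROM, together with the receive connector that accepted it. The log lines, domain, connector names and network ranges are constructed placeholders, and the column names are assumed to match the log's own #Fields header as shown in the sample.

```python
import csv
import ipaddress

# Constructed sample in the SmtpReceive protocol-log layout
# (placeholder hosts, connectors and addresses; not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-09-03T08:15:01.120Z,EX01\\Default EX01,08CF5A0000000001,0,10.0.0.5:25,203.0.113.45:51522,+,,
2012-09-03T08:15:01.500Z,EX01\\Default EX01,08CF5A0000000001,5,10.0.0.5:25,203.0.113.45:51522,<,MAIL FROM:<ceo@example.com>,
2012-09-03T08:15:01.700Z,EX01\\Default EX01,08CF5A0000000001,7,10.0.0.5:25,203.0.113.45:51522,<,RCPT TO:<staff@example.com>,
2012-09-03T08:16:10.000Z,EX01\\Client EX01,08CF5A0000000002,4,10.0.0.5:587,10.0.0.77:49800,<,MAIL FROM:<alice@example.com>,
2012-09-03T08:17:30.000Z,EX01\\Default EX01,08CF5A0000000003,5,10.0.0.5:25,198.51.100.9:40110,<,MAIL FROM:<news@partner.test> SIZE=2048,
"""


def find_spoofed_sessions(log_text, own_domains, trusted_networks):
    """Return MAIL FROM events that claim an own domain from an untrusted IP."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    domains = {d.lower() for d in own_domains}
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log header, not from a hard-coded index.
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        data = row.get("data", "")
        # "<" marks a command received from the remote host.
        if row.get("event") != "<" or not data.upper().startswith("MAIL FROM:"):
            continue
        sender = data[len("MAIL FROM:"):].split(">")[0].strip(" <").lower()
        host = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
        remote_ip = ipaddress.ip_address(host)
        external = not any(remote_ip in net for net in trusted)
        if external and sender.rpartition("@")[2] in domains:
            hits.append({"time": row["date-time"], "connector": row["connector-id"],
                         "session": row["session-id"], "remote_ip": str(remote_ip),
                         "sender": sender})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_sessions(SAMPLE_LOG, ["example.com"], ["10.0.0.0/8"]):
        print(hit)
```

Legitimate external relays that send as your domain (a hosted filtering service, for example) belong in `trusted_networks`, otherwise they show up as hits.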
    LVL 76

    Expert Comment

    by:Alan Hardisty
    Please describe the problem more (not what you have tried) and then we might be able to help you.

    What exactly is the problem?

    Please also describe your email delivery path e.g., internet -> Firewall -> Exchange Server or

    Internet -> 3rd Party Spam Filtering Service -> Firewall -> Exchange Server

    Many thanks

    LVL 37

    Expert Comment

    As Alan says, we really need more info on what the actual issue is.

    When you talk about email spoofing, are you talking about email that is received by your own internal staff on your domain seeming to originate from other email addresses inside your domain but you know did not?
    Are you talking about emails received by OUTSIDE organisations that appear to come from inside your organisation but you are sure did not?

    The track to take is very very different depending on your problem.
    LVL 19

    Assisted Solution

    by:Miguel Angel Perez Muñoz
    LVL 20

    Assisted Solution

    by:Svet Paperov
    Use an external, hosted filtering solution instead of one on your local servers. It will eliminate most of the junk before it even reaches your system.

    I had a similar issue a couple of years ago and I fixed it by redirecting all incoming e-mail via Google Postini Services. I don't want to make free ads for them but it was very simple to set it up and works perfectly well almost all of the time (some short periods of passing new spam before self-adjusting). If you are familiar with GFI they also have a hosted anti-spam.

    Before, 95% of the incoming messages were spam and I had to constantly adjust the filters on our mail server to keep the users not very frustrated with the spam. Now, everybody is happy. For the price of those solutions (1$ a month per user) it's worth it.
    LVL 3

    Expert Comment

    If the legitimate traffic on the server isn't too busy, maybe turn on reverse DNS lookups on the Edge servers, prevent spoofing on the internal domain.


    Author Comment

    Spoofing seemed to decrease after creating the SPF records. I am in the process of evaluating Google Postini as an extra measure.
    LVL 20

    Accepted Solution

    I will have to revise my recommendation about Google Postini. They just announced some coming changes and migration towards Google business apps that we don't like and we will have to find a new provider. They are dumping the quarantine web management tool for the end user and the spooler.
