Prevent spoofing of internal domain

Posted on 2014-10-05
Last Modified: 2016-06-14
Is there anything internally on the Exchange side that I can do to prevent the spoofing of our internal mail domain.  We have been getting some emails appearing to come form internal users to other internal users.  Upon inspection of the suspicion email the mail from looks legitimate but the but the actually reply address and return path are external internet addresses.

Is there a setting on the receive connector I can use to prevent this?  Should annoymous but allowed or disallowed on the receive connectors for example?
Question by:georgedschneider
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Expert Comment

ID: 40362077
You want to be careful not to remove anonymous from all of your receive connectors lest you stop getting any outside mail at all. What you probably want to do is make sure you have set up an SPF record for your domain and have some type of anti-spam solution in place. This article right from this site should help.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40362364
What are you using for message hygiene? A lot of appliances and cloud providers will reject any messages claiming to be from the internal domain but coming from an external source.

As Tshearon pointed out an SPF record can help as well.

Author Comment

ID: 40364352
Couldn't you use something similar to the following which will remove rights to the anonymous user on the the receive connector to prevent spoofing of the internal domain coming form the outside:

Get-ReceiveConnector “Inbound Email” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!


Author Comment

ID: 40364366
To answer the previous question I'm using Exchange Online Protection for message hygiene currently.
LVL 31

Accepted Solution

Gareth Gudger earned 500 total points
ID: 40364371
Get-ReceiveConnector “Inbound Email” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

I have seen this documented a lot out there but never used it. The big question is why is Exchange Online Protection allowing the domain spoofing through. Never seen that on any of my EOP clients. Have you placed a ticket with EOP?

Also, make sure you are only accepting mail from EOPs IPs.

Author Comment

ID: 40374006
Let me reach out to EOP to see why this got past.  I agree this shouldn't have happened.

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
This video discusses moving either the default database or any database to a new volume.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to:…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question