rpmahony
Outlook For Mac 2011 Spoof From Address

I discovered something disconcerting after one of those "Oops" moments.  UserA was replying to an email and accidentally changed the From field to UserB before clicking Send.  A funny thing happened...  the message was sent, apparently from UserB.  The problem?  UserA does NOT have Send as or full access to UserB's mailbox, only read access to the calendar folder (which is why Outlook for Mac decided to put the name in the drop-down list for the From field, apparently).  When I look at the message header, here's what I see:

From: User Bravo (userb@domain.com)
Sender: User Alpha (usera@domain.com)

What the ....?  So Outlook for Mac will allow the message to be sent with a "spoofed" sender in the From field and Exchange 2010 will deliver it?!

Has anyone encountered this obvious flaw and is there a fix that I'm missing?  My Google Fu is weak today as I can't figure out the right search terms to find this one.

Thanks in advance.
Rusty
Guy Lidbetter

I am assuming if they have calendar management they may also have "Send on Behalf of" rights...

Outlook for Mac does not decide whether a mail can be sent or not, that's Exchange's job. If UserA is not allowed to send, they would get an NDR once the mail was picked up in the queue. Have another look at the mailbox permissions and make sure that "Send on Behalf of" isn't set.

regards

Guy
rpmahony (ASKER)

Send on behalf is blank in EMC for UserB.  I tested with my account as UserC and UserD and was also able to send the message.  Again, I don't have access to UserD's mailbox other than read-only on the Calendar.  I checked Send on behalf and UserD has no one configured.  I'm almost certain neither UserB nor UserD has any delegates set up (because neither of them asked me how to configure delegates).  I'm stumped thus far...

Thanks for the input, Guy.

No problems :-)

Run "get-mailboxpermission UserB" and see if there are any odd accounts or groups listed with access rights in there.
Ah.  Could this be the culprit?

RunspaceId      : 8e9a5bdb-d572-4738-95be-b428a1988f4e
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Company/User Bravo
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

Both UserA and I were members of Domain Admins.  I have removed UserA from the group and will test in a few.  Is the above a default permission with Ex2010?  Is it necessary when all of the Exchange security groups are assigned similar permissions as well?  I don't recall adding this setting but my predecessor certainly may have...
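As an added example (not code from this thread or from either participant), here is an audit script for the Exchange 2010 Management Shell that lists, per mailbox, the three routes by which someone other than the owner can read it or send from it: FullAccess mailbox rights (including inherited ones, as with the Domain Admins entry above), Send-As extended rights, and Send on Behalf. It relies on the real cmdlets Get-Mailbox, Get-MailboxPermission and Get-ADPermission; the $ExpectedPrincipals parameter and the New-Finding helper are this script's own names, not Exchange settings.

```powershell
# Audit script (added example, not from the thread) for the Exchange 2010 Management Shell.
# For each mailbox it lists the three routes by which someone other than the owner can
# read it or send from it: FullAccess mailbox rights (explicit or inherited, as with the
# Domain Admins entry above), Send-As extended rights on the AD object, and Send on Behalf.
# Read-only: it changes no permissions. Uses New-Object rather than [pscustomobject] so it
# runs under the PowerShell 2.0 that ships with Exchange 2010.
param(
    [string]$Identity = '*',                                # mailbox filter, default: all mailboxes
    [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SELF')  # assumed-normal principals to skip
)

function New-Finding($Mailbox, $Right, $Principal, $Inherited) {
    New-Object PSObject -Property @{
        Mailbox = $Mailbox; Right = $Right; Principal = $Principal; Inherited = $Inherited
    }
}

$findings = foreach ($mbx in Get-Mailbox -Identity $Identity -ResultSize Unlimited) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()

    # 1. Mailbox rights. IsInherited = True means the ACE came from higher in the AD tree,
    #    which is why the Domain Admins FullAccess entry was not visible as a delegate in EMC.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and
                       (($_.AccessRights -join ',') -match 'FullAccess') -and
                       ($ExpectedPrincipals -notcontains $_.User.ToString()) } |
        ForEach-Object { New-Finding $smtp 'FullAccess' $_.User.ToString() $_.IsInherited }

    # 2. Send-As is an Active Directory extended right, so Get-MailboxPermission does not show it.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and
                       (($_.ExtendedRights -join ',') -match 'Send-As') -and
                       ($ExpectedPrincipals -notcontains $_.User.ToString()) } |
        ForEach-Object { New-Finding $smtp 'Send-As' $_.User.ToString() $_.IsInherited }

    # 3. Send on Behalf is stored on the mailbox itself (what EMC shows as "Send on behalf").
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-Finding $smtp 'SendOnBehalf' $delegate.ToString() $false
    }
}

# Group principals deserve the closest look: every member of the group holds the right.
$findings | Sort-Object Mailbox, Right, Principal |
    Format-Table Mailbox, Right, Principal, Inherited -AutoSize
```

Run it with `-Identity UserB` to check a single mailbox, or without arguments to sweep the organization; any row whose Principal is a group, or whose Inherited column is True, is a permission that no one granted through the mailbox's own delegate settings.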
ASKER CERTIFIED SOLUTION
Guy Lidbetter

The calendar read permission was set using PowerShell, granting everyone read-only access to everyone else's calendar.  Not exactly a delegation, but would that also conform to the above?  What a wacky hierarchy IMO.
Removing UserA from the Domain Admins did indeed deny access to send as or on behalf.  After removing group membership, an attempt to change the From field resulted in Outlook throwing an "Access denied" error.

Thanks for the assist, Guy.  And thanks again EE!