Outlook For Mac 2011 Spoof From Address

I discovered something disconcerting after one of those "Oops" moments.  UserA was replying to an email and accidentally changed the From field to UserB before clicking Send.  A funny thing happened...  the message was sent, apparently from UserB.  The problem?  UserA does NOT have Send as or full access to UserB's mailbox, only read access to the calendar folder (which is why Outlook for Mac decided to put the name in the drop-down list for the From field, apparently).  When I look at the message header, here's what I see:

From: User Bravo (userb@domain.com)
Sender: User Alpha (usera@domain.com)

What the ....?  So Outlook for Mac will allow the message to be sent with a "spoofed" sender in the From field and Exchange 2010 will deliver it?!

Has anyone encountered this obvious flaw and is there a fix that I'm missing?  My Google Fu is weak today as I can't figure out the right search terms to find this one.

Thanks in advance.

Guy Lidbetter Commented:
I am assuming if they have calendar management they may also have "Send on Behalf of" rights...

Outlook for Mac does not decide whether a mail can be sent or not, that's Exchange's job. If UserA is not allowed to send, they would get an NDR once the mail was picked up in the queue. Have another look at the mailbox permissions and make sure that "Send on Behalf of" isn't set.


rpmahony (Author) Commented:
Send on behalf is blank in EMC for UserB.  I tested with my account as UserC and UserD and was also able to send the message.  Again, I don't have access to UserD's mailbox other than read-only on the Calendar.  I checked Send on behalf and UserD has no one configured.  I'm almost certain neither UserB nor UserD has any delegates set up (because neither of them asked me how to configure delegates).  I'm stumped thus far...

Thanks for the input, Guy.
Guy Lidbetter Commented:
No problems :-)

Run "get-mailboxpermission UserB" and see if there are any odd accounts or groups listed with access rights in there.

rpmahony (Author) Commented:
Ah.  Could this be the culprit?

RunspaceId      : 8e9a5bdb-d572-4738-95be-b428a1988f4e
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Company/User Bravo
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

Both UserA and myself were members of Domain Admins.  I have removed UserA from the group and will test in a few.  Is the above a default permission with Ex2010?  Is it necessary when all of the Exchange security groups are assigned similar permissions as well?  I don't recall adding this setting but my predecessor certainly may have...
Guy Lidbetter Commented:
Domain Admins have full access to the AD infrastructure\configuration partition, so it is a default permission.
This however should not give "Send As" or "Send on Behalf of" permissions. These are usually explicit... in saying that...

A Delegate of UserB, that also has "Full Access", by proxy also has "Send As" rights, and won't appear in the Send As field as a result...

You stated that UserA has read rights on the calendar, therefore is a delegate of UserB. As UserA is a Domain Admin with Full Access permissions, he'll be able to send as UserB.

rpmahony (Author) Commented:
The calendar read permission was set using PowerShell, granting everyone read-only access to everyone else's calendar.  Not exactly a delegation, but would that also conform to the above?  What a wacky hierarchy IMO.
rpmahony (Author) Commented:
Removing UserA from the Domain Admins did indeed deny access to send as or on behalf.  After removing group membership, an attempt to change the From field resulted in Outlook throwing an "Access denied" error.

Thanks for the assist, Guy.  And thanks again EE!
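
The thread checked three separate places before finding the inherited FullAccess entry for DOMAIN\Domain Admins: mailbox permissions, Send As, and Send on Behalf. As an added example (not part of the original thread), the following Exchange Management Shell sketch collects all three for one mailbox into a single report; the mailbox name UserB is the thread's placeholder, and the variable names are chosen here for illustration.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# 'UserB' is the placeholder mailbox name used in the thread.
$Mailbox = 'UserB'
$mbx = Get-Mailbox -Identity $Mailbox

# 1. Mailbox rights: every FullAccess entry, explicit or inherited.
$full = Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { $_.AccessRights -like '*FullAccess*' } |
    Select-Object @{n='Right';e={'FullAccess'}}, User, Deny, IsInherited

# 2. Active Directory extended right: Send-As on the mailbox's user object.
$sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { $_.ExtendedRights -like '*Send-As*' } |
    Select-Object @{n='Right';e={'Send-As'}}, User, Deny, IsInherited

# 3. Send on Behalf: stored on the mailbox itself, never inherited.
$behalf = @($mbx.GrantSendOnBehalfTo) |
    Where-Object { $_ } |
    Select-Object @{n='Right';e={'SendOnBehalf'}},
                  @{n='User';e={$_.ToString()}},
                  @{n='Deny';e={$false}},
                  @{n='IsInherited';e={$false}}

# Combine the three sources into one report.
$report = @($full) + @($sendAs) + @($behalf)
$report | Sort-Object Right, User | Format-Table -AutoSize

# Entries like the one found in the thread: allowed (Deny = False) and
# inherited from a parent object, so they do not show up when only the
# mailbox's own delegate settings are reviewed.
$inheritedAllow = $report | Where-Object { $_.IsInherited -and -not $_.Deny }
if ($inheritedAllow) {
    Write-Warning "Inherited allow entries on $Mailbox (check group membership):"
    $inheritedAllow | Format-Table Right, User -AutoSize
}
```

Any group listed under the warning grants its right to every member, so the membership of that group is the next thing to review.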