How to stop impersonating emails?

We use in-house Exchange 2010.
We recently have received some impersonating emails pretending to be from our CEO. The emails were sent to our Accounting (Accounts Payable), Controller, etc. asking to send money to some address or bank account. The emails have a perfect format including signature, name, greeting, receiving addresses, etc., which makes them look nearly authentic to the recipients. Our CEO has a great concern that they may contact someone at the office and get valuable information or cash without them knowing it is from an impersonator. Can you tell me how to stop them?
From the header, we can see the real sender's email address, etc. What can we do to stop them?
Castlewood asked:

William Fulks (Systems Analyst & Webmaster) commented:
This may help: http://www.packetland.net/microsoft/exchange-server/123-how-to-prevent-internal-spam-from-your-own-domain-on-exchange-2010.html

Are the spoofed messages coming from the same sender every time? If so, you may need to contact the local authorities as it may be a targeted attack against your company.

It also helps to train users how to recognize this sort of thing, as it is quite common. Your CEO should also consider updating his password and using something strong and unique with special characters, etc.

Kimputer commented:
"From the header, we can see the real sender's email address, etc."
In essence, it was a bad impersonation. Therefore, teach your departments how to check for these.
If you can't be bothered, then for each user (only in Finance, I assume) make a subfolder for the CEO, then have a filter set up to move email from the CEO to that folder. Any fakes probably won't be filtered (depends how good the impersonation is; a few sample headers would be nice), and you can tell the user to ignore CEO messages in the Inbox.
Castlewood (author) commented:
Thank you guys. I issued the following command on that article aiming to remove the subject permission:

Get-ReceiveConnector "Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Is there a command to display the permissions this "Anonymous Logon" has so I can verify the subject permission is really removed?

jhyiesla commented:
Something that we do is run all our incoming and outgoing email thru a filtering service called Mimecast. This really helps hold down on the Spam and other email issues that seem to plague everyone today.  One feature that we use is an anti spoofing feature. Since our users can't send email from our domain to our domain thru the Internet, any email that comes to us from the Internet looking like it's from us is a spoofed email and we just nuke them at the filtering service so they never get in. Having said all of that, we do have a couple of services that we subscribe to that use a spoofed email to make it look like informational messages to the users are really coming from someone in our company while they really originate from this other service. So, I have also been able to write a filter bypass for emails coming from these other companies.  It all works pretty well.
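An Exchange-native version of that anti-spoofing rule, added here as an example that is not part of jhyiesla's comment or of the filtering service he describes: a transport rule on the Hub Transport server that rejects Internet mail whose From address is in the company's own domain, with an exception list for the external services that legitimately send as the company. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later; example.com and the two vendor domains are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: example.com is the
# company's accepted domain; the two vendor domains are hypothetical.
$ruleName      = 'Reject Internet mail claiming an internal From address'
$ownDomain     = '@example\.com$'                        # regex, anchored to the end of the address
$allowedVendor = @('@mail\.vendor-one\.example$',        # hypothetical: newsletter service
                   '@notify\.vendor-two\.example$')      # hypothetical: HR portal

# FromScope NotInOrganization matches any message that was not submitted by an
# authenticated internal sender, which is exactly how spoofed Internet mail arrives.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -FromAddressMatchesPatterns $ownDomain `
    -ExceptIfFromAddressMatchesPatterns $allowedVendor `
    -RejectMessageReasonText 'Rejected: external message claimed an internal sender address' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Confirm what was created and that it is enabled.
Get-TransportRule $ruleName | Format-List Name, State, Priority, FromScope, FromAddressMatchesPatterns, ExceptIfFromAddressMatchesPatterns
```

Before switching the action to reject, run the same conditions for a week with a softer action (for example -PrependSubject '[SPOOF?] ' or -BlindCopyTo a review mailbox) to surface anonymous internal devices such as scanners and application servers that submit with an internal address; those count as NotInOrganization too and must go on the exception list or be made to authenticate. The rule only compares the address: a message from a look-alike external domain, or one that spoofs only the display name, still passes, so the user training recommended above stays necessary.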
Kimputer commented:
I'm not sure what you mean by "subject permission" and what you are trying to achieve exactly. But your command just fixes open relays, something standard Exchange servers haven't suffered from by default since somewhere after the year 2000. Open relays are used to send out spam, while your problem is about impersonation (or lack of checking the sender, from what I expect now, since you haven't given us exact details yet).
Castlewood (author) commented:
Kimputer,

I just wonder if there is a command to display all permissions for this Anonymous Logon?
Kimputer commented:
It's something default. It just means anyone can drop off email at your server (how else could you receive email?). That command only made sure it's email meant for your domain and not another one (relay).
This is a default setting, and further investigation into that particular command makes no sense.
Castlewood (author) commented:
Kimputer,

Sorry for being annoying but I just need to make sure the change has been in place. How to verify?
Kimputer commented:
Get-ReceiveConnector "Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"}

should return nothing if the previous command was successful.
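To answer the earlier question about seeing everything Anonymous Logon holds on the connector, here is an added example (not Kimputer's code and not from the linked article) that lists every access entry and extended right, then checks explicitly that ms-exch-smtp-accept-authoritative-domain-sender is no longer granted. It assumes the Exchange Management Shell on the Exchange 2010 server and the connector name used in the thread.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management
# Shell on the Exchange 2010 server and the connector name used above.
$connectorName = 'Internet ReceiveConnector'
$anon          = 'NT AUTHORITY\Anonymous Logon'
$right         = 'ms-exch-smtp-accept-authoritative-domain-sender'

# Every ACE that Anonymous Logon holds on the connector. One ACE can carry several
# extended rights, so unroll them to one line each.
$aces = Get-ReceiveConnector $connectorName | Get-ADPermission -User $anon
foreach ($ace in $aces) {
    $type = if ($ace.Deny) { 'Deny' } else { 'Allow' }
    if ($ace.AccessRights) {
        '{0,-5} inherited={1,-5} access: {2}' -f $type, $ace.IsInherited, ($ace.AccessRights -join ', ')
    }
    if ($ace.ExtendedRights) {        # guard: PowerShell 2.0 runs foreach once over $null
        foreach ($er in $ace.ExtendedRights) {
            '{0,-5} inherited={1,-5} right:  {2}' -f $type, $ace.IsInherited, $er
        }
    }
}

# Explicit check: is the right still granted (an Allow entry, not a Deny) to Anonymous Logon?
$stillGranted = $aces | Where-Object {
    -not $_.Deny -and (($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
}
if ($stillGranted) {
    Write-Warning "$right is still granted to $anon on '$connectorName'."
} else {
    Write-Host "$right is not granted to $anon on '$connectorName'."
}

# If the removal breaks a legitimate anonymous submitter (a scanner or application
# that sends with an internal address), this puts the right back:
# Get-ReceiveConnector $connectorName | Add-ADPermission -User $anon -ExtendedRights $right
```

What the removed right actually controls: with it gone, an unauthenticated SMTP session that presents an envelope sender in one of your accepted domains is refused with 550 5.7.1 "Client does not have permissions to send as this sender". That is narrower than the relay behaviour discussed above, and narrower than the original problem: a message from an external look-alike domain, or one that only spoofs the display name, is unaffected. Internal devices that relayed anonymously with an internal address will start failing; give them their own receive connector scoped to their IP addresses, or have them authenticate, rather than restoring the right on the Internet connector.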