Exchange 2010 - SPAM using organization internal addresses


Since a few days, we’re receiving SPAM with our own internal email addresses;
I guess the spammers are using an Exchange configuration which allow to send mail with internal users without authentication (MAIL FROM :

My question is quite simple: is there a way to prevent this ?

Do we got to configure that on the receive connectors properties ?
(We actually got 2: one on 25 port, another one on 465 port).

Christian KAZADIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

George KeslerCommented:
Check the message header to see if the spam does really come from your own server or just spoofed.
If spoofed, check: HOW TO: Prevent annoying spam from your own domain
If your mail server is hacked, first thing to check is How to block open SMTP relaying, but a system wide security audit would be in order.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Christian KAZADIAuthor Commented:
Thanks for the help, but it doesn't solve my problem.
I made a few test with Telnet, and the result is than everybody is able to send spoofed message to any address IN my organisation.

For example :

-> 5.7.1 Unable to relay

-> 5.7.1 Unable to relay

-> 2.6.0 Queued mail for delivery

Any mail sent to an internal user of my organization is delivered, which is as far as I know the default  comportment of SMPT servers...
Is there a way to prevent this ?
(I don't think so, because external senders cannot be authenticated)

I had a look at the spam mail header, it is spoofed : the mail comes from an external mail server, but the "from" field defined in the header is the address of one of my internal users...

I considered the solution given in the HOW-TO, but I don't know what are the consequences, will the users sending from outside of my organization (from cell phones for example) will still be able to send mails ?

Brian BEE Topic Advisor, Independant Technology ProfessionalCommented:
The message headers in the spam mail should show whether or not the messages are originating from your organization. Chances are they are not.

Most anti-spam programs/firewalls have an anti-relay setting that will reject any messages showing as being from your domain, but not from your email server.

The test for the problem you describe would be like this:
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Christian KAZADIAuthor Commented:
Thanks, but I don't agree about the test " not from your email server " => Anybody is able to do a telnet on my mail server.
But I agree, it should be from @Myorg to @Myorg, but it's would be the same result as any mail sent to an internal user is delivered (which is in fact my real problem, for witch I don't think a solutions exists. If you got one  I'm interested).

You're also right about my antispam (McAfee) : it should stop most of the incoming spoofed mails, but for a reason I don't know so far, it didn't stop these ones.

Nevertheless, I tested Georges' solution about removing the right "ms-exch-smtp-accept-authoritative-domain-sender" from anonymous logons, it works and don't seem so far to disturb other connexions.

Thanks !
Brian BEE Topic Advisor, Independant Technology ProfessionalCommented:
Just to clarify one point, your telnet tests may not be accurate if you are testing from your internal network. You may have to access an outside machine and try the same telnet tests to see how things work in a real world scenario.

If your McAfee running internally or is it a cloud service? If it is outside your network, be sure your firewall is set to only accept SMTP (port 25) from the McAfee server as no legitimate email should be coming from anywhere else.
Christian KAZADIAuthor Commented:
Not agree neither ;-)
Telnet is just a connexion on a specific port, exactly as SMTP does. If the test is done on the external (public) interface of the mail server it doesn't matter if the client is inside or outside the network I think.
It potentially could be different if McAfee run as a cloud service, but it isn't the case (I'm located in Central Africa and bandwidth doesn't allow the use of cloud services)

Finally, regarding the Firewall, 25 isn't enough ! It is configured to accept both 25 AND 465 ports (but this last one doesn't allow anonymous connexion, therefore no security issue with spoofed spam).

Thanks for your help  !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.