Exchange 2010 - SPAM using organization internal addresses

Christian KAZADI
Hi,

For a few days now we have been receiving SPAM sent with our own internal email addresses;
I guess the spammers are using an Exchange configuration which allows sending mail as internal users without authentication (MAIL FROM: user@myorg.com).

My question is quite simple: is there a way to prevent this?

Do we have to configure that in the receive connector properties?
(We actually have 2: one on port 25, another one on port 465.)

Thanks.
FB
Check the message header to see if the spam really comes from your own server or is just spoofed.
If spoofed, check: HOW TO: Prevent annoying spam from your own domain
If your mail server is hacked, the first thing to check is How to block open SMTP relaying, but a system-wide security audit would be in order.

Author

Commented:
Thanks for the help, but it doesn't solve my problem.
I made a few tests with Telnet, and the result is that everybody is able to send spoofed messages to any address IN my organisation.

For example :

MAIL FROM: anyadress@anyexternaldomain.com
RCPT TO : anyadress@otherexternaldomain.com
-> 5.7.1 Unable to relay

MAIL FROM: anyadress@MYorganisation.com
RCPT TO : anyadress@externaldomain.com
-> 5.7.1 Unable to relay

MAIL FROM: anyadress@externaldomain.com
RCPT TO : anyadress@MYorganisation.com
-> 2.6.0 Queued mail for delivery

Any mail sent to an internal user of my organization is delivered, which is, as far as I know, the default behaviour of SMTP servers...
Is there a way to prevent this?
(I don't think so, because external senders cannot be authenticated.)

I had a look at the spam mail header; it is spoofed: the mail comes from an external mail server, but the "from" field in the header is the address of one of my internal users...

I considered the solution given in the HOW-TO, but I don't know what the consequences are: will users sending from outside my organization (from cell phones, for example) still be able to send mails?

Thanks.
Brian BEE Topic Advisor, Independent Technology Professional

Commented:
The message headers in the spam mail should show whether or not the messages are originating from your organization. Chances are they are not.

Most anti-spam programs/firewalls have an anti-relay setting that will reject any messages showing as being from your domain, but not from your email server.

The test for the problem you describe would be like this:
MAIL FROM: anyadress@MYorganisation.com
RCPT TO : anyadress@MYorganisation.com
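The test Brian describes, scripted, as an added example that is not part of the original thread. It opens a raw SMTP session like the telnet tests, sends EHLO, MAIL FROM and RCPT TO, and stops there: it never sends DATA, so nothing is queued (the "2.6.0 Queued mail for delivery" in the author's tests appears only after DATA). The verdict is whether both MAIL FROM with an internal sender and RCPT TO an internal recipient get a 250. The host name, port and addresses are placeholders (assumptions), and the HELO name is made up.

```powershell
# Added example (not from the original thread): scripted spoofed-sender probe
# against a receive connector. Stops after RCPT TO, never sends DATA.
function Read-SmtpReply {
    param([System.IO.StreamReader] $Reader)
    # SMTP replies may span several lines; continuation lines have '-' in column 4.
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpSpoof {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,
        [int] $Port = 25,
        [Parameter(Mandatory=$true)] [string] $MailFrom,   # sender to spoof (internal address)
        [Parameter(Mandatory=$true)] [string] $RcptTo,     # internal recipient
        [string] $HeloName = 'spoof-test.example.net'      # assumption: any FQDN works
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"     # SMTP lines end with CRLF
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName")
        $ehloReply = Read-SmtpReply $reader

        $writer.WriteLine("MAIL FROM:<$MailFrom>")
        $mailFromReply = Read-SmtpReply $reader

        # Only try RCPT TO if the sender was accepted; a hardened connector
        # already rejects the spoofed sender at MAIL FROM.
        $rcptReply = $null
        if ($mailFromReply.StartsWith('250')) {
            $writer.WriteLine("RCPT TO:<$RcptTo>")
            $rcptReply = Read-SmtpReply $reader
        }

        # Abort cleanly: RSET discards the envelope, QUIT ends the session.
        $writer.WriteLine('RSET'); [void](Read-SmtpReply $reader)
        $writer.WriteLine('QUIT'); [void](Read-SmtpReply $reader)

        $accepted = $mailFromReply.StartsWith('250') -and
                    ($null -ne $rcptReply) -and $rcptReply.StartsWith('250')
        New-Object PSObject -Property @{
            Server        = "${Server}:${Port}"
            Banner        = $banner
            EhloReply     = $ehloReply
            MailFrom      = $MailFrom
            MailFromReply = $mailFromReply
            RcptTo        = $RcptTo
            RcptToReply   = $rcptReply
            SpoofAccepted = $accepted   # $true = anonymous client may send as an internal user
        }
    }
    finally {
        $client.Close()
    }
}

# Run from OUTSIDE the network against the public MX, and again from inside:
# the two receive connectors (25 and 465) need not answer the same way.
Test-SmtpSpoof -Server 'mail.myorganisation.com' -Port 25 `
    -MailFrom 'director@myorganisation.com' -RcptTo 'finance@myorganisation.com' |
    Format-List
```

SpoofAccepted should be $false on the anonymous port-25 connector once the fix discussed in this thread is applied, and the MailFromReply field then shows the 5xx rejection. Port 465 with anonymous authentication disabled should already reject the session before MAIL FROM is accepted.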

Author

Commented:
Thanks, but I don't agree about the test "not from your email server" => anybody is able to do a telnet on my mail server.
But I agree, it should be from @Myorg to @Myorg, but it would give the same result, as any mail sent to an internal user is delivered (which is in fact my real problem, for which I don't think a solution exists. If you have one, I'm interested).

You're also right about my antispam (McAfee): it should stop most of the incoming spoofed mails, but for a reason I don't know so far, it didn't stop these ones.

Nevertheless, I tested Georges' solution of removing the right "ms-exch-smtp-accept-authoritative-domain-sender" from anonymous logons; it works and doesn't seem so far to disturb other connections.

Thanks !
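The permission change referenced in the first answer's HOW-TO and confirmed by the author above, as an added example written for this page (these are not the thread's own commands). The extended right ms-Exch-SMTP-Accept-Authoritative-Domain-Sender is what lets an unauthenticated client present a MAIL FROM in one of the organisation's accepted domains; Exchange grants it to ANONYMOUS LOGON on connectors that have the "Anonymous users" permission group. The script lists which receive connectors grant it to anonymous clients, removes it from the internet-facing connector, and lists again. It runs in the Exchange Management Shell; the connector name is an assumption to be replaced with your own "Server\Connector".

```powershell
# Added example (not the thread's own commands): audit and remove the
# "accept authoritative domain sender" right for ANONYMOUS LOGON on a
# receive connector. Run in the Exchange Management Shell.
$Right = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$Anon  = 'NT AUTHORITY\ANONYMOUS LOGON'

function Get-AnonymousAuthoritativeSenderGrants {
    # One row per connector on which an unauthenticated client may use a
    # MAIL FROM in one of the accepted (authoritative) domains.
    foreach ($rc in Get-ReceiveConnector) {
        $grant = $rc | Get-ADPermission | Where-Object {
            (-not $_.Deny) -and
            ($_.User.ToString() -like '*\ANONYMOUS LOGON') -and
            (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $Right)
        }
        if ($grant) {
            New-Object PSObject -Property @{
                Connector        = $rc.Identity.ToString()
                Bindings         = ($rc.Bindings -join ', ')
                PermissionGroups = $rc.PermissionGroups.ToString()
                AuthMechanism    = $rc.AuthMechanism.ToString()
            }
        }
    }
}

# 1. Before: expect the anonymous port-25 connector to be listed.
Get-AnonymousAuthoritativeSenderGrants | Format-Table -AutoSize

# 2. Remove the right from the internet-facing connector: dry run, then for real.
$InternetConnector = 'MAILSRV\Default MAILSRV'   # assumption: your own "Server\Connector"
Get-ReceiveConnector $InternetConnector |
    Remove-ADPermission -User $Anon -ExtendedRights $Right -WhatIf
Get-ReceiveConnector $InternetConnector |
    Remove-ADPermission -User $Anon -ExtendedRights $Right -Confirm:$false

# 3. After: the connector must no longer appear.
Get-AnonymousAuthoritativeSenderGrants | Format-Table -AutoSize

# Roll back if an unauthenticated internal sender (printer, application server)
# that relays with an internal From address through this connector stops working:
# Get-ReceiveConnector $InternetConnector | Add-ADPermission -User $Anon -ExtendedRights $Right
```

What changes afterwards: an anonymous session on that connector is rejected at MAIL FROM (a 550 5.7.1 instead of 250) as soon as the sender is in an accepted domain, whether the client is a spammer on the internet or an internal device. Authenticated clients, such as the mobile users on port 465 mentioned in the question, are not affected, since the right is removed only from ANONYMOUS LOGON. Anything external that legitimately sends with your domain as sender (a SaaS tool sending "as" your users, a forwarding service) will also be refused, so inventory those senders before applying the change.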
Brian BEE Topic Advisor, Independent Technology Professional

Commented:
Just to clarify one point, your telnet tests may not be accurate if you are testing from your internal network. You may have to access an outside machine and try the same telnet tests to see how things work in a real world scenario.

Is your McAfee running internally, or is it a cloud service? If it is outside your network, be sure your firewall is set to accept SMTP (port 25) only from the McAfee server, as no legitimate email should be coming from anywhere else.

Author

Commented:
I don't agree either ;-)
Telnet is just a connection on a specific port, exactly as SMTP does. If the test is done on the external (public) interface of the mail server, it doesn't matter if the client is inside or outside the network, I think.
It could potentially be different if McAfee ran as a cloud service, but that isn't the case (I'm located in Central Africa and bandwidth doesn't allow the use of cloud services).

Finally, regarding the firewall, 25 isn't enough! It is configured to accept both ports 25 AND 465 (but this last one doesn't allow anonymous connections, therefore no security issue with spoofed spam).

Thanks for your help  !
