Exchange 2010 - Spoofing of Internal Email Address Inbound (Accepted Domains)

I have been battling with trying to mitigate inbound phishing emails to our staff. The email FROM header address is that of valid staff, sent to other staff requesting information, with a REPLY-TO of the fraudster.

I have previously stopped these by enabling SENDER ID rejections on the Exchange 2010 Edge servers.

Unfortunately, this prevents valid emails coming in from the internet where organisations neglect to add their SMTP servers to their SPF records.

Is there a way to specifically block these emails for our Accepted Domains? Our own SPF records cover all SMTP servers internally and EDM.

Thank you.
Ivan Keleher asked:

Ivan (System Engineer) commented:

Have you seen this setup?

Get-ReceiveConnector "Default Frontend <servername>" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" } | Remove-ADPermission

Jian An Lim (Solutions Architect) commented:
If you follow the above method, then no internet email with your domain will arrive at your systems, which could potentially block legit email.

I have solved this by using 3rd-party cloud services like Mimecast; they have the capability to inspect the mail-from and envelope header, and further, they can whitelist the IP addresses that validate such issues.

By doing otherwise, you are probably swapping one problem for another.
Senior IT System Engineer (Senior Systems Engineer) commented:

It means that your email receive connector is open as a relay:

Run this PowerShell command in the Exchange Management Shell against your default send connector (the one that accepts from public address space):

Get-ReceiveConnector "Your default Receive Connector Name" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON"

If that comes back with ExtendedRights including "ms-Exch-SMTP-Accept-Any-Recipient", then you have an open relay. You need to remove this permission using Remove-ADPermission.

The line below should fix your issue:

Get-ReceiveConnector "My Internet Receive Connector Name" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" } | Remove-ADPermission

Hope that helps.

Ivan Keleher (Author) commented:
Removing ms-Exch-SMTP-Accept-Authoritative-Domain-Sender certainly fixes the situation; however, we use third-party systems such as MailChimp for marketing emails.

When they are delivered to staff email addresses they are blocked; what would be the best way around this?
Jian An Lim (Solutions Architect) commented:
Create a separate receive connector and assign the IP address for the 3rd-party system.

Or tell MailChimp not to use your internal domain (maybe add @mailchimp.<domain>).
Ivan Keleher (Author) commented:
Jian, emails are sent using the MailChimp servers obviously, and those emails are delivered to the MX servers.
Jian An Lim (Solutions Architect) commented:
The receive connector will apply only if MailChimp attempts to send using your own domain email address as a FROM.

And MailChimp will also have a range of static IP addresses that it sends from.

You can create a separate receive connector like the default connector but assign IP addresses to it.
You basically just whitelist them so they can send as your own domain to yourself.
Ivan Keleher (Author) commented:
Not helpful Jian, anyone else?
Jian An Lim (Solutions Architect) commented:
Why not? Since your public receive connector is receiving internet email and the Exchange server is directly on MX...
Anyway, I leave it to others to chip in their thoughts.
Ivan Keleher (Author) commented:
Your solution is not clear enough. Little effort has been put into explaining each step.
Jian An Lim (Solutions Architect) commented:
Okay, that's better.

So you have run the above script:

Get-ReceiveConnector "Default Frontend <servername>" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" } | Remove-ADPermission

So now your Default Frontend connector will not accept the email from MailChimp. In order to fix this you need to create a new receive connector:

$r = Get-ReceiveConnector "Default Frontend <servername>"

# Fill in MailChimp's sending IP ranges in -RemoteIPRanges; the new connector keeps the same bindings as the default one but only answers those ranges
New-ReceiveConnector "mailchimp services" -Server $r.Server -Usage Custom -AuthMechanism "Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer" -PermissionGroups "AnonymousUsers, ExchangeServers, ExchangeLegacyServers" -RemoteIPRanges "","" -Bindings $r.Bindings

This will allow the server to take MailChimp services.
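As an added example that is not part of any reply above, the following Exchange Management Shell script generalises the one-liners in Ivan's first post and in Jian's last post: it audits every Receive Connector for the two anonymous extended rights discussed in this thread (open relay and sending as an accepted domain), then strips ms-Exch-SMTP-Accept-Authoritative-Domain-Sender only from connectors whose remote IP range is the whole internet, so a narrowly scoped third-party connector like the MailChimp one keeps working. The function names are my own and it assumes Exchange 2010; nothing here comes from the thread's participants.

```powershell
# Added audit/remediation example (not from the thread). Assumes Exchange 2010 Management Shell.
$Anon          = "NT AUTHORITY\ANONYMOUS LOGON"
$AnyRecipient  = "ms-Exch-SMTP-Accept-Any-Recipient"               # anonymous relay to any recipient
$AuthDomSender = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"  # anonymous MAIL FROM as our own domains

function Test-AnonRight {
    param($Connector, [string]$Right)
    # Get-ADPermission returns one object per ACE; ExtendedRights on each ACE is a collection
    $aces = $Connector | Get-ADPermission -User $Anon | Where-Object { -not $_.Deny }
    return @($aces | Where-Object { $_.ExtendedRights -like $Right }).Count -gt 0
}

function Get-ReceiveConnectorRisk {
    foreach ($rc in Get-ReceiveConnector) {
        $ranges = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ","
        # The connector that answers the whole internet is the one that must not let anonymous
        # senders use accepted domains; a connector scoped to a vendor's ranges may keep the right
        $internetWide = $ranges -match "0\.0\.0\.0-255\.255\.255\.255"
        New-Object PSObject -Property @{
            Identity             = $rc.Identity.ToString()
            RemoteIPRanges       = $ranges
            InternetWide         = $internetWide
            AnonAnyRecipient     = Test-AnonRight $rc $AnyRecipient
            AnonAuthDomainSender = Test-AnonRight $rc $AuthDomSender
        }
    }
}

function Remove-AnonAuthDomainSender {
    param([string]$Identity)
    # Removes only the authoritative-domain-sender right; other anonymous rights are untouched
    Get-ReceiveConnector $Identity |
        Get-ADPermission -User $Anon |
        Where-Object { $_.ExtendedRights -like $AuthDomSender } |
        Remove-ADPermission -Confirm:$false
}

# Report first: any connector with AnonAnyRecipient = True is an open relay and needs attention too
Get-ReceiveConnectorRisk |
    Format-Table Identity, InternetWide, AnonAuthDomainSender, AnonAnyRecipient, RemoteIPRanges -AutoSize

# Then remediate only internet-wide connectors that still let anonymous senders use our domains
Get-ReceiveConnectorRisk |
    Where-Object { $_.InternetWide -and $_.AnonAuthDomainSender } |
    ForEach-Object { Remove-AnonAuthDomainSender $_.Identity }
```

Re-run the report after remediation: the internet-facing connector should show AnonAuthDomainSender = False while the vendor-scoped connector (with only its static ranges in RemoteIPRanges) still shows True.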