Exchange 2010 - Spoofing of Internal Email Address Inbound (Accepted Domains)

Ivan Keleher
I have been battling with trying to mitigate inbound phishing emails to our staff. The email FROM header address is that of valid staff, sent to other staff requesting information, with a REPLY-TO of the fraudster.

I have previously stopped these by enabling SENDER ID rejections on the Exchange 2010 Edge servers.

Unfortunately this prevents valid emails coming in from the internet where organisations neglect to add their SMTP servers to SPF records.

Is there a way to specifically block these emails for our Accepted Domains? Our own SPF records cover all SMTP servers internally and EDM.


Thank you.
Ivan, System Engineer
Commented:
Hi,

Have you seen this setup?

http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

Get-ReceiveConnector "Default Frontend <servername>" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Regards,
Ivan.
Jian An Lim, Solutions Architect

Commented:
If you follow the above method, then no internet email with your domain will arrive at your systems, which could potentially block legit email.

I have solved this by using 3rd party cloud services like Mimecast; they have the capability to inspect the mail from and envelope headers, and further, they can whitelist the IP addresses that validate such issues.

By doing otherwise, you are probably swapping one problem for another.
Commented:
Hi,

It means that your email receive connector is open as a relay:

Run this PowerShell command in the Exchange Management Shell against your default send connector (the one that accepts from public address space):

Get-ReceiveConnector "Your default Receive Connector Name" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON"

If that comes back with ExtendedRights including "ms-Exch-SMTP-Accept-Any-Recipient" then you have an open relay. You need to remove this permission using Remove-ADPermission.

The line below should fix your issue:

Get-ReceiveConnector "My Internet Receive Connector Name" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission



Hope that helps.

Source: http://justworks.ca/blog/exchange-internal-anonymous-relay-the-right-way
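The audit and removal the two answers above describe, written out as an added example (this is not code from the thread or from the linked blog posts). It assumes the Exchange Management Shell on the server that owns the internet-facing receive connector; the connector name "Default EDGE01" is a placeholder, so substitute whatever Get-ReceiveConnector shows for yours. It reports, for every receive connector, whether anonymous holds the authoritative-domain-sender right (the one that lets an outsider use your accepted domains in MAIL FROM) and the any-recipient right (the one that makes an open relay), and then strips only the first of those from the internet-facing connector.

```powershell
# Added example, not code from the thread. Assumes the Exchange Management Shell on the
# server that owns the internet-facing receive connector; the connector name is a placeholder.
$InternetConnector = "Default EDGE01"                 # placeholder: your internet-facing connector
$Anonymous         = "NT AUTHORITY\ANONYMOUS LOGON"

# The two extended rights that matter for this thread:
#   ms-Exch-SMTP-Accept-Authoritative-Domain-Sender - anonymous may use MAIL FROM in one of
#       your accepted domains (this is what lets an outsider spoof your staff inbound)
#   ms-Exch-SMTP-Accept-Any-Recipient               - anonymous may relay to any recipient
#       (an open relay when granted on an internet-facing connector)
$OwnDomainRight = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$RelayRight     = "ms-Exch-SMTP-Accept-Any-Recipient"

function Get-AnonymousRightNames {
    # Returns the extended-right names anonymous holds on one receive connector object.
    param([Parameter(Mandatory)]$Connector)
    $aces = $Connector | Get-ADPermission -User $Anonymous -ErrorAction SilentlyContinue
    @($aces | ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
}

function Get-AnonymousSpoofExposure {
    # One row per receive connector: may anonymous send as your own domain, and may it relay?
    # Run this before and after removing a right so the change is visible.
    Get-ReceiveConnector | ForEach-Object {
        $rights = Get-AnonymousRightNames -Connector $_
        [PSCustomObject]@{
            Connector            = $_.Identity
            RemoteIPRanges       = ($_.RemoteIPRanges -join ", ")
            AnonSendsAsOwnDomain = [bool]($rights -contains $OwnDomainRight)
            AnonOpenRelay        = [bool]($rights -contains $RelayRight)
        }
    }
}

function Remove-AnonymousOwnDomainSender {
    # Removes only the authoritative-domain-sender right from anonymous on one connector.
    # The other anonymous rights (Submit, Accept-Any-Sender, ...) stay in place, so ordinary
    # internet mail from other domains keeps flowing.
    param([Parameter(Mandatory)][string]$ConnectorName)
    Get-ReceiveConnector $ConnectorName |
        Get-ADPermission -User $Anonymous |
        Where-Object { $_.ExtendedRights -like $OwnDomainRight } |
        Remove-ADPermission -Confirm:$false
}

# Usage: audit, harden the internet-facing connector, audit again.
Get-AnonymousSpoofExposure | Format-Table -AutoSize
Remove-AnonymousOwnDomainSender -ConnectorName $InternetConnector
Get-AnonymousSpoofExposure | Format-Table -AutoSize
```

Once the right is gone, an SMTP client outside any other connector's ranges that issues MAIL FROM with one of your accepted domains is refused with "550 5.7.1 Client does not have permissions to send as this sender". Two caveats a practitioner should keep in mind: the check is made on the envelope sender (MAIL FROM), so a message with an external envelope sender and a forged header From: of a staff member is not covered by this permission; and, as the thread goes on to discover, every legitimate third party that sends as your domain (mailing platforms, scanners, ticketing systems) is blocked by the same change and needs its own connector.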

Author

Commented:
Removing ms-exch-smtp-accept-authoritative-domain-sender certainly fixes the situation; however, we use third-party systems such as MailChimp for marketing emails.

When they are delivered to staff email addresses they are blocked. What would be the best way around this?
Jian An Lim, Solutions Architect
Commented:
Create a separate receive connector and assign IP addresses for the 3rd party system.

Or tell MailChimp not to use your internal domain (maybe add @mailchimp.<domain>).

Author

Commented:
Jian, emails are sent using the MailChimp servers, obviously, and those emails are delivered to the MX servers.
Jian An Lim, Solutions Architect
Commented:
The receive connector will apply only if MailChimp attempts to send using your own domain email address as a FROM.

MailChimp will also have a range of static IP addresses that it sends from.

You can create a separate receive connector like the default connector but assign IP addresses to it.
You basically just whitelist them so they can send as your own domain to yourself.


http://mailchimp.com/about/ips/

Author

Commented:
Not helpful Jian, anyone else?
Jian An Lim, Solutions Architect

Commented:
Why not? Since your public receive connector is receiving internet email and the Exchange server is directly on the MX...
Anyway, I leave it to others to chip in their thoughts.

Author

Commented:
Your solution is not clear enough. Little effort has been put into explaining each step.
Jian An Lim, Solutions Architect
Commented:
Okay, that's better.

So you have run the above script:

Get-ReceiveConnector "Default Frontend <servername>" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

So now your default frontend connector will not accept the email from MailChimp.
In order to fix this, you need to create a new receive connector:

$r = Get-ReceiveConnector "Default Frontend <servername>"

New-ReceiveConnector "mailchimp services" -Server $r.Server -AuthMechanism "Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer" -PermissionGroups "AnonymousUsers, ExchangeServers, ExchangeLegacyServers" -RemoteIPRanges "205.201.128.0/20","198.2.128.0/18" -Bindings $r.Bindings

This will allow the server to accept mail from the MailChimp services.
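The dedicated-connector approach from the answer above, as an added example that is not code from the thread. It generalises the answer into a reusable function: any third party with published sending ranges gets its own connector, scoped to those ranges, that grants anonymous only the AnonymousUsers permission group (which includes ms-Exch-SMTP-Accept-Authoritative-Domain-Sender and nothing that relays), and a check function confirms the result on the new connector and on the hardened internet-facing one. It assumes the Exchange Management Shell; "Default EDGE01" is a placeholder connector name, and the MailChimp ranges are the ones quoted in the thread.

```powershell
# Added example, not code from the thread. Assumes the Exchange Management Shell, an existing
# internet-facing connector (name is a placeholder) and the MailChimp ranges quoted above.
function New-TrustedSenderConnector {
    # Creates a receive connector scoped to a third party's published IP ranges so that only
    # those hosts may send anonymously with MAIL FROM in your accepted domains.
    param(
        [Parameter(Mandatory)][string]  $Name,
        [Parameter(Mandatory)][string[]]$RemoteIPRanges,
        [Parameter(Mandatory)][string]  $InternetConnectorName
    )
    $base = Get-ReceiveConnector $InternetConnectorName
    # Same server and bindings as the internet connector. When two connectors share a binding,
    # Exchange hands the session to the one whose RemoteIPRanges most specifically matches the
    # client IP, so these narrow ranges win over the internet connector's catch-all range.
    # The AnonymousUsers permission group grants ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
    # (and no relay right), which is all a marketing sender needs; Tls keeps STARTTLS on offer.
    New-ReceiveConnector -Name $Name -Server $base.Server -Bindings $base.Bindings `
        -RemoteIPRanges $RemoteIPRanges -AuthMechanism Tls -PermissionGroups AnonymousUsers
}

function Test-AnonymousSendsAsOwnDomain {
    # True when anonymous holds the authoritative-domain-sender right on the named connector.
    param([Parameter(Mandatory)][string]$Name)
    $rights = Get-ReceiveConnector $Name |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" }
    [bool]($rights -contains "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender")
}

# Usage with the MailChimp ranges posted in the thread. The ranges are the trust boundary:
# anything that can connect from inside them may send as your domain, so re-check them
# against the provider's published list whenever it changes.
$mailchimpRanges = "205.201.128.0/20", "198.2.128.0/18"
New-TrustedSenderConnector -Name "MailChimp services" -RemoteIPRanges $mailchimpRanges `
    -InternetConnectorName "Default EDGE01"    # placeholder connector name
Test-AnonymousSendsAsOwnDomain -Name "MailChimp services"
Test-AnonymousSendsAsOwnDomain -Name "Default EDGE01"
```

After the connector exists, the check should come back True for "MailChimp services" and False for the internet-facing connector once the authoritative-domain-sender right has been removed from it. Keep the new connector's permission group to AnonymousUsers only: the extra ExchangeServers and ExchangeLegacyServers groups in the answer above are for Exchange-to-Exchange traffic and give a third-party range more than it needs.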
