Prevent Exchange Spoofing

Hi Experts,

We have an issue I hope you can help with.
We presently use Exchange 2010. However, we have noticed an issue with us occasionally being blacklisted.
Upon investigation, we found that the cause of this issue was that some users, during the course of their work, were testing sending emails and using the Exchange server as an SMTP relay.

The problem with this, however, is that in their wisdom, they are using made-up domains to send from, hence the blacklist.

Is there any way to stop this and ensure that if they do send test SMTP emails, they are only allowed if it is from our domain?
James Glen, IT Engineer, asked:
 
Todd Nelson, Systems Engineer, commented:
First of all, it sounds as if you created an issue for yourself by modifying the default receive connectors.  Because by default, the receive connectors are not configured for open relay.  Use this as a reference ... https://oddytee.wordpress.com/2016/01/12/exchange-2010-default-receive-connector-settings/

Second, like Gaurav stated, create a "relay" receive connector with only the IP addresses that need to send legitimate SMTP notifications.  Use this reference ... https://practical365.com/exchange-server/how-to-configure-a-relay-connector-for-exchange-server-2010/
1
 
Gaurav Singh, Solution Architect, commented:
Why don't you create a relay connector and allow required IPs from connector to allow emails ...
1
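The approach suggested in the two comments above, as an added example for the Exchange Management Shell (not code from the posts or the linked articles): first audit which receive connectors let anonymous sessions relay and from which source ranges, then create a relay connector scoped to named hosts. The server name, connector name and IP addresses are placeholder assumptions.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

# 1. Audit: list receive connectors on which anonymous sessions may relay to
#    any recipient, with the source ranges each one accepts.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $grant = $connector | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) }
    if ($grant) {
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Connector      = $connector.Identity
            RemoteIPRanges = $ranges -join ', '
            # True when any host that can reach the server may use this connector
            OpenToAnyIP    = ($ranges -contains '0.0.0.0-255.255.255.255')
        }
    }
} | Select-Object Connector, RemoteIPRanges, OpenToAnyIP | Format-Table -AutoSize

# 2. Scoped relay connector: only the listed hosts may relay anonymously.
#    Placeholders (assumptions, replace with your own values):
$server   = 'EX01'                      # hypothetical Hub Transport server
$relayIPs = '192.0.2.10', '192.0.2.11'  # documentation-range sample addresses
$name     = 'Internal Relay'            # hypothetical connector name

New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIPs `
    -PermissionGroups AnonymousUsers

# Grant the relay right to anonymous sessions on this connector only.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User $anon -ExtendedRights $relayRight
```

Exchange hands each inbound connection to the connector whose RemoteIPRanges most specifically match the source address, so hosts not listed on the relay connector fall through to the default connectors. Any connector the audit reports with `OpenToAnyIP` set to `True` is the one to lock down first.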
 
Dr. Klahn, Principal Software Engineer, commented:
Is there any way to stop this

Sure, it's quite easy.  Send out a memo along these lines:

"Tampering with the functionality of the corporate computer network puts not only the network at risk, but the company itself.  This includes attaching unauthorized devices, sharing passwords, using systems you are not authorized to use, and the last specifically includes the recent unauthorized use of the web server and mail transfer systems.

"Starting today, employees will get one warning and it will go into their permanent record.  Those warned will be required to sign a memorandum stating that they understand the rules and will not offend again.  A second offense will result in immediate termination.  This applies to everyone in the company no matter what level of employment - management, salaried or hourly.  The policy will be enforced by Security, not IT."

Then get a rent-a-dummy from one of the security agencies who specialize in such things, hire them on for a month or two, then "catch them in the act" and fire them publicly.  Word gets around and everyone else will fall into line right quick.
0
 
Todd Nelson, Systems Engineer, commented:
Send out a memo

I get what you are driving at.  However, it's easier said than done as it cannot come from IT without the authority of management.  FSIFM should really work to the backing of the C-levels before doing anything of this nature.  I find that most of the time, they will be compliant, but it is not always the case.  We had several C-levels, at a previous company, that really enjoyed their porn and refused to implement any web filtering because they did not want their actions documented or scrutinized.  They were above the law, if you will.  Kind of like sending out a memo would appear to be.
0
 
James Glen, IT Engineer (author), commented:
Cheers guys, that hit the nail on the head and I was able to lock it down.
Thanks for the articles :)
0
Question has a verified solution.
