Exchange spoofed senders

AaronSSH
I have an Exchange server that does not have an open external relay, as tested by mxlookup.com. External unauthenticated users cannot send email to people outside of our domain. This is correct.

But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain. And so we are getting a lot of spam / phishing because of it. How do I disable this?
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Unfortunately you can't stop someone from spoofing your email domain. The best thing to do is be sure to set up an SPF record so that it will instruct servers that if someone sends an email as your domain but it's not coming from one of your sending servers, they can reject the email. That will also assist in keeping your domain off of blacklists. You can test your SPF record at:

http://www.kitterman.com/spf/validate.html
Top Expert 2015

Commented:
"Unfortunately you can't stop someone from spoofing your email domain." - agree with Tim

If you have a good anti-spam it will catch most of them but it will never be 100%. What kind of anti-spam do you have in place?
Amit, IT Architect
Distinguished Expert 2017

Commented:
This is what I recommend to most of my clients.

1) Disable forwarding, Out of Office and auto-response settings at the org level. Once you disable these settings, if anyone tries to send spoofed mail to your domain, they won't get any response. That helps to protect against a lot of spoofing. I know your users might not agree, but that is my first recommendation.

2) Good cloud and on-premises anti-spam solutions. Yes, you need both. 90% will get filtered at the cloud level; the rest you need to filter on the on-premises anti-spam server. For cloud, you can look at Proofpoint, MessageLabs or EOP. For on-prem, Trend, Brightmail.

3) Use a product like Voltage (encryption) to send messages outside; that makes sure no one can hack your message during transit.

4) Use a DLP solution.

5) Educate users not to use their company mail account for personal use. This is the cause of 99% of spam mails.

6) Make sure your SPF records are set up correctly. More to read:
https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365
https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

Let me know if you need more info.
System Administrator / Postmaster
Commented:
Note that
1) authenticated users should be allowed to use an internal domain to send to internal users
2) unauthenticated users should not
External senders use plain SMTP toward your MX and specify an arbitrary From address. Postfix allows for easy protection from this kind of spoofing.

You basically have to change permissions as described here:
https://social.technet.microsoft.com/Forums/lync/en-US/229b4cc3-edd8-424a-9dd4-66dde61efd79/receiving-mails-from-external-with-our-internal-address?forum=FSENext

If you do not use third-party services to send emails as coming from your domain toward your internal users, you don't need to implement the second connector as described in the post above.

That said, if doable, go the SPF way as other experts recommended.
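The permission change referred to above, as an added Exchange Management Shell example (not code from the thread or from the linked Microsoft post): it audits which receive connectors let anonymous SMTP sessions use a sender in one of your own accepted domains, then removes that right from the Internet-facing connector. The connector name in $InternetConnector is an assumption; adjust it to yours.

```powershell
# Added example, not from the thread. Audit and remove the right that lets an
# unauthenticated (anonymous) SMTP session claim a MAIL FROM in your own domain.
# Assumption: the Internet-facing connector is "EXCH01\Default Frontend EXCH01".
$InternetConnector = "EXCH01\Default Frontend EXCH01"
$Anonymous         = "NT AUTHORITY\ANONYMOUS LOGON"
$Right             = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Audit: list every receive connector on which anonymous senders hold the right.
Get-ReceiveConnector |
    Get-ADPermission -User $Anonymous |
    Where-Object { $_.ExtendedRights -like $Right } |
    Select-Object Identity, User, ExtendedRights |
    Format-Table -AutoSize

# 2. Mitigate: strip the right from the Internet-facing connector only.
#    Authenticated users (Outlook, ActiveSync, authenticated SMTP) keep sending as
#    themselves; a plain unauthenticated session presenting a sender in your domain
#    is now rejected by Exchange with a 5.7.1 "not permitted to send as this sender".
Get-ReceiveConnector -Identity $InternetConnector |
    Remove-ADPermission -User $Anonymous -ExtendedRights $Right -Confirm:$false

# 3. Verify: the same query should now return nothing for that connector.
Get-ReceiveConnector -Identity $InternetConnector |
    Get-ADPermission -User $Anonymous |
    Where-Object { $_.ExtendedRights -like $Right }
```

If a third-party service legitimately sends mail as your domain to your own users, give its source IPs a separate receive connector that keeps the right, as the linked post describes; otherwise its mail will be rejected too.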
Dr. Klahn, Principal Software Engineer

Commented:
But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain.

Brute-force solution: Disallow sends originating from IP addresses outside your LAN.

Otherwise, as Michelangelo says, require sends to undergo secure authentication on the not-port-25 submissions port.

Setting an SPF record is a very good thing to do, but imo it will not significantly help this particular problem. At this point few sites so much as check it, and very few enforce it.
Michelangelo, System Administrator / Postmaster

Commented:
Dr. Klahn: in this case, you cannot disable receiving emails, as these are sent through the OP's domain MXes (OP checked and hasn't got an open relay).
About SPF: correct, BUT in this case it is the very OP that would be checking if the sender IP is allowed to send on behalf of the OP's own domain. Using a policy of -all in the SPF record would allow rejecting such spoofed emails.
