AaronSSH
asked on
Exchange spoofed senders
I have an Exchange server that does not have an open external relay, as tested by mxlookup.com. External unauthenticated users cannot send email to people outside of our domain. This is correct.
But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain. And so we are getting a lot of spam / phishing because of it. How do I disable this?
"Unfortunately you can't stop someone from spoofing your email domain." - agree with Tim
If you have a good anti-spam it will catch most of them but it will never be 100%. What kind of anti-spam do you have in place?
This is what I recommend to most of my clients.
1) Disable forwarding, Out of Office and auto-response settings at the org level. Once you disable these settings, if anyone tries to send spoofed mail to your domain, they won't get any response. That helps protect against a lot of spoofing. I know your users might not agree, but that is my first recommendation.
2) Good cloud and on-premises anti-spam solution. Yes, you need both. 90% will get filtered at the cloud level; the rest you need to filter on the on-premises anti-spam server. For cloud, you can look at Proofpoint, MessageLabs or EOP. On-prem: Trend, Brightmail.
3) Use a product like Voltage (encryption) to send messages outside; that makes sure no one can hack your message in transit.
4) Use a DLP solution.
5) Educate users not to use company mail accounts for personal use. This is the cause of 99% of spam mails.
6) Make sure your SPF records are set up correctly. More to read:
https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365
https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
Let me know if you need more info.
But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain.
Brute-force solution: Disallow sends originating from IP addresses outside your LAN.
Otherwise, as Michelangelo says, require sends to undergo secure authentication on the not-port-25 submission port.
Setting an SPF record is a very good thing to do, but imo it will not significantly help this particular problem. At this point few sites so much as check it, and very few enforce it.
Dr. Khan: in this case, you cannot disable receiving emails as these are sent through OP domain MXes (OP checked and hasn’t got an open relay).
About SPF: correct, BUT in this case it is the very OP that would be checking whether the sender IP is allowed to send on behalf of the OP's own domain. Using a policy of -all in the SPF record would allow rejecting such spoofed emails.
http://www.kitterman.com/spf/validate.html
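The point Michelangelo makes above (and item 6 in Dr. Khan's list) is that the OP's own inbound server is the one receiver that can usefully enforce SPF for the OP's domain: a message arriving from the internet with a MAIL FROM in that domain, from an IP the record does not authorize, gets a hard "fail" under "-all" and can be rejected at SMTP time, whereas "~all" only yields "softfail". The following is an added example, not code from this thread or from Exchange: a minimal SPF evaluator over a constructed in-memory DNS table (the names FAKE_DNS_TXT, check_host and receiving_policy, the domains example.com, _spf.mailhost.example and softfail.example, and the documentation-range IP addresses are all assumptions). It implements only the ip4, ip6, include and all mechanisms; a, mx, ptr, exists, redirect= and macros are left out, so it is a teaching aid for the -all vs ~all decision, not a replacement for a real SPF library.

```python
"""Minimal SPF (RFC 7208 subset) evaluator, added as an illustration.

DNS is replaced by a constructed dictionary so the example runs offline.
Supported mechanisms: ip4, ip6, include, all. Modifiers (exp=, redirect=)
are ignored; any other mechanism yields 'permerror'.
"""
import ipaddress

# Constructed sample TXT records (assumption: not real zone data).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the v=spf1 record for domain, or None (a real resolver would query TXT)."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` against connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":")[0]:
            continue  # modifier (exp=, redirect=): ignored in this subset
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":
                return "permerror"  # included domain has no record: RFC 7208 §5.2
            # fail / softfail / neutral inside an include simply do not match
        else:
            return "permerror"  # mechanism not implemented in this subset
    return "neutral"  # record exhausted without a match and without 'all'


def receiving_policy(client_ip, mail_from, our_domain, dns=FAKE_DNS_TXT):
    """Decision an inbound MX can take when it checks SPF for its *own* domain.

    Returns (action, spf_result). Mail claiming another domain is passed through
    untouched here; the thread's problem is internet hosts claiming our domain.
    """
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    if sender_domain != our_domain.lower():
        return ("accept", "not-our-domain")
    result = check_host(client_ip, sender_domain, dns)
    if result == "fail":
        return ("reject", result)  # -all: refuse with a 5xx at SMTP time
    if result == "softfail":
        return ("accept-and-mark", result)  # ~all: tag or score, do not reject
    return ("accept", result)


if __name__ == "__main__":
    for ip, sender in [("203.0.113.5", "ceo@example.com"),
                       ("198.51.100.10", "ceo@example.com"),
                       ("192.0.2.99", "ceo@example.com")]:
        print(ip, sender, receiving_policy(ip, sender, "example.com"))
```

The third case in the usage block is the thread's scenario: an internet host connects to the OP's MX claiming ceo@example.com, the record ends in -all, and the server can reject rather than deliver. Change example.com's record to end in ~all and the same message only earns "accept-and-mark", which is why the choice of qualifier, and enforcing it on your own inbound server, is what makes SPF useful here.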