Exchange spoofed senders

I have an Exchange server that does not have an open external relay, as tested by mxlookup.com. External unauthenticated users cannot send email to people outside of our domain. This is correct.

But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain. And so we are getting a lot of spam / phishing because of it. How do I disable this?
AaronSSH (IT Consultant) asked:

timgreen7077 (Exchange Engineer) commented:
Unfortunately you can't stop someone from spoofing your email domain. The best thing to do is be sure to set up an SPF record so that it will instruct servers that if someone sends an email as your domain but it's not coming from one of your sending servers they can reject the email. That will also assist in keeping your domain off of blacklists. You can test your SPF record at:

http://www.kitterman.com/spf/validate.html
Wayne88 commented:
"Unfortunately you can't stop someone from spoofing your email domain." - agree with Tim

If you have a good anti-spam it will catch most of them but it will never be 100%.  What kind of anti-spam do you have in place?
Amit (IT Architect) commented:
This is what I recommend to most of my clients.

1) Disable forwarding, Out of Office and auto-response settings at the org level. Once you disable these settings, if anyone tries to send spoofed mail to your domain, they won't get any response. That helps protect against a lot of spoofing. I know your users might not agree, but that is my first recommendation.

2) Good cloud and on-premises anti-spam solutions. Yes, you need both. 90% will get filtered at the cloud level; the rest you need to filter on the on-premises anti-spam server. For cloud, you can look at Proofpoint, MessageLabs or EOP. On-prem, Trend, Brightmail.

3) Use a product like Voltage (encryption) to send messages outside; that makes sure no one can hack your message during transit.

4) Use a DLP solution.

5) Educate users not to use the company mail account for personal use. This is the cause of 99% of spam mails.

6) Make sure your SPF records are set up correctly. More to read:
https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365
https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

Let me know if you need more info.
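Step 1 above is a single org-level setting in Exchange. This is an added example, not code from the thread or from Microsoft's documentation; it assumes Exchange 2013/2016 and the Exchange Management Shell, and that the "Default" remote domain (the `*` entry) is the one covering external domains.

```powershell
# Added example (not from the thread): org-level switch for "disable
# forwarding, Out of Office and auto-response" (step 1 above).
# Assumptions: Exchange 2013/2016 Management Shell; "Default" is the remote
# domain entry that covers all external domains (*).

# Stop auto-replies (including Out of Office) and client auto-forwards from
# leaving the organisation, so a spoofed message never triggers a reply that
# confirms the mailbox exists or leaks content back to the sender.
Set-RemoteDomain -Identity Default -AutoReplyEnabled $false -AutoForwardEnabled $false `
    -AllowedOOFType None

# Check every remote domain, not only Default: a more specific entry
# (e.g. a partner domain) overrides Default for mail sent to that domain.
Get-RemoteDomain |
    Format-Table Name, DomainName, AutoReplyEnabled, AutoForwardEnabled, AllowedOOFType
```

If you have partner domains that legitimately need Out of Office replies, keep a separate remote domain entry for them with `AllowedOOFType External` rather than re-enabling it on Default.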

Michelangelo (System Administrator / Postmaster) commented:
Note that
1) authenticated users should be allowed to use an internal domain to send to internal users
2) unauthenticated users should not
External senders use plain SMTP toward your MX and specify an arbitrary From address. Postfix allowed for easy protection from this kind of spoofing.

You basically have to change permissions as described here:
https://social.technet.microsoft.com/Forums/lync/en-US/229b4cc3-edd8-424a-9dd4-66dde61efd79/receiving-mails-from-external-with-our-internal-address?forum=FSENext

If you do not use third-party services to send emails as coming from your domain toward your internal users, you don't need to implement the second connector as described in the post above.

That said, if doable, go the SPF way as other experts recommended.
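The permission change Michelangelo refers to is the `ms-Exch-SMTP-Accept-Authoritative-Domain-Sender` extended right that anonymous SMTP sessions hold by default on the internet-facing receive connector. The following is an added example, not code from the thread or from the linked TechNet post; it assumes Exchange 2013/2016 and the Exchange Management Shell, and the connector name "Default Frontend EX01" and the device IP addresses are placeholders.

```powershell
# Added example (not from the thread): audit and remove the right that lets
# anonymous SMTP sessions use MAIL FROM addresses in your own accepted domains.
# Assumptions: Exchange 2013/2016 Management Shell; connector name and IP
# ranges below are placeholders for your environment.

$connectorName = "Default Frontend EX01"        # placeholder: internet-facing receive connector
$anonymous     = "NT AUTHORITY\ANONYMOUS LOGON"
$right         = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Audit: does anonymous currently hold the authoritative-domain-sender right?
$current = Get-ReceiveConnector -Identity $connectorName |
    Get-ADPermission -User $anonymous |
    Where-Object { $_.ExtendedRights -like "*Accept-Authoritative-Domain-Sender*" -and -not $_.Deny }

if ($current) {
    Write-Host "Anonymous can currently send as your own domains on '$connectorName'."
    # 2. Remove the right. External sessions that spoof an internal MAIL FROM
    #    are then rejected at the SMTP envelope stage with a 550 5.7.1 response.
    Get-ReceiveConnector -Identity $connectorName |
        Remove-ADPermission -User $anonymous -ExtendedRights $right -Confirm:$false
} else {
    Write-Host "Anonymous already lacks the right on '$connectorName'."
}

# 3. Only if internal devices (printers, scanners, line-of-business apps) submit
#    mail unauthenticated with an internal From address: give them a dedicated
#    connector scoped to their IPs that keeps the right. This is the "second
#    connector" mentioned above; skip it if you have no such devices.
$deviceIPs = @("10.0.0.50", "10.0.0.51")      # placeholder addresses
New-ReceiveConnector -Name "Internal Device Relay" -TransportRole FrontendTransport `
    -Usage Custom -Bindings "0.0.0.0:25" -RemoteIPRanges $deviceIPs `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector -Identity "Internal Device Relay" |
    Add-ADPermission -User $anonymous -ExtendedRights $right

# 4. Verify which connectors still grant the right to anonymous.
Get-ReceiveConnector | Get-ADPermission -User $anonymous |
    Where-Object { $_.ExtendedRights -like "*Authoritative-Domain-Sender*" } |
    Format-Table Identity, ExtendedRights, Deny -AutoSize
```

Exchange picks the connector whose RemoteIPRanges most specifically matches the connecting client, so the device connector wins for the listed addresses while everything else stays on the default connector without the right. Authenticated clients (Outlook, mobile devices via the client connector) are unaffected, which is exactly the split between points 1) and 2) above. Test from outside afterwards with a plain SMTP session using an internal MAIL FROM; it should now be refused.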

Dr. Klahn (Principal Software Engineer) commented:
"But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain."

Brute-force solution:  Disallow sends originating from IP addresses outside your LAN.

Otherwise, as Michelangelo says, require sends to undergo secure authentication on the not-port-25 submissions port.

Setting an SPF record is a very good thing to do, but IMO it will not significantly help this particular problem. At this point few sites so much as check it, and very few enforce it.

Michelangelo (System Administrator / Postmaster) commented:
Dr. Klahn: in this case, you cannot disable receiving emails, as these are sent through the OP's domain MXes (OP checked and hasn't got an open relay).
About SPF: correct, BUT in this case it is the OP itself that would be checking whether the sender IP is allowed to send on behalf of the OP's own domain. Using a policy of -all in the SPF record would allow rejecting such spoofed emails.
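Michelangelo's point is that the receiving server here is the OP's own Exchange, so the OP decides whether SPF is enforced. This added example (not code from the thread) checks that the published record actually ends in `-all`, then configures the Exchange Sender ID agent to reject mail whose purported sender domain fails the check. It assumes "example.com" is a placeholder for the accepted domain, that the anti-spam agents are installed on the Mailbox server (`Install-AntiSpamAgents.ps1`) or that it runs on an Edge Transport server, and that the upstream IP shown is a placeholder.

```powershell
# Added example (not from the thread): verify the published SPF policy and make
# the Exchange Sender ID agent reject spoofed-domain mail that fails it.
# Assumptions: Exchange Management Shell on a server where the anti-spam agents
# are installed; "example.com" and "203.0.113.10" are placeholders.

$domain = "example.com"

# 1. Fetch the SPF TXT record and assess its terminal mechanism.
$spf = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop).Strings |
    Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1

if (-not $spf) {
    Write-Warning "No SPF record published for $domain; nothing to enforce."
} elseif ($spf -match "\s-all\s*$") {
    Write-Host "SPF is enforcing (hard fail): $spf"
} elseif ($spf -match "\s~all\s*$") {
    Write-Warning "SPF ends in ~all (soft fail): receivers, including this server, will mark but not reject: $spf"
} else {
    Write-Warning "SPF has no terminal -all/~all, so unlisted senders pass by default: $spf"
}

# 2. Tell the Sender ID agent to reject a message whose purported responsible
#    address (PRA) is in one of your domains but whose client IP is not
#    authorised by the record. Default is only to stamp the status header.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -ExternalMailEnabled $true

# 3. The agent needs the real client IP. If a cloud filter or other device sits
#    in front of the MX, list its address as internal so it is skipped when the
#    originating IP is determined from the Received headers.
# Set-TransportConfig -InternalSMTPServers @{Add="203.0.113.10"}   # placeholder upstream IP

Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, ExternalMailEnabled
```

With `-all` published and `SpoofedDomainAction Reject`, an external session claiming an internal sender is refused even if the connector permission change has not been made, and legitimate third-party senders stay accepted as long as they are listed in the record. Keep `~all` only while you are still discovering which services send on your behalf, since the agent will not reject on a soft fail.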