Steve Avery🇺🇸

Stop spoofers from sending out spam-like emails
Experts,

Background
I have a user, in the accounting office, whose email account has been spoofed by a hacker.  The email account is sending out spam emails.  Some of these sent-out spam emails have gotten serious in nature (ex: telling a vendor that I charged a credit card for their payment).  The issue has gotten out of hand.  Of course, the user is not sending out these emails.  In my research, I have read that these email spoofers usually move on quickly and the spam emails stop; however, in this case, the spoofers are still at it, going on 3 weeks now.  I had the user change their password; however, that didn't stop the spoofers.  In one piece of research I did, it said to delete all of the contacts in their Outlook (with no Outlook contacts the spoofers have no one to send spam-like email to); however, I don't know if the user wants to do that because then all of their contacts would be gone.

Actions taken
So, what I did was create a new AD account logon for the user and an accompanying new email address.  I moved all of the user's files over and exported/imported email from their old email address to their new email address.  The user was back up and running within an hour with their new AD account and new email address.  I went into the Exchange server and set up forwarding from their old email address to their new email address.  The user also added a note at the bottom of their new email signature alerting all customers/vendors that their email address changed.  So far, so good, everything is working great.

Help needed explained
Now, here is my question/problem: how can I configure Outlook or Exchange to only send outgoing emails specifically to the user's new email address?  My thought process is this ... if I disable the user's old email address in Exchange, then that will solve my problem with spoofers sending out spam-like emails; however, the disabled old email address will not forward emails to the user's new email address  --and/or--  if I leave the user's old email address up and running, the old email address will forward emails to the user's new email address, but the spoofers will still send out emails under the user's old email address, because in essence nothing has changed; so ...

... is there a way I can configure the user's old Outlook/Exchange email address to send outgoing emails specifically to the user's new email address only?  In sending outgoing emails to the user's new email address only, the user will still get their forwarded email from their old email address and the spoofers will not be sending out spam-like emails to our vendors/customers.

Assumption
I am assuming that forwarded emails act the same as sent emails.

Vitals
Exchange server is 2010 and Outlook client is 2013.  The user's desktop PC has Symantec Endpoint Protection installed and their PC has no viruses.

Conclusion
Any suggestion you can give me will be appreciated.  Maybe I am not seeing something that one of you experts can enlighten me on.


Thanks,
sla0610


Mahesh🇮🇳

Your problem is to stop phishing / spam spoofing attempts from your end.

If your email address is known to a spammer, he can definitely send out mails by keeping your email address in the "from" field.

You need SPF + DMARC  OR SPF + DKIM + DMARC properly set up in place so that recipient email servers can block spammers' emails and even reject them before they arrive in the recipient mailbox.
https://www.experts-exchange.com/questions/29134254/Spf-Dkim-Dmarc.html
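To make concrete what "recipient email servers can block spammers' emails" means once SPF is published, here is an added example (not code from this thread or from any expert in it) that models the check a receiving mail server performs: the connecting IP is compared against the mechanisms in the sending domain's SPF TXT record. DNS answers come from a constructed in-memory table, and `example.com`, `mail.example.com`, `_spf.mailrelay.example` and all IP addresses are placeholders, not real infrastructure. The same record that returns `pass` for the organisation's own mail server returns `fail` for any other sending host, which is what a strict receiver uses to reject a spoofed message.

```python
"""Offline SPF check_host() model (added illustration; not code from the thread).

FAKE_DNS stands in for the zone the organisation publishes. Only the
mechanisms commonly seen in practice (ip4/ip6, a, mx, include, all) are
handled; modifiers such as redirect= are reported as permerror.
"""
import ipaddress

# Constructed DNS data (placeholders, not real hosts or addresses).
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 mx ip4:198.51.100.10 include:_spf.mailrelay.example -all"
    ],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("_spf.mailrelay.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in DNS resolver over the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, cidr):
    """True if ip falls inside cidr (a bare address is treated as a /32 or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate ip sending as <domain>: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:  # RFC 7208 limits recursive lookups; treat excess as an error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"  # no SPF published: receivers cannot tell spoofed from real
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:  # redirect=, exp= and other modifiers are out of scope here
            return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            # include: matches only when the included domain's check passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all"


if __name__ == "__main__":
    # Constructed sending hosts: the organisation's MX, its relay, and a spoofer.
    for sender in ("203.0.113.25", "192.0.2.77", "203.0.113.200"):
        print(sender, "->", check_host(sender, "example.com"))
```

Mechanisms are evaluated left to right and the first match decides the result, so the trailing `-all` is what turns an unknown sender into `fail`; publishing `~all` instead would only produce `softfail`, which most receivers treat as a hint rather than a reason to reject.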

if I disable the user's old email address in exchange, then that will solve my problem with spoofers sending out spam-like emails

Regrettably this is not the case because the spoofed emails are not emanating from your network.  Giving your user a new email address only aggravates the problem; now your clients don't know what to believe and what to disbelieve.  In this situation if I was on the receiving end of an email I'd never believe "I have a new email account and you should ignore anything from elsewhere."  ... not without personally confirming it, at least (see below).

Putting up SPF would solve the problem if, and that is one enormous if, all receiving MTAs would all respect it strictly.  Alas, many of them ignore it and the ones that do check it usually don't enforce it; they just pass through email with incorrect SPF, perhaps flagging it with "Questionable SPF" somewhere in the headers -- a cryptic bit of technolingo which means nothing to most email users.

And in any case you don't have control over your clients' receiving MTAs, so no amount of SPF, DKIM or DMARC will solve the problem everywhere.

IMO the best policy is to call all these clients on the telephone, and ask them to call your Security department so that they know they are talking to you and not an Indian call center halfway around the world.  Have Security tell them you are encountering problems with spoofed emails, ignore all "billings" that are not paper mailed to them on company letterhead, and that they should feel free to call by telephone and confirm messages.

It would be best to set this policy now and make it official, because this won't be the last time this problem occurs.

John🇨🇦

In addition to the Record Settings above, implement a top notch spam filter on top of what you have. This stops most of the phishing and spoofing spams.

So I get a valid email from name@domain.com just fine, but spoofed emails from name@domain.com land in the spam quarantine as they should.

The only one I have seen in months and months was from a client where the ISP's DNS server was compromised. The ISP fixed their DNS, and we restarted all the network gear at the client. No issues since. We cannot do much about compromised DNS servers, but that is also a rare occurrence.


David Johnson, CD🇨🇦

Having a "top notch spam filter" on your end will not do anything to help alleviate the situation, since these emails originate outside of your network.  It is up to the party that receives the spam to do the corrective action.

John🇨🇦

It is up to the party that receives the spam to do the corrective action.  

I agree. But anyone trying to stop spam at their end needs a good spam filter.

David Favor🇺🇸

Here's how this works... expanding on Mahesh's comment.

1) Setup an SPF record for your domain.

2) Setup a DKIM record for your domain.

3) Ensure your DKIM signing is working.

Tip: This is simple. Send a message to a Gmail account. Select More -> Original Message -> Check DKIM pass/fail status.

4) Setup a DMARC report only record to track correctness of #1-#3 with various Mailbox Providers.

Note: Just because you setup all this correctly, it's 100% up to each Mailbox Provider how they enforce the policies you've setup.

Fixing this type of problem is complex + tends to require a good bit of time/money to resolve.

Best bet is to set up the above records + once your DMARC reports only show spoofers sending email for your domain, then raise the mode from report only (none) to strict (block email acceptance).
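Steps 3 and 4 above come down to two artifacts: the Authentication-Results header a receiving provider adds to each message (the pass/fail status you read in Gmail's original-message view), and the `_dmarc` TXT record whose `p=` tag tells receivers what to do when neither SPF nor DKIM passes in alignment with the From domain. The following is an added example, not code from this thread or from any expert in it; it parses both, applies DMARC identifier alignment, and shows how the same spoofed message is delivered under `p=none` but rejected once the policy is raised to `p=reject`. The messages, `example.com`, `mx.receiver.example` and the DMARC record strings are constructed placeholders, and the organisational-domain helper is a simplification that does not consult the Public Suffix List.

```python
"""DMARC disposition model (added illustration; not code from the thread).

Reads Authentication-Results from a parsed message, parses a DMARC TXT
record, checks SPF/DKIM alignment against the From header domain and
returns what an enforcing receiver would do with the message.
"""
import email
import re
from email import policy

# Constructed sample messages (placeholders, not real mail).
LEGIT = """From: Accounting <accounting@example.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Invoice

body
"""

SPOOFED = """From: Accounting <accounting@example.com>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Invoice

body
"""

# Signed by a subdomain's DKIM key: passes only under relaxed (default) alignment.
SUBDOMAIN_SIGNED = """From: Accounting <accounting@example.com>
Authentication-Results: mx.receiver.example; spf=none; dkim=pass header.d=mail.example.com
Subject: Invoice

body
"""

AR_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?(?:header\.d|smtp\.mailfrom)=([\w.@-]+)", re.I
)


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain):
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') requires an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def auth_results(raw_message):
    """Yield (method, result, domain) triples from Authentication-Results headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        for method, result, ident in AR_RE.findall(header):
            domain = ident.rpartition("@")[2]  # smtp.mailfrom may carry a full address
            found.append((method.lower(), result.lower(), domain))
    return found


def dmarc_disposition(raw_message, dmarc_record):
    """'pass', or the action the published policy requests for a failing message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    tags = parse_dmarc(dmarc_record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    for method, result, domain in auth_results(raw_message):
        if result != "pass":
            continue
        mode = adkim if method == "dkim" else aspf
        if aligned(domain, from_domain, mode):
            return "pass"  # one aligned pass is enough
    actions = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}
    return actions[tags["p"].lower()]


if __name__ == "__main__":
    for label, rec in (("report only", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
                       ("enforcing", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")):
        print(label, "->", dmarc_disposition(SPOOFED, rec))
```

The `rua=` tag is where the aggregate reports from step 4 are sent; the usual progression is to publish `p=none` with `rua=` first, confirm from those reports that only the organisation's own sources fail, and only then move to `p=quarantine` or `p=reject`. Whether a given provider honours the policy at all is, as noted above, still that provider's decision.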


Steve Avery🇺🇸 (ASKER)

Gentlemen,

Thank you all for your responses.  I will take each response to heart and act on it.  I do have a top notch spam filter in place for incoming mail.  I will look into setting up the SPF record and the DKIM record for our domain, and the DMARC record  -and-  ensure that the DKIM signing is working.

Each of your answers have put me on the right path to getting this issue solved.

Thank you,
sla0610

ASKER CERTIFIED SOLUTION
Steve Avery🇺🇸 (ASKER)

Steve Avery🇺🇸 (ASKER)

Closing my question.