Is your Exchange Server relaying spam? How to Prevent annoying spam coming from your own domain

Overview:
One of the more annoying types of spam is the one that seems to be coming from your own domain; or worse— from your own email address! Of course, users from your own domain don’t generally spam each other— unless you’re using one of the free web-based email services. And most of us don’t spam ourselves.
Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, the protocol that allows mail clients and servers to exchange email, allows headers to be spoofed easily.
Example of spam message;
Here is an example of spam invasion with blank sender id and unknown source ip address.
Identity: ExchangeServer\457246\2113836
Subject: Undeliverable: Puerto Rico employment law essentials
Internet Message ID: <fd3fc050-6cb4-4d7e-8f37-decd7f191d54>
From Address: <>
Status: Ready
Size (KB): 23
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 7/27/2011 8:19:23 AM
Expiration Time: 7/29/2011 8:19:23 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: server-ex\457246
Recipients: bounce-219841-1586557@list3.randomdomain.com


1. First you need to find out whether the Exchange Server is an open SMTP relay.

"An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. Such servers are usually targets for spam senders."

Note: For how to determine if your Exchange Server is an Open relay see the following link

If you have an open mail relay, I suggest you remove permission to bypass the sender address spoofing check by running:

Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

To block the "Blank Sender" as you can see in the above snapshot do the following;

Set-SenderFilterConfig -BlankSenderBlockingEnabled $ true

If someone out of your domain pretend to send email as your own domain users, to prevent it, please use the following command to remove ms-Exch-SMTP-Accept-Any-Sender for anonymous users with:

Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission


*Make sure to restart transport service after those operations


If the above mentioned method doesn't work then try the following;

1- Get-RecipientFilterConfig | Format-List Enabled

2- Set-RecipientFilterConfig -BlockListEnabled $true

3- Get-RecipientFilterConfig | Format-List BlockListEnabled

4- Set-RecipientFilterConfig -RecipientValidationEnabled $true

5- Get-RecipientFilterConfig | Format-List RecipientValidationEnabled

6- Set-SenderReputationConfig -Enabled $true

7- Get-senderreputationconfig | fl *mail*

8- set-senderreputationconfig  -InternalMailEnabled $true

9- Get-senderreputationconfig | fl *mail*

Moreover you can use Wireshark to Monitor your SMTP traffic closely to find out the infected clients.

Try these filters:

tcp.port==25

smtp.data.fragment.count > 0 and not (imf.address contains "yourcompany.com")



Hope you will find this helpful.

Comments

Post a Comment

Popular posts from this blog

Troubleshooting IMAP Connectivity: Unable to authenticate to IMAP server. IMAP command failed: Login failed.

Image
The first step is to check if the  Courier  IMAP server is accepting connections. Open a terminal window and type: telnet hostname 143 Replace  hostname  with the  IMAP  server's  DNS  name. This expected results would look like this: $ telnet imap.example.com 143 If you get the error "no login failed" then you need to check the following; 1. Make sure IMAP Service is running. 2.  You should make sure that you are using the correct password and that the mail username is in the format: 3. Make sure there is correct name in your exchange server certificate. Please check your certificate settings: Get-ExchangeCertificate | fl I noticed that the InternalConnectionSettings is pointed to Test2.contoso.com but the X509CertificateName is using Remote.domain.com. If there is a certificate with Test2.contoso.com, please change the X509CertificateName to it to have a try: Set-IMAPSettings -Identity Test2\1  -X509CertificateName Test2.contoso.com T...
Read more

How to prevent sending external e-mail, but allow internal e-mail in Microsoft Exchange Server.

Image
Sometime may be you have internal & external domains configured in your organization and you don't want allow internal users to send emails outside the organization or to the public domains. You can achieve this using Microsoft Exchange Transport rules. Suppose you have all internal users in OU name "InternalMail" create a distribution group in the OU and add all internal users as member. Open up Exchange admin console " https://yourexchangeserver/ecp " and navigate to "mail flow" -> "Rules" Click the + button -> " Restrict messages by sender or recipient " In this example " extblk " is a distribution group. Added two conditions first is " the recipient is located " second is " the sender is a member of " Review the Rule mode is set to "Enforce" and leave other settings default and save the rule. You are done !
Read more

Legacy Windows XP clients must match the Certificate Common Name in Outlook for (RPC over HTTP) Exchange 2013

Image
In this post I am going to discuss these two topics a bit further as this issue will impact many organisations moving to Exchange 2013 for those still running Windows XP (despite the fact it is no longer supported) seeming Exchange 2013 only supports RPC over HTTP or MAPI over HTTP (out of scope for this article). To recap what I wrote about in the previous articles 5 years ago, for RPC over HTTP(s) aka Outlook Anywhere to work on any version of the Outlook Client on the XP, the MSSTD value must match the "Common Name" on the certificate. What am I talking about? Well let me show you... The MSSTD is specified under " Only connect to proxy servers that have this principal name in their certificate " which can be found within Outlook under Account Settings, Open the Account, More Settings, Connection Tab and finally Exchange Proxy Settings. This value must match the "Common Name" of the certificate which in this example is mail.example.com as shown below nex...
Read more