One of the more annoying types of spam is the kind that seems to be coming from your own domain, or worse, from your own email address! Of course, users from your own domain don't generally spam each other, unless you're using one of the free web-based email services. And most of us don't spam ourselves. Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, SMTP, the protocol that allows mail clients and servers to exchange email, allows headers to be spoofed easily.
In Exchange Server 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain (e12labs.com in this example) exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL FROM or From: headers.
You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.
Thanks to the extensive Transport Permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission which dictates whether an Accepted Domain can be used in the MAIL or FROM headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.
Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here's how the SMTP conversation goes:
220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:jadams@e12labs.com
550 5.7.1 Client does not have permissions to send as this sender
mail from:someone@someotherdomain.com
250 2.1.0 Sender OK
rcpt to:jadams@e12labs.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with
from:jadams@e12labs.com
subject: Header spoofing
This is how we spoof headers, spoof headers.
.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel
When not to remove the permission?
Is there a scenario where one should not remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon? Yes, on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication.
But you do have these internal/trusted hosts submitting to a separate Receive Connector, don't you?
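As an added example (not from the original post), the one-liner above can be turned into an audit-then-remediate script that strips the right only from the connectors you have named as internet-facing, leaving the connector for unauthenticated internal hosts untouched. It assumes PowerShell 2.0 or later in the Exchange Management Shell; the connector name in $InternetFacing is a placeholder for your own.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ in the
# Exchange Management Shell; the connector name below is a placeholder.
$InternetFacing = @("My Internet ReceiveConnector")  # your internet-facing connector name(s)
$Right = "ms-exch-smtp-accept-authoritative-domain-sender"
$Anon  = "NT AUTHORITY\Anonymous Logon"

# Return the allow ACE(s) on a Receive Connector that let anonymous clients use an
# Accepted Domain in MAIL FROM / From:. An empty result means such mail is rejected.
function Get-AnonSpoofGrant {
    param($ConnectorIdentity)
    Get-ADPermission -Identity $ConnectorIdentity -User $Anon |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $Right) }
}

# Build one audit row per connector: does it accept anonymous mail at all, and
# does Anonymous Logon still hold the authoritative-domain-sender right on it?
function Get-SpoofAudit {
    foreach ($rc in Get-ReceiveConnector) {
        New-Object PSObject -Property @{
            Connector      = $rc.Identity.ToString()
            AnonymousUsers = [bool]($rc.PermissionGroups -match "AnonymousUsers")
            AllowsSpoof    = [bool](Get-AnonSpoofGrant $rc.Identity)
            InternetFacing = ($InternetFacing -contains $rc.Name)
        }
    }
}

# 1. Audit before changing anything.
$before = Get-SpoofAudit
$before | Format-Table Connector, AnonymousUsers, AllowsSpoof, InternetFacing -AutoSize

# 2. Remove the right only where it matters: connectors that face the internet.
#    Connectors used by unauthenticated internal hosts (copiers, app servers)
#    keep it; otherwise their mail from your own domain would be rejected too.
foreach ($row in ($before | Where-Object { $_.AllowsSpoof -and $_.InternetFacing })) {
    Get-AnonSpoofGrant $row.Connector | Remove-ADPermission -Confirm:$false
}

# 3. Verify: an internet-facing connector still showing AllowsSpoof=True needs a
#    look (for example, Active Directory replication has not caught up yet).
Get-SpoofAudit | Where-Object { $_.InternetFacing } |
    Format-Table Connector, AllowsSpoof -AutoSize
```

Run step 1 on its own first and confirm the InternetFacing column matches your topology before letting step 2 run, since a wrong name in $InternetFacing is the only way this script touches the wrong connector.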

5 Comments:
One problem with this -- two major sites, Expedia and PayPal, send out emails with the user's email as the sender.
So travel itineraries and PayPal subscription payments get bounced since they're trying to send email to you as you.
I've tried to contact their support departments as they really shouldn't be doing that, but they haven't changed/fixed it yet.
So, your users will lose emails from those sites with this config :/
Such messages would also run into issues with technologies like SenderID/SPF.
Yes, they would/do... but unless some major site (Hotmail/Gmail/Yahoo) starts enforcing those, then PayPal, Expedia and who knows who else will keep ignoring it.
Users will scream if their travel itineraries bounce though even if the SenderID/SPF fails.
Bharat,
I've got a "smarthost" which is a SunSPARC 5 Solaris box acting as the email relay to my HT-CAS-MBX server, so if this device stops, all email stops too.
Does that mean I should not implement this method?
Thanks for all your postings.
@Albert: If the non-Exchange/external SMTP host configured as a smarthost on a SendConnector is unavailable, outbound mail will queue on your Hub Transport server.
If the server is also the target of MX record(s) for your domain(s), inbound internet mail will not be delivered by remote SMTP hosts. (Most mail servers will queue mail for a preconfigured period, ~2 days, before returning an NDR to the sender.)
Mitigation: You can add additional smarthosts - either from within your organization, or those belonging to your ISP/service provider. When multiple smarthosts are added to the same SendConnector, they're load-balanced.
If using a separate Send Connector with a different smarthost as a "backup", you will need to monitor the queues and disable the "primary" Send Connector to have Exchange 2007 switch over to the second Connector. For inbound internet mail, this can be achieved using additional MX record(s) with a higher preference pointing to the additional smarthost(s).