How can I prevent spoofed emails from outside that use my internal accepted domain?
You need to remove the permission to bypass the sender address spoofing check by running:
    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
If that doesn't solve the problem (i.e. for Exchange 2013 CU5+), you should do the following:
Block your own domain with:
    Set-SenderFilterConfig -BlockedDomains mydomain.com
    Set-SenderFilterConfig -InternalMailEnabled $true
Remove ms-Exch-SMTP-Accept-Any-Sender for anonymous users with:
    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission
Allow open relay from LAN (if needed) with:
    Get-ReceiveConnector "name of your LAN Open Relay connector" | Add-ADPermission -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"
P.S. Make sure to restart the transport service after those operations.
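Added example (not part of the original answer): a PowerShell audit that checks the settings the answer changes, so you can confirm the fix took before and after restarting transport. It assumes the Exchange Management Shell, and the connector name and domain are placeholders.

```powershell
# Added audit script (not from the original answer). Run in the Exchange Management Shell.
param(
    [string]$InternetConnector = 'Default Frontend MYSERVER',  # placeholder: internet-facing connector
    [string]$OwnDomain         = 'mydomain.com'                # placeholder: your accepted domain
)

$anon   = 'NT AUTHORITY\Anonymous Logon'
$rights = @('ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',  # lets anonymous senders use your own domain
            'ms-Exch-SMTP-Accept-Any-Sender')                   # lets anonymous senders use any address

# 1. Does Anonymous Logon still hold either right on the internet connector?
foreach ($right in $rights) {
    $hit = Get-ReceiveConnector $InternetConnector |
        Get-ADPermission -User $anon |
        Where-Object { ($_.ExtendedRights -like $right) -and -not $_.Deny }
    if ($hit) { Write-Warning "$right is still granted to Anonymous Logon on '$InternetConnector'" }
    else      { Write-Output  "OK: $right is not granted to Anonymous Logon on '$InternetConnector'" }
}

# 2. Is the Sender Filter agent enabled, evaluating internal mail, and blocking our own domain?
$sf      = Get-SenderFilterConfig
$blocked = @($sf.BlockedDomains | ForEach-Object { "$_" })
if ($sf.Enabled -and $sf.InternalMailEnabled -and ($blocked -contains $OwnDomain)) {
    Write-Output "OK: Sender Filter enabled, InternalMailEnabled=True, $OwnDomain is blocked"
} else {
    Write-Warning ("Sender Filter: Enabled={0} InternalMailEnabled={1} BlockedDomains=[{2}]" -f
        $sf.Enabled, $sf.InternalMailEnabled, ($blocked -join ','))
}

# 3. Cross-check every accepted domain: a forged sender in one that is not blocked still gets through.
$missing = Get-AcceptedDomain |
    ForEach-Object { "$($_.DomainName)" } |
    Where-Object { $blocked -notcontains $_ }
if ($missing) { Write-Warning "Accepted domains not in BlockedDomains: $($missing -join ', ')" }

# 4. The answer's P.S.: the transport service must be restarted for the changes to apply.
$svc = Get-Service MSExchangeTransport
Write-Output "MSExchangeTransport is $($svc.Status); restart it (Restart-Service MSExchangeTransport) after changing the settings above."
```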
Niklas J. MacDowall
Updated on September 18, 2022
Comments
-
Niklas J. MacDowall almost 2 years
I'm receiving spam emails sent from my own domain to my own domain. I'm using Exchange 2013.
Example:
[email protected] is being used to send spam to [email protected].
I can successfully replicate the issue by telneting to the server from any external IP.
    telnet <external-ip-of-server> 25
    helo anydomain.com
    250 myserver.mydomain.com Hello [External-IP]
    mail from:[email protected]
    250 2.1.0 Sender OK
    rcpt to:[email protected]
    250 2.1.5 Recipient OK
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    some text here
    .
    250 2.6.0 <[email protected]> [InternalId=20890720927751, Hostname=myserver.mydomain.com] Queued mail for delivery
I have an SPF record set up like this:
v=spf1 ip4:External.IP.of.MyServer -all
I also have SenderID enabled on the Exchange 2013 server like this:
    [PS] C:\Windows\system32>get-senderidconfig | fl
    RunspaceId             : 9be45249-1186-42b4-9e4e-3bc5a56c0c63
    SpoofedDomainAction    : Reject
    TempErrorAction        : StampStatus
    BypassedRecipients     : {}
    BypassedSenderDomains  : {}
    Name                   : SenderIdConfig
    Enabled                : True
    ExternalMailEnabled    : True
    InternalMailEnabled    : False
    AdminDisplayName       :
    ExchangeVersion        : 0.1 (8.0.535.0)
    DistinguishedName      : CN=SenderIdConfig,CN=Message Hygiene,CN=Transport Settings,CN=MyOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com
    Identity               : SenderIdConfig
    Guid                   : e85c9acb-579e-4d92-bde7-03ac2dd9beac
    ObjectCategory         : mydomain.com/Configuration/Schema/ms-Exch-Message-Hygiene-Sender-ID-Config
    ObjectClass            : {top, msExchAgent, msExchMessageHygieneSenderIDConfig}
    WhenChanged            : 2015-12-08 10:23:24
    WhenCreated            : 2014-02-15 13:37:30
    WhenChangedUTC         : 2015-12-08 09:23:24
    WhenCreatedUTC         : 2014-02-15 12:37:30
    OrganizationId         :
    Id                     : SenderIdConfig
    OriginatingServer      : mydc.mydomain.com
    IsValid                : True
    ObjectState            : Unchanged
How can I prevent this type of spam without using any External Anti-Spam services?
-
gxx over 8 years
Sorry, I've overlooked the fact that SPF is already in place, so my answer was quite pointless. I've deleted it.
-
Niklas J. MacDowall over 8 years
I did find that too by Googling around for half a day. It didn't fix it. Do I need to restart the transport service afterwards, perhaps?
-
Anubioz over 8 years
Yes, you should restart the transport service (according to this).
-
Niklas J. MacDowall over 8 years
I do not see it listed as a requirement for configuring the above in your answer. But I will try it anyway.
-
Anubioz over 8 years
Basically, a transport service restart is only required when you enable the anti-spam agents/functionality (which is required for using any of the built-in anti-spam features). After that you should be able to change anti-spam settings without restarting the transport. I assumed you had restarted it already, so I didn't list it as a requirement in my answer. Anyway, can you try restarting it now and see if it helps?
-
Niklas J. MacDowall over 8 years
I removed ms-exch-smtp-accept-authoritative-domain-sender and restarted the Exchange Transport Service, but the issue is still the same.
-
Anubioz over 8 years
Can you please run
    Set-SenderIdConfig -InternalMailEnabled $True
and
    Set-SenderFilterConfig -InternalMailEnabled $True
and see if it helps?
-
Anubioz over 8 years
Let us continue this discussion in chat.
-
Niklas J. MacDowall over 8 years
I managed to solve the issue by blocking my own accepted domain in the SenderFilterConfig:
    Set-SenderFilterConfig -BlockedDomains mydomain.com
    Set-SenderFilterConfig -InternalMailEnabled $true