In recent months you may have received spam that appears to be sent from an account in your own domain. When you investigate the issue, you will discover that this is not the case. So why doesn't Exchange do something about this kind of spam? I found the answer on the Exchangepedia blog. Every mail received from the internet is accepted under the anonymous user; if you remove this user from the connector, you won't be able to receive mail from the internet. This account has some rights that it needs. One of these rights is ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, which ensures that every session which contains a message from an authoritative domain will not be checked.

To prevent this you will need to remove some rights from the connector by using the following command:

 

Get-ReceiveConnector "Internet" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Please keep in mind that this will also have consequences for other applications and devices that use this connector as the anonymous user. For these applications and devices you will need to create a separate connector.

Posted in Exchange 2007 ~ No comments

Spoofing

28 September, 2008

Spoofing happens more often nowadays. For those who don't know what spoofing is: spammers use an internal address hosted by your mail server as the sender of a message to an internal user. With this method it looks as if another user is sending spam to an existing user in your environment. When you investigate the headers of the mail, you will see that it was sent via an external IP address.

But how do you prevent this kind of spam? The best option is to use SPF records. These are records placed in your DNS that contain all the servers that are authorized to send mail for your domain. If you don't have an SPF record yet, the following site will help you make one.

Another method that can be used with Exchange 2007 is removing privileges from the receive connector that is used for receiving mail from the internet. This prevents external senders from using your domain name to send mail to your mail server.

Get-ReceiveConnector "Internet" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

The PowerShell command above removes the right of the anonymous logon to send mail as an internal user to an internal user.

Keep in mind that there are a few disadvantages. Sites such as PayPal use the mail address of the user to send a mail to the user. This mail will not be delivered anymore. Sometimes people don't make separate connectors for special devices such as a copier with mail functionality. These will also stop working. The advice for the last case is to create a separate receive connector for this kind of device.
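
The change described above, carried out in a safe order, as an added example that is not part of the original post: audit where the right is granted, create the separate device connector first, then remove the right from the internet-facing connector and verify. The connector names "Internet" and "Devices", the server name EXCH01 and the address 192.0.2.10 are placeholder assumptions.

```powershell
# Added example for the Exchange Management Shell.
# "Internet", "Devices", EXCH01 and 192.0.2.10 are placeholders.
$right = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$anon  = "NT AUTHORITY\Anonymous Logon"

# 1. Audit: list every receive connector on which the anonymous logon
#    holds the authoritative-domain-sender right.
Get-ReceiveConnector | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Format-List Identity, User, Deny, IsInherited, ExtendedRights

# 2. Before touching the internet-facing connector, create a dedicated
#    connector for internal devices (copier, application server) that must
#    keep sending anonymously from an internal address. It is limited to the
#    devices' IP addresses, so the more specific range is matched for them.
New-ReceiveConnector -Name "Devices" -Server "EXCH01" -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "192.0.2.10" `
    -PermissionGroups AnonymousUsers

# 3. Select the permission entry on the internet-facing connector,
#    preview the removal with -WhatIf, then remove it.
$ace = Get-ReceiveConnector "Internet" | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right }
$ace | Remove-ADPermission -WhatIf
$ace | Remove-ADPermission

# 4. Verify: this should now return nothing for "Internet", while the
#    audit in step 1 should still list the "Devices" connector.
Get-ReceiveConnector "Internet" | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right }
```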

Posted in Exchange 2007 ~ 2 comments

PDF spam less popular

1 September, 2007

Sophos

The number of spam messages containing PDF files has decreased this month. According to Sophos this can only mean one thing: this type of spam doesn't work. On 7 August there was an increase in the number of spam messages. The cause of this was the PDF spam in use at the time; since then the amount of spam has decreased.

Posted in Blog ~ No comments
