Spoofing happens more often now a days. For the people who don’t know what spoofing is: with spoofing spammers will use an internal address that are hosted by your mailserver to send a message to a user internally. With this method it looks like another user is sending spam to an existing user in your environment. When you will investigate the headers of the mail you will see that the mail is send via an external IP-address.

But how do you prevend this kind of spam ? The best option is to use SPF records. This are records that are placed in your DNS which containts all the servers who are authorized to send mail from. If you don’t have a SPF record yet the following site will help you make one.

An other method that can be used with Exchange 2007 is removing the privileges from the send connector which is used for receiving mail from the internet. With this you will prevent that external people will use your domainname to send mail to your mailserver.

Get-ReceiveConnector 'Internet' | Get-ADPermission -user 'NT AUTHORITY\Anonymous Logon' | where {$_.ExtendedRights -like 'ms-exch-smtp-accept-authoritative-domain-sender'} | Remove-ADPermission

The Powershell command above will remove the rights for the anonymous logon to send mail to as an internal user to an internal user.

Keep in mind there a few disadvantages. Sites such as Paypal will use the mail address of the user to send a mail to the user. This mail will not be delivered anymore.  Sometimes people don’t make seperate connectors for special devices such as a copier with mail functionality. This will also not work anymore. The advice for the last case is to create a seperate receive connector for this kind of stuff.


Johan Veldhuis