5

I'm receiving spam emails sent from my own domain to my own domain. I'm using Exchange 2013.

Example:

myemail@mydomain.com is being used to send spam to myemail@mydomain.com.

I can successfully replicate the issue by telnetting to the server from any external IP.

telnet <external-ip-of-server> 25
helo anydomain.com
250 myserver.mydomain.com Hello [External-IP]
mail from:myemail@mydomain.com
250 2.1.0 Sender OK
rcpt to:myemail@mydomain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
some text here
.
250 2.6.0 <f64fd0bdf5c2460087b95c3ab343ef80@myserver.mydomain.com> [InternalId=20890720927751, Hostname=myserver.mydomain.com] Queued mail for delivery

I have an SPF record set up like this: v=spf1 ip4:External.IP.of.MyServer -all

I also have SenderID enabled on the Exchange 2013 server like this:

[PS] C:\Windows\system32>get-senderidconfig | fl


RunspaceId            : 9be45249-1186-42b4-9e4e-3bc5a56c0c63
SpoofedDomainAction   : Reject
TempErrorAction       : StampStatus
BypassedRecipients    : {}
BypassedSenderDomains : {}
Name                  : SenderIdConfig
Enabled               : True
ExternalMailEnabled   : True
InternalMailEnabled   : False
AdminDisplayName      :
ExchangeVersion       : 0.1 (8.0.535.0)
DistinguishedName     : CN=SenderIdConfig,CN=Message Hygiene,CN=Transport Settings,CN=MyOrganization,CN=Microsoft Exchange,CN=S
                        ervices,CN=Configuration,DC=mydomain,DC=com
Identity              : SenderIdConfig
Guid                  : e85c9acb-579e-4d92-bde7-03ac2dd9beac
ObjectCategory        : mydomain.com/Configuration/Schema/ms-Exch-Message-Hygiene-Sender-ID-Config
ObjectClass           : {top, msExchAgent, msExchMessageHygieneSenderIDConfig}
WhenChanged           : 2015-12-08 10:23:24
WhenCreated           : 2014-02-15 13:37:30
WhenChangedUTC        : 2015-12-08 09:23:24
WhenCreatedUTC        : 2014-02-15 12:37:30
OrganizationId        :
Id                    : SenderIdConfig
OriginatingServer     : mydc.mydomain.com
IsValid               : True
ObjectState           : Unchanged

How can I prevent this type of spam without using any External Anti-Spam services?

  • Sorry, I've overlooked the fact that SPF is already in place, so my answer was quite pointless. I've deleted it. – gxx Dec 08 '15 at 11:44

1 Answer

5

You need to remove permission to bypass the sender address spoofing check by running:

Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

If that doesn't solve the problem (i.e. for Exchange 2013 CU5+), you should do the following:

  1. Block your own domain with

    Set-SenderFilterConfig -BlockedDomains mydomain.com

    Set-SenderFilterConfig -InternalMailEnabled $true

  2. Remove ms-Exch-SMTP-Accept-Any-Sender for anonymous users with

    Get-ReceiveConnector "name of the internet receive connector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

  3. Allow open relay from LAN (if needed) with:

    Get-ReceiveConnector "name of your LAN Open Relay connector" | add-ADPermission -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

P.S. Make sure to restart the transport service after those operations.

Anubioz
  • 3,597
  • 17
  • 23
  • I did find that too by Googling around for half a day. It didn't fix it. Do I need to restart the transport service after perhaps? – Niklas J. MacDowall Dec 08 '15 at 11:41
  • Yes, you should restart the transport service (according to [this](https://technet.microsoft.com/en-us/library/bb201691%28v=exchg.150%29.aspx)) – Anubioz Dec 08 '15 at 11:47
  • I do not see it listed as a requirement for configuring the above in your answer. But I will try it anyway. – Niklas J. MacDowall Dec 08 '15 at 11:51
  • Basically transport service restart is only required when you [enable anti-spam agents/functionality](https://technet.microsoft.com/en-us/library/bb201691(v=exchg.150).aspx) (which is required for using any of the built-in anti-spam features). After that you should be able to change anti-spam settings without restarting the transport. I assumed you have restarted it already, so I didn't list it as a requirement in my answer. Anyway, can you try restarting it now and see if it helps? – Anubioz Dec 08 '15 at 12:04
  • I removed `ms-exch-smtp-accept-authoritative-domain-sender` and restarted Exchange Transport Service, but the issue is still the same. – Niklas J. MacDowall Dec 08 '15 at 12:18
  • Can you please run `Set-SenderIdConfig -InternalMailEnabled $True` and `Set-SenderfilterConfig -InternalMailEnabled $True` and see if it helps? – Anubioz Dec 08 '15 at 12:34
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/32674/discussion-between-anubioz-and-niklasj). – Anubioz Dec 08 '15 at 13:15
  • I managed to solve the issue by blocking my own accepted domain in the SenderFilterConfig. `Set-SenderFilterConfig -BlockedDomains mydomain.com` `Set-SenderFilterConfig -InternalMailEnabled $true` – Niklas J. MacDowall Dec 08 '15 at 15:23
  • 1
    Actually, I did not have to remove `ms-Exch-SMTP-Accept-Any-Sender` from Anonymous users on my receive connector. I did however remove `ms-exch-smtp-accept-authoritative-domain-sender` – Niklas J. MacDowall Dec 09 '15 at 07:46
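The steps in the answer and the fix the asker settled on, pulled together into one script as an added example (this is not code from the question, the answer or Microsoft). It audits which of the two spoofing-related extended rights Anonymous Logon holds on the internet receive connector, removes them, adds the accepted domain to the sender filter block list, restarts transport, and then repeats the question's telnet envelope over a raw TCP connection to confirm the server now answers MAIL FROM or RCPT TO with a 5xx reply instead of "250 ... Sender OK". The connector name, domain and server FQDN are placeholders; `Test-SpoofedSender` is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added example (not from the original post): audit, remediate and verify an
# Exchange 2013 internet-facing receive connector against mail that spoofs one
# of your own accepted domains. Run in the Exchange Management Shell.
$ConnectorName = "Default Frontend MYSERVER"   # placeholder: your internet receive connector
$OwnDomain     = "mydomain.com"                # placeholder: accepted domain being spoofed
$ServerFqdn    = "myserver.mydomain.com"       # placeholder: public MX host to test against

# 1. Audit: either of these rights lets an unauthenticated sender put an accepted
#    domain in MAIL FROM, which is exactly what the telnet session shows.
$spoofRights = @("ms-Exch-SMTP-Accept-Any-Sender",
                 "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender")

$anonAces = Get-ReceiveConnector $ConnectorName |
    Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" |
    Where-Object { -not $_.Deny }

foreach ($ace in $anonAces) {
    foreach ($right in $ace.ExtendedRights) {
        if ($spoofRights -contains "$right") {
            Write-Warning "Anonymous Logon holds $right on '$ConnectorName'"
        }
    }
}

# 2. Remediate: drop both rights for anonymous senders on the internet connector
#    (the LAN relay connector, if you have one, keeps its own permissions).
Get-ReceiveConnector $ConnectorName |
    Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender" -or
                   $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" } |
    Remove-ADPermission -Confirm:$false

# 3. The fix that worked for the asker: block the domain in the sender filter.
#    @{Add=...} appends to BlockedDomains instead of replacing whatever is
#    already listed; InternalMailEnabled makes the filter also look at mail
#    that claims an internal sender.
Set-SenderFilterConfig -BlockedDomains @{Add = $OwnDomain} -InternalMailEnabled $true
Get-SenderFilterConfig | Format-List Enabled, InternalMailEnabled, BlockedDomains

Restart-Service MSExchangeTransport

# 4. Verify: replay the question's envelope (HELO / MAIL FROM / RCPT TO, no DATA)
#    and return the final reply line for each command. Helper defined here for
#    the example; run it from OUTSIDE the LAN so the internet connector answers.
function Test-SpoofedSender {
    param([string]$Server, [string]$Domain)
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    $null = $reader.ReadLine()                          # 220 banner
    $replies = [ordered]@{}
    foreach ($cmd in @("HELO probe.example",
                       "MAIL FROM:<postmaster@$Domain>",
                       "RCPT TO:<postmaster@$Domain>",
                       "QUIT")) {
        $writer.WriteLine($cmd)
        $line = $reader.ReadLine()
        # multi-line replies use "250-" continuation lines; keep the last one
        while ($line -match '^\d{3}-') { $line = $reader.ReadLine() }
        $replies[$cmd] = $line
    }
    $client.Close()
    return $replies
}

$result = Test-SpoofedSender -Server $ServerFqdn -Domain $OwnDomain
$result.GetEnumerator() | ForEach-Object { "{0,-40} {1}" -f $_.Key, $_.Value }
if ($result["MAIL FROM:<postmaster@$OwnDomain>"] -match '^250' -and
    $result["RCPT TO:<postmaster@$OwnDomain>"]  -match '^250') {
    Write-Warning "Server still accepts a spoofed $OwnDomain sender from an anonymous session"
}
```

The verification step has to be run from an address outside your own network; from the LAN the relay connector (step 3 of the answer) may still accept the envelope by design, which would be a false alarm. With the sender filter in place the reject normally appears at MAIL FROM; with only the connector permissions removed it may appear at RCPT TO or only after DATA, so check every reply, not just the first.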