
I have an interesting issue with Exchange where it appears to check and stamp spoofed messages from external domains but not ones it has been set up to send from. For example, I can spoof a message from 1@example.com where example.com has a valid SPF record and Exchange will check it and mark it as Junk in Outlook. When I send a spoofed email from 1@mycompany.com, Exchange does not appear to check the SPF as it doesn't get moved to Junk.

The environment is Exchange 2013 with two SPF records, one on the external DNS and one on the internal with some extra IPs so printers etc. can function. The internal record was necessary because both the internal domain and the external one are the same. nslookup on the Exchange servers shows the text record for mydomain.com

v=spf1 include:spf.hes.trendmicro.com -all
v=spf1 ip4:10.0.0.1/16 ip4:$external include:spf.hes.trendmicro.com -all

The Exchange SenderIdConfig is as below

RunspaceId            : e71ca342-a96a-4af4-a278-e423c3952af9
SpoofedDomainAction   : StampStatus
TempErrorAction       : StampStatus
BypassedRecipients    : {}
BypassedSenderDomains : {}
Name                  : SenderIdConfig
Enabled               : True
ExternalMailEnabled   : True
InternalMailEnabled   : False

I have tested with InternalMailEnabled set to $true but that doesn't seem to help and frankly I'm running out of ideas as to what's going on here.

If anyone is interested or if it makes any difference, I'm spoofing the messages using mutt on my own webserver, so definitely not covered by the SPF records in any way, and the reason I'm trying to do this is that a scammer managed to spoof their way to almost getting some financial info from one of our accountants by pretending to be the CEO.

If anyone can provide some advice on what I can change or where I can look for more info on what's happening to the messages, I would be much obliged.

1 Answer

Ok, this is not strictly an answer to the original question, but it achieved the original outcome for me, which was to stop people from being able to spoof the company's domain when sending to that company.

The answer is a simple transport rule that specifies: if a message's "From" header contains "@company.com" and the message originates from outside the organization, do something to mark it as spoofed. All credit goes to Caltaru Mihai from Technet.
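The transport rule described in this answer, written out as an added Exchange Management Shell example (not the answerer's own script); company.com, the rule name and the trusted relay range are placeholders you would replace with your own values.

```powershell
# Added example: flag messages whose From header claims our domain but which
# entered from outside the organization. Assumes Exchange 2013 and that
# company.com stands in for your accepted domain.
$ourDomain = 'company.com'

New-TransportRule -Name "Flag external mail claiming to be $ourDomain" `
    -FromScope NotInOrganization `
    -FromAddressMatchesPatterns "@$([regex]::Escape($ourDomain))$" `
    -SetSCL 9 `
    -PrependSubject '[EXTERNAL - POSSIBLE SPOOF] ' `
    -SetHeaderName 'X-Spoof-Check' `
    -SetHeaderValue 'From-header-domain-internal-but-source-external' `
    -Comments 'Mitigates CEO-fraud style spoofing of our own domain.' `
    -Mode Enforce

# Caveat: legitimate third-party senders that use your address in the From
# header (a hosted scanning service, a bulk-mail provider, a printer relay)
# will also be caught. Exempt them by source IP rather than by sender
# address, since the sender address is exactly what an attacker controls.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
Set-TransportRule -Identity "Flag external mail claiming to be $ourDomain" `
    -ExceptIfSenderIpRanges '203.0.113.0/24'

# Review the resulting rule before trusting it in production.
Get-TransportRule -Identity "Flag external mail claiming to be $ourDomain" |
    Format-List Name, State, Mode, FromScope, FromAddressMatchesPatterns,
                SetSCL, PrependSubject, ExceptIfSenderIpRanges
```

Setting the SCL to 9 routes the message to Junk under the default content filter thresholds; test in audit mode (`-Mode Audit`) first and check the message trace for the rule name so legitimate mail flows are not disrupted.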