Preventing External Spoofed Spam From Authoritative Address Spaces or Domains

I’ve been receiving a very particular kind of spam lately - one where the sender was spoofed as myself.

My SPF records already would FAIL or SOFTFAIL (using ~all or -all, I tried both):

X-MS-Exchange-Organization-PRD: justinho.com Received-SPF: SoftFail (EXETER.jupiterstation.justinho.com: domain of transitioning justinho.com discourages use of 83.237.188.247 as permitted sender)

But the problem was, the sender was myself, and so I was on my own safe list. And safe lists override everything, setting the SCL to -1. So the email never went into my Junk mailbox.

X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList X-MS-Exchange-Organization-SCL: -1 X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL

It seems that Exchange 2007 Edge (SP1, at least) servers seem to create Internet connectors, by default, with the “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender” permission granted. The “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender” right essentially says, “accept email from users that claim to be from domains that I am authoritative for,” as per http://technet.microsoft.com/en-us/library/aa997170.aspx

So I took the permission away from my internet Receive-Connector on my Edge server. (I named my Internet-facing Receive-Connector “InternetInbound” in this example, so to eliminate the need for quotation marks due to spacing)

remove-ADPermission -Identity InternetInbound -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Confirm Are you sure you want to perform this action? Removing Active Directory permission “InternetInbound” for user “NTAUTHORITY\ANONYMOUS LOGON” with access rights “‘ms-Exch-SMTP-Accept-Authoritative-Domain-Sender’”. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”):a

Result: When sending a MAIL FROM: field that contains an email address that the Edge box is authoritative for, emails are rejected.

cairo.justinho.com #<cairo.justinho.com #5.7.1 smtp; 550 5.7.1 Anonymous client does not have permissions to send as this sender> #SMTP#

I suggest you enable protocol logging for the first few days to ensure everything is working smoothly:

set-ReceiveConnector -Identity “EXETER\InternetInbound” -ProtocolLoggingLevel 1

You can add the permission back if you don’t like the result:

add-ADPermission -Identity InternetInbound -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

You can also check the current “Extended” permissions applied to all Receive-Connector objects on a particular server: (formatted here to grab only the columns you’re interested in. You’re welcome.)

Get-ReceiveConnector Get-ADPermission table identity,user,ExtendedRights -wrap

Considerations: