Preventing External Spoofed Spam From Authoritative Address Spaces or Domains
13 Apr 2008

I’ve been receiving a very particular kind of spam lately - one where the sender address was spoofed to be my own.

My SPF record already produced a FAIL or SOFTFAIL for these messages (I tried both ~all and -all):
X-MS-Exchange-Organization-PRD: justinho.com
Received-SPF: SoftFail (EXETER.jupiterstation.justinho.com: domain of transitioning justinho.com discourages use of 83.237.188.247 as permitted sender)
But the problem was that the sender was “me”, and so I was on my own safe list. A safe-list match overrides everything else and sets the SCL to -1, so the email never went into my Junk mailbox:
X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
It seems that Exchange 2007 Edge servers (SP1, at least) create Internet Receive connectors by default with the “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender” permission granted to anonymous clients. That right essentially says, “accept email from clients that claim to be sending from domains that I am authoritative for,” as per http://technet.microsoft.com/en-us/library/aa997170.aspx
So I took the permission away from the Internet Receive connector on my Edge server. (I named my Internet-facing Receive connector “InternetInbound” in this example, to avoid needing quotation marks around a name containing spaces.)
>remove-ADPermission -Identity InternetInbound -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "InternetInbound" for user "NTAUTHORITY\ANONYMOUS LOGON" with access rights "'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):a
Result: when the MAIL FROM: field contains an email address in a domain the Edge server is authoritative for, the message is rejected:
cairo.justinho.com #<cairo.justinho.com #5.7.1 smtp; 550 5.7.1 Anonymous client does not have permissions to send as this sender> #SMTP#
I suggest you enable protocol logging on the connector for the first few days to confirm everything is working smoothly (and to see who is being rejected):
>set-ReceiveConnector -Identity "EXETER\InternetInbound" -ProtocolLoggingLevel 1
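Once protocol logging is on, the rejections described above show up as 550 5.7.1 responses in the Receive connector log. The following is an added example, not part of the original post, that summarises those rejections per remote host and claimed sender so you can see who kept trying to spoof your domains. The function name is mine; the field layout is the standard Exchange 2007 SMTP protocol-log CSV format, and the sample lines are constructed for illustration (the IP is the one from the headers above).

```powershell
# Added example (not from the original post): summarise "send as this sender"
# rejections from an Exchange 2007 Receive connector protocol log. Function name
# is my own; the sample log lines below are constructed, not a real capture.
function Get-SpoofRejectSummary {
    param([Parameter(Mandatory=$true)][string[]]$LogLines)

    # Column layout of the Exchange 2007 SMTP receive protocol log
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    # Skip the #Software/#Version/#Fields header lines and parse the rest as CSV
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header $fields

    # Remember the last MAIL FROM per session so a rejection can be attributed
    # to the address the client claimed
    $lastMailFrom = @{}
    $hits = @()
    foreach ($row in $rows) {
        if ($row.event -eq '<' -and $row.data -match '^MAIL FROM:<([^>]*)>') {
            $lastMailFrom[$row.'session-id'] = $matches[1]
        }
        elseif ($row.event -eq '>' -and $row.data -like '550 5.7.1*send as this sender*') {
            $hits += New-Object PSObject -Property @{
                Time      = $row.'date-time'
                RemoteIP  = ($row.'remote-endpoint' -split ':')[0]
                Claimed   = $lastMailFrom[$row.'session-id']
                Connector = $row.'connector-id'
            }
        }
    }

    # One summary object per remote host / claimed sender pair, busiest first
    $hits | Group-Object RemoteIP, Claimed | Sort-Object Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                RemoteIP = $_.Group[0].RemoteIP
                Claimed  = $_.Group[0].Claimed
                Rejects  = $_.Count
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        }
}

# Constructed sample lines. On a real server read the log files from the path
# shown by (Get-TransportServer).ReceiveProtocolLogPath instead.
$sample = @(
  '#Software: Microsoft Exchange Server',
  '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context',
  '2008-04-13T02:15:07.123Z,EXETER\InternetInbound,08CA5F2B7A1E0001,4,192.0.2.10:25,83.237.188.247:4412,<,MAIL FROM:<justin@justinho.com>,',
  '2008-04-13T02:15:07.140Z,EXETER\InternetInbound,08CA5F2B7A1E0001,5,192.0.2.10:25,83.237.188.247:4412,>,550 5.7.1 Anonymous client does not have permissions to send as this sender,',
  '2008-04-13T02:16:11.002Z,EXETER\InternetInbound,08CA5F2B7A1E0002,4,192.0.2.10:25,83.237.188.247:4420,<,MAIL FROM:<justin@justinho.com>,',
  '2008-04-13T02:16:11.020Z,EXETER\InternetInbound,08CA5F2B7A1E0002,5,192.0.2.10:25,83.237.188.247:4420,>,550 5.7.1 Anonymous client does not have permissions to send as this sender,',
  '2008-04-13T02:20:44.511Z,EXETER\InternetInbound,08CA5F2B7A1E0003,4,192.0.2.10:25,198.51.100.7:50210,<,MAIL FROM:<someone@example.net>,',
  '2008-04-13T02:20:44.530Z,EXETER\InternetInbound,08CA5F2B7A1E0003,5,192.0.2.10:25,198.51.100.7:50210,>,250 2.1.0 Sender OK,'
)

Get-SpoofRejectSummary -LogLines $sample |
    Format-Table RemoteIP, Claimed, Rejects, LastSeen -AutoSize
```

With the constructed input this reports two rejections from 83.237.188.247 claiming justin@justinho.com and nothing for the legitimate sender. Feeding it the real RECV*.LOG files (via Get-Content) gives you the list of hosts worth blocking at the firewall or adding to an IP block list, which is the kind of follow-up the protocol log is meant to support.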
You can add the permission back if you don’t like the result:
>add-ADPermission -Identity InternetInbound -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
You can also check the current “Extended” permissions applied to all Receive connector objects on a particular server (formatted here to show only the columns you’re interested in. You’re welcome.):
> Get-ReceiveConnector | Get-ADPermission | Format-Table identity,user,ExtendedRights -wrap
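Reading that table by eye works for one server; for a recurring check you want something that answers yes/no per connector. The following is an added example, not part of the original post, that wraps the same cmdlets in a function: it reports every Receive connector on a server that still grants the right to anonymous clients and, with -Remediate, removes it exactly as the Remove-ADPermission command above does. The function and parameter names are mine.

```powershell
# Added example (not from the original post): audit every Receive connector on
# an Exchange 2007 server for the authoritative-domain sender right granted to
# anonymous clients, and optionally remove it. Same cmdlets and right name as the
# post; function/parameter names are my own. Run from the Exchange Management Shell.
function Test-AnonymousAuthoritativeSender {
    param(
        # Server whose connectors to audit; defaults to the local machine.
        [string]$Server = $env:COMPUTERNAME,
        # Remove the right where it is found instead of only reporting it.
        [switch]$Remediate
    )
    $right = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
    $anon  = 'NT AUTHORITY\ANONYMOUS LOGON'

    foreach ($connector in (Get-ReceiveConnector -Server $Server)) {
        # Allow ACEs (Deny entries are ignored) that give anonymous clients the right
        $grants = @($connector | Get-ADPermission | Where-Object {
            -not $_.Deny -and
            "$($_.User)" -eq $anon -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
        })

        $exposed = $grants.Count -gt 0
        if ($exposed -and $Remediate) {
            # The operation the post performs by hand, without the Y/A prompt
            Remove-ADPermission -Identity $connector.Identity -User $anon `
                -ExtendedRights $right -Confirm:$false
        }

        # New-Object rather than [PSCustomObject] so it runs on the PS 2.0 shell
        # that ships with Exchange 2007
        New-Object PSObject -Property @{
            Connector        = "$($connector.Identity)"
            Bindings         = ($connector.Bindings -join ', ')
            PermissionGroups = "$($connector.PermissionGroups)"
            AnonymousCanSendAsAuthoritative = $exposed
            Remediated       = ($exposed -and $Remediate)
        }
    }
}

# Report first, review the list, then remediate:
#   Test-AnonymousAuthoritativeSender | Format-Table -AutoSize
#   Test-AnonymousAuthoritativeSender -Remediate
```

Only the anonymous grant is flagged: connectors that give the same right to Exchange Servers or to authenticated users (the internal and client-submission connectors) are reported as not exposed, which matches the advice in the considerations below to keep authenticated submission on a separate connector.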
Considerations:
- Before implementing this, make sure you don’t expect to receive mail over this connector from anonymous/unauthenticated Internet connections using any domain your Exchange organisation is authoritative for. Note that the permission is granted per security principal (the -User parameter), so authenticated users can keep the right while anonymous clients lose it. If you have external clients submitting via SMTP/SMTPS, I would create a separate connector with authentication enabled for them, and leave the Internet connector with only the “anonymous” submission permissions.
- This potentially exposes your authoritative domains to enumeration: an external “sender” can try MAIL FROM: addresses in many domains against the Edge server and, from the 550 rejections, work out which domains it is authoritative for. Exchange will block/blacklist these connections after a certain number of failures (see MaxLogonFailures, MaxProtocolErrors and TarpitInterval), but the risk is still present.
- By hard rejecting these messages instead of accepting and silently discarding them, you save resources (there is no point in junk-filtering emails that clearly aren’t from you), but the reject also tells the spammer immediately that the attempt failed, so they can adjust and try again.
- I’m sure there are more… but I am going to bed now. =)