HOW TO: Prevent a…




One of the more annoying types of spam is the one that seems to be coming from your own domain; or worse — from your own email address! Of course, users from your own domain don’t generally spam each other — unless you’re using one of the free web-based email services. And most of us don’t spam ourselves.

Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, SMTP — the protocol that allows mail clients and servers to exchange email — allows headers to be spoofed easily.

In Exchange Server 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain – e12labs.com in this example – exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL FROM (envelope) or From: (message) headers.

You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.

Thanks to the extensive Transport Permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission which dictates whether an Accepted Domain can be used in the MAIL FROM or From: headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.

Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT AUTHORITY\Anonymous Logon on internet-facing Receive Connector(s):

Get-ReceiveConnector "My Internet Receive Connector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | Where-Object { $_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender" } | Remove-ADPermission
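The one-liner above targets a single, named connector. As an added example (not part of the original post), the script below walks every Receive Connector that grants the AnonymousUsers permission group, reports whether NT AUTHORITY\Anonymous Logon still holds the ms-exch-smtp-accept-authoritative-domain-sender right, and removes it only when run with -Apply. It assumes the Exchange 2007 Management Shell is loaded; the cmdlets and property names are the ones the post uses plus the connector's PermissionGroups property.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Without -Apply the script only reports; with -Apply it removes the right.
param(
    [switch]$Apply
)

$Right = 'ms-exch-smtp-accept-authoritative-domain-sender'
$Anon  = 'NT AUTHORITY\Anonymous Logon'

# Internet-facing connectors are the ones that grant the AnonymousUsers
# permission group; connectors for authenticated clients are left alone.
$connectors = Get-ReceiveConnector | Where-Object {
    $_.PermissionGroups -match 'AnonymousUsers'
}

foreach ($rc in $connectors) {
    # Same lookup as the post's one-liner, scoped to this connector.
    # Deny ACEs are ignored: only an Allow grants the right.
    $aces = $rc | Get-ADPermission -User $Anon |
        Where-Object { $_.ExtendedRights -like $Right -and -not $_.Deny }

    if (-not $aces) {
        Write-Output ("{0}: Anonymous Logon cannot send as an Accepted Domain (OK)" -f $rc.Identity)
        continue
    }

    Write-Output ("{0}: Anonymous Logon CAN send as an Accepted Domain" -f $rc.Identity)
    if ($Apply) {
        $aces | Remove-ADPermission -Confirm:$false
        Write-Output ("{0}: permission removed" -f $rc.Identity)
    }
}
```

Run it once without -Apply to see which connectors are affected; if a connector in the list is the one your internal scanners or application servers submit to, exclude it (see the last section of the post) before running with -Apply.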

Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:

220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:jadams@e12labs.com
550 5.7.1 Client does not have permissions to send as this sender

Exchange stopped spoofing of P1/envelope headers. Let’s continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) — maybe that’ll work!

mail from:someone@someotherdomain.com
250 2.1.0 Sender OK
rcpt to:jadams@e12labs.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
from:jadams@e12labs.com
subject: Header spoofing

This is how we spoof headers, spoof headers.

.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel

As you can see, removing the ms-exch-smtp-accept-authoritative-domain-sender permission stops spoofing of your domains in both envelope (P1) and message (P2) headers.
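After changing the permission you will want to confirm the rejection from the outside rather than trust the ACL listing. The following is an added example (not from the original post) that reproduces the envelope check from the transcript above against your own server: it connects unauthenticated, sends EHLO and a MAIL FROM using an address in your Accepted Domain, and reports PASS only if the reply is 550 5.7.1. The server name, port and sender address are assumptions to replace.

```powershell
# Added example, not from the original post. Probe your own server from a host
# that is not in any internal/trusted connector's RemoteIPRanges.
param(
    [string]$Server = 'mail.example.com',       # assumption: your internet-facing Hub/Edge
    [int]$Port      = 25,
    [string]$Sender = 'jadams@e12labs.com'      # assumption: an address in your Accepted Domain
)

# Sends one command (or nothing, to read the banner) and returns the final reply
# line. Multi-line replies ("250-...") are consumed until the "250 " line.
function Send-SmtpLine($writer, $reader, $line) {
    if ($line) { $writer.WriteLine($line); Write-Host "C: $line" }
    do {
        $reply = $reader.ReadLine()
        Write-Host "S: $reply"
    } while ($reply -and $reply.Length -ge 4 -and $reply[3] -eq '-')
    return $reply
}

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

try {
    Send-SmtpLine $writer $reader $null | Out-Null          # 220 banner
    Send-SmtpLine $writer $reader 'EHLO probe.example.net' | Out-Null
    $reply = Send-SmtpLine $writer $reader "MAIL FROM:<$Sender>"
    Send-SmtpLine $writer $reader 'QUIT' | Out-Null
}
finally {
    $client.Close()
}

if ($reply -like '550 5.7.1*') {
    Write-Output "PASS: anonymous MAIL FROM for $Sender was rejected"
} else {
    Write-Output "FAIL: server answered '$reply' for anonymous MAIL FROM $Sender"
}
```

Because the transcript shows the P2 check happening only at end-of-DATA, a full verification would also send a message with a spoofed From: header and expect the same 550 after the terminating dot; the envelope probe above is the quick check that the permission change took effect on the connector you are talking to.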

When not to remove the permission?
Is there a scenario where one should not remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT AUTHORITY\Anonymous Logon? Yes, on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication.

But you do have these internal/trusted hosts submitting to a separate Receive Connector, don’t you?
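If the answer is "not yet", the separation the post recommends looks like this. As an added example (not from the original post), the commands below create a custom Receive Connector that only the listed internal device addresses can reach, leave the default anonymous permissions (including ms-exch-smtp-accept-authoritative-domain-sender) in place on it, and then list that right so you can confirm it exists on this connector and nowhere internet-facing. The server name and IP addresses are assumptions. Exchange selects the connector whose RemoteIPRanges most specifically matches the client, so the dedicated connector can share port 25 with the internet-facing one.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$server  = 'E12POSTCARD'                 # assumption: Hub Transport server name
$devices = '10.1.5.20', '10.1.5.21'      # assumption: scanner / application-server addresses

# Dedicated connector: anonymous submission is allowed, but only from $devices.
New-ReceiveConnector -Name 'Internal Relay (unauthenticated)' `
    -Server $server `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $devices `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers

# The internet-facing connector should have had the right removed (see the
# one-liner earlier in the post); this dedicated connector keeps it. Show it.
Get-ReceiveConnector "$server\Internal Relay (unauthenticated)" |
    Get-ADPermission -User 'NT AUTHORITY\Anonymous Logon' |
    Where-Object { $_.ExtendedRights -like 'ms-exch-smtp-accept-authoritative-domain-sender' } |
    Format-Table Identity, User, ExtendedRights, Deny -AutoSize
```

Keep the RemoteIPRanges list to the individual device addresses (or the smallest subnet that holds them); a connector that grants anonymous "send as Accepted Domain" to a broad range is the same hole the post is closing, just moved inside the firewall.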
