[AboveTheLogic]

Hi All-

I've done some searches and haven't found quite what I'm looking for- so I apologize if this is right under my nose... but...

I'm running Exchange 2003 on Windows Server 2003 and am in the middle of migrating to Exchange 2007 on Windows Server 2008.

The problem I'm running into (unrelated to the migration) is that users are receiving spam from clever spammers using the recipient's email address as the "from".

For example, my email address "user@mydomain.com" is getting spam FROM "user@mydomain.com".

I did some poking around and discovered that even though my server is not allowing email relaying (you need to authenticate to send email outside of mydomain.com), it does allow sending within my domain without authentication.

So, this allows anyone who has an email address of someone within my organization to send that person an email using their own email address --- or even some other email address as long as it ends with @mydomain.com.

How can I restrict this? I noticed that with some other email applications, this is still allowed although the server is smart enough to notice these email and put them in junk.

In my mind this is a major security hole, anyone with some words of wisdom or a direction to point me towards?

Thanks!

[Sembee]

Not a security hole at all. This is how SMTP email is designed to work.
All spam is spoofed and using the same domain as the recipient is one of the oldest spammers tricks. It is also hard to stop effectively, because of the amount of the "send to friend" which effectively spoof the email.

If you have an antispam application it should be dealing with these as any other spam. Ensure that you haven't white-listed your own domain (which is why the spammers do it). If you aren't using an antispam application then you will need to look at putting one in place.

There are no settings you can apply to a native Exchange server without third party software that will stop these kinds of messages - they are just spam.

Simon.

[v-2nas]

Hi

Check this setting,

SMTP Protocol > Properties > Access > Authenticate > Users
Under this only authenticated users SHUD have ONLY submit permission.
verify this option

[FischFra]

Since you worte you are migrating to E2007: If you are using a Edgeserver you can implement the SPF record for your domain and activate the setting to reject failed SPF checks. This will effectivly stop those kind of spams.

[AboveTheLogic]

Thank you all very much for your replies, you have given me some great insight into how to solve this problem.

I had anti-spam installed on the 2003 installation but it expired, and since I'm migrating to 2007 I didn't renew. I adjusted some of the built-in anti-spam functions of Exchange 2003 but they are just not cutting it, obviously.

I plan to implement an edge server with our new 2007 setup, and I'm glad to hear that I can block these kinds of spams using it.

Regardless, I intend to shop around and can spend money if needed to implement a good anti-spam solution on the Exchange 2007 server when it goes live. Does anyone have any suggestions? We were running Trend-Micro Client Server Messaging Security on Exchange 2003 and it was OK, but not great.

Thanks again

[Sembee]

SPF records I find are close to useless. If you use them as a hard failure then you will find that you are dropping a lot of email. Edge servers are also a waste of time in my opinion, I can achieve almost the entire feature set with third party products for much less than an Exchange licence (the only that I cannot is aggregated safe senders list, but I wouldn't trust users to control that anyway).

Simon.

[crobertson]

I have come up with a simple way to fix this. Similar to keyword verification, set everyone to have a signature and they are required to include the signature on all emails. Even if they don't include their names, put in place a keyword.
Then require all emails from that domain require this keyword. I don't have exchange server, but we use this in email filtering.