Auth Sender Spoofing email address?

Hi All,

I am facing this scenario on Exchange 2010 SP2:

domain\user1, a legitimate domain user, is authenticating to the Exchange server and sending email using a spoofed email address (one that doesn't exist on the system) to send spam. His account password has been compromised and they are working on it; in the meantime, how can I prevent the user from using a spoofed email address?

The SMTP transcript is as follows (I obfuscated it for obvious reasons):


EXSERVER\Default EXSERVER,08D276A95907A720,0,10.1.0.6:25,16.16.11.15:61880,+,,
EXSERVER\Default EXSERVER,08D276A95907A720,1,10.1.0.6:25,16.16.11.15:61880,*,SMTPSubmit SMTPAcceptAnySender AcceptRoutingHeaders,Set Session Permissions
EXSERVER\Default EXSERVER,08D276A95907A720,2,10.1.0.6:25,16.16.11.15:61880,>,220 mail.domain.com,
EXSERVER\Default EXSERVER,08D276A95907A720,3,10.1.0.6:25,16.16.11.15:61880,<,EHLO User,
EXSERVER\Default EXSERVER,08D276A95907A720,4,10.1.0.6:25,16.16.11.15:61880,>,250-EXSERVER.domain.net Hello [16.16.11.15],
EXSERVER\Default EXSERVER,08D276A95907A720,5,10.1.0.6:25,16.16.11.15:61880,>,250-SIZE,
EXSERVER\Default EXSERVER,08D276A95907A720,6,10.1.0.6:25,16.16.11.15:61880,>,250-PIPELINING,
EXSERVER\Default EXSERVER,08D276A95907A720,7,10.1.0.6:25,16.16.11.15:61880,>,250-DSN,
EXSERVER\Default EXSERVER,08D276A95907A720,8,10.1.0.6:25,16.16.11.15:61880,>,250-ENHANCEDSTATUSCODES,
EXSERVER\Default EXSERVER,08D276A95907A720,9,10.1.0.6:25,16.16.11.15:61880,>,250-STARTTLS,
EXSERVER\Default EXSERVER,08D276A95907A720,10,10.1.0.6:25,16.16.11.15:61880,>,250-X-ANONYMOUSTLS,
EXSERVER\Default EXSERVER,08D276A95907A720,11,10.1.0.6:25,16.16.11.15:61880,>,250-AUTH NTLM LOGIN,
EXSERVER\Default EXSERVER,08D276A95907A720,12,10.1.0.6:25,16.16.11.15:61880,>,250-X-EXPS GSSAPI NTLM,
EXSERVER\Default EXSERVER,08D276A95907A720,13,10.1.0.6:25,16.16.11.15:61880,>,250-8BITMIME,
EXSERVER\Default EXSERVER,08D276A95907A720,14,10.1.0.6:25,16.16.11.15:61880,>,250-BINARYMIME,
EXSERVER\Default EXSERVER,08D276A95907A720,15,10.1.0.6:25,16.16.11.15:61880,>,250-CHUNKING,
EXSERVER\Default EXSERVER,08D276A95907A720,16,10.1.0.6:25,16.16.11.15:61880,>,250-XEXCH50,
EXSERVER\Default EXSERVER,08D276A95907A720,17,10.1.0.6:25,16.16.11.15:61880,>,250-XRDST,
EXSERVER\Default EXSERVER,08D276A95907A720,18,10.1.0.6:25,16.16.11.15:61880,>,250 XSHADOW,
EXSERVER\Default EXSERVER,08D276A95907A720,19,10.1.0.6:25,16.16.11.15:61880,<,AUTH LOGIN,
EXSERVER\Default EXSERVER,08D276A95907A720,20,10.1.0.6:25,16.16.11.15:61880,>,334 <authentication response>,
EXSERVER\Default EXSERVER,08D276A95907A720,21,10.1.0.6:25,16.16.11.15:61880,>,334 <authentication response>,
EXSERVER\Default EXSERVER,08D276A95907A720,22,10.1.0.6:25,16.16.11.15:61880,*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAuthoritativeDomainSender BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
EXSERVER\Default EXSERVER,08D276A95907A720,23,10.1.0.6:25,16.16.11.15:61880,*,domain\user1,authenticated
EXSERVER\Default EXSERVER,08D276A95907A720,24,10.1.0.6:25,16.16.11.15:61880,>,235 2.7.0 Authentication successful,
EXSERVER\Default EXSERVER,08D276A95907A720,25,10.1.0.6:25,16.16.11.15:61880,<,RSET,
EXSERVER\Default EXSERVER,08D276A95907A720,26,10.1.0.6:25,16.16.11.15:61880,>,250 2.0.0 Resetting,
EXSERVER\Default EXSERVER,08D276A95907A720,27,10.1.0.6:25,16.16.11.15:61880,<,MAIL FROM:<officialemail@domain.com>,
EXSERVER\Default EXSERVER,08D276A95907A720,28,10.1.0.6:25,16.16.11.15:61880,*,08D276A95907A720;2015-06-17T02:52:29.721Z;1,receiving message
EXSERVER\Default EXSERVER,08D276A95907A720,29,10.1.0.6:25,16.16.11.15:61880,>,250 2.1.0 Sender OK,
EXSERVER\Default EXSERVER,08D276A95907A720,30,10.1.0.6:25,16.16.11.15:61880,<,RCPT TO:<spammed@highveldmail.co.za>,
EXSERVER\Default EXSERVER,08D276A95907A720,31,10.1.0.6:25,16.16.11.15:61880,>,250 2.1.5 Recipient OK,
EXSERVER\Default EXSERVER,08D276A95907A720,130,10.1.0.6:25,16.16.11.15:61880,<,DATA,
EXSERVER\Default EXSERVER,08D276A95907A720,131,10.1.0.6:25,16.16.11.15:61880,>,354 Start mail input; end with <CRLF>.<CRLF>,
EXSERVER\Default EXSERVER,08D276A95907A720,132,10.1.0.6:25,16.16.11.15:61880,*,Tarpit for '0.00:00:00.828' due to 'DelayedAck',Skipped;QueueLength=914>=100;NextHopDomain=[10.8.0.101]
EXSERVER\Default EXSERVER,08D276A95907A720,133,10.1.0.6:25,16.16.11.15:61880,>,250 2.6.0 <8976f145-897e-4bca-8053-f3615e9db633@EXSERVER.domain.net> [InternalId=9797778] Queued mail for delivery,
EXSERVER\Default EXSERVER,08D276A95907A720,134,10.1.0.6:25,16.16.11.15:61880,<,QUIT,
EXSERVER\Default EXSERVER,08D276A95907A720,135,10.1.0.6:25,16.16.11.15:61880,>,221 2.0.0 Service closing transmission channel,
EXSERVER\Default EXSERVER,08D276A95907A720,136,10.1.0.6:25,16.16.11.15:61880,-,,Local

I checked with Get-AdPermission whether NT AUTHORITY\AUTHENTICATED USERS is granted ms-Exch-SMTP-Accept-Any-Sender on the receive connector, but it is not.

What am I missing?

Many thanks

June 17th, 2015 8:20am
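The transcript above carries the two facts a defender needs to correlate: the `*` event with context `authenticated` names the account, and the later `MAIL FROM` in the same session names the address it presented. The script below is an added example, not code from the thread, that reads a receive protocol log in the standard Exchange 2010 CSV layout and reports authenticated sessions whose MAIL FROM is not an address the account owns. The log lines and the `$allowedSenders` table are constructed for the example (the thread's `domain\user1` / `officialemail@domain.com` pair is reused as the suspicious case); in production the table is built from `Get-Mailbox`, and `Read-ProtocolLog` handles the `#Fields:` header that real log files carry.

```powershell
# Added example: hunt for authenticated SMTP sessions that present a MAIL FROM
# address not belonging to the authenticated account. Not part of the thread.

# Constructed sample in the Exchange 2010 receive protocol log layout.
$sampleLog = @'
date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-06-17T02:52:28.000Z,EXSERVER\Default EXSERVER,08D276A95907A720,0,10.1.0.6:25,16.16.11.15:61880,+,,
2015-06-17T02:52:29.000Z,EXSERVER\Default EXSERVER,08D276A95907A720,23,10.1.0.6:25,16.16.11.15:61880,*,domain\user1,authenticated
2015-06-17T02:52:29.500Z,EXSERVER\Default EXSERVER,08D276A95907A720,27,10.1.0.6:25,16.16.11.15:61880,<,MAIL FROM:<officialemail@domain.com>,
2015-06-17T02:52:30.000Z,EXSERVER\Default EXSERVER,08D276A95907A720,30,10.1.0.6:25,16.16.11.15:61880,<,RCPT TO:<spammed@highveldmail.co.za>,
2015-06-17T03:00:00.000Z,EXSERVER\Default EXSERVER,08D276A95907A999,0,10.1.0.6:25,10.1.0.50:50010,+,,
2015-06-17T03:00:01.000Z,EXSERVER\Default EXSERVER,08D276A95907A999,5,10.1.0.6:25,10.1.0.50:50010,*,domain\user2,authenticated
2015-06-17T03:00:02.000Z,EXSERVER\Default EXSERVER,08D276A95907A999,8,10.1.0.6:25,10.1.0.50:50010,<,MAIL FROM:<user2@domain.com>,
'@

# Which addresses each account may legitimately put in MAIL FROM. Constructed here;
# in production build it from: Get-Mailbox -ResultSize Unlimited | Select SamAccountName, EmailAddresses
$allowedSenders = @{
    'domain\user1' = @('user1@domain.com')
    'domain\user2' = @('user2@domain.com', 'helpdesk@domain.com')
}

# Real log files start with '#Software:', '#Version:', '#Log-type:', '#Date:' and
# '#Fields:' lines; turn the '#Fields:' line into the CSV header and drop the rest.
function Read-ProtocolLog {
    param([Parameter(Mandatory)] [string] $Path)
    $raw = Get-Content -Path $Path
    $header = ($raw | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $data = $raw | Where-Object { $_ -notlike '#*' -and $_ -ne '' }
    return @($header) + @($data)
}

function Get-SpoofedSubmissions {
    param(
        [Parameter(Mandatory)] [string[]]  $LogLines,
        [Parameter(Mandatory)] [hashtable] $AllowedSenders
    )
    $rows     = $LogLines | ConvertFrom-Csv
    $sessions = @{}     # session-id -> authenticated account (lower-cased)
    $findings = @()
    foreach ($row in $rows) {
        $id = $row.'session-id'
        # The "*" event with context "authenticated" carries the account in the data field.
        if ($row.context -eq 'authenticated') {
            $sessions[$id] = $row.data.ToLower()
            continue
        }
        if ($row.event -eq '<' -and $row.data -match '^MAIL FROM:<([^>]*)>') {
            $from    = $Matches[1].ToLower()
            $account = $sessions[$id]
            if (-not $account) { continue }   # anonymous submission: outside this check
            $allowed = @()
            if ($AllowedSenders.ContainsKey($account)) {
                $allowed = @($AllowedSenders[$account] | ForEach-Object { $_.ToLower() })
            }
            # An account with no known addresses is flagged for any MAIL FROM it presents.
            if ($allowed -notcontains $from) {
                $findings += [pscustomobject]@{
                    Time      = $row.'date-time'
                    SessionId = $id
                    Account   = $account
                    MailFrom  = $from
                    RemoteIP  = ($row.'remote-endpoint' -split ':')[0]
                }
            }
        }
    }
    return $findings
}

# Run over the constructed sample: only the user1 session is reported.
$lines = $sampleLog -split "`r?`n" | Where-Object { $_ -ne '' }
Get-SpoofedSubmissions -LogLines $lines -AllowedSenders $allowedSenders | Format-Table -AutoSize

# Against a real server (Exchange Management Shell), e.g.:
#   $path = (Get-TransportServer EXSERVER).ReceiveProtocolLogPath
#   Get-ChildItem "$path\*.log" | ForEach-Object {
#       Get-SpoofedSubmissions -LogLines (Read-ProtocolLog $_.FullName) -AllowedSenders $allowedSenders }
```

The correlation key is the session-id column, so the check works even when the authenticated event and the MAIL FROM are many sequence numbers apart, as they are in the transcript (sequence 23 versus 27). Scheduling this over the previous day's logs gives an early signal of a compromised account before the outbound queue grows to the 914 messages the tarpit line above shows.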

Two possible solutions to fix this spam:

Block the connecting IP 16.16.11.15 in your blacklist.

Disable the compromised account for a while, then enable it again after resetting a strong, complex password.

June 22nd, 2015 9:27am

Sathish, thanks for your answer. Those actions are already implemented, but that is not the solution because the IP changes, and as I said we are in the process of cleaning the user's devices.

June 24th, 2015 3:20pm

Hi Andres,

Can you please check whether you have enabled this option in your default receive connector:

-ExtendedRights Ms-Exch-SMTP-Accept-Any-Recipient

June 25th, 2015 2:05am

This is the output of:

get-adpermission <DN of receive connector> |? {$_.extendedrights} |? {[string]$_.extendedrights -match "Ms-Exch-SMTP-Accept-Any-Recipient"} | select user,extendedrights

User                                    ExtendedRights
----                                    --------------
NT AUTHORITY\Authenticated Users        {ms-Exch-SMTP-Accept-Any-Recipient}
DOMAIN\Exchange Servers                 {ms-Exch-SMTP-Accept-Any-Recipient}
DOMAIN\ExchangeLegacyInterop            {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Hub Transport Servers       {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Edge Transport Servers      {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers  {ms-Exch-SMTP-Accept-Any-Recipient}

So, I think I have to revoke ms-Exch-SMTP-Accept-Any-Recipient for NT AUTHORITY\Authenticated Users.

June 30th, 2015 8:55am

I am sorry but isn't ms-Exch-SMTP-Accept-Any-Sender the correct permission to look at, for this situation?
June 30th, 2015 9:14am
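Neither right named in the thread is the one in play. The session-permissions line logged right after the AUTH (sequence 22) lists `SMTPAcceptAuthoritativeDomainSender`, which is what the `ms-Exch-SMTP-Accept-Authoritative-Domain-Sender` extended right grants: an authenticated account may put any address in one of the organisation's accepted domains into MAIL FROM, which is exactly how `domain\user1` submitted as `officialemail@domain.com`. `ms-Exch-SMTP-Accept-Any-Sender` would allow any address at all, and `ms-Exch-SMTP-Accept-Any-Recipient` governs RCPT TO (relay), not the sender. The script below is an added example, not code from the thread, that audits which of these three rights `NT AUTHORITY\Authenticated Users` holds on a connector and shows the removal with `-WhatIf` so nothing changes until you drop the switch; the connector name is taken from the transcript and is an assumption about your environment.

```powershell
# Added example: audit sender-related extended rights on a receive connector and
# show the remediation for authenticated-sender spoofing. Not part of the thread.
# Run from the Exchange Management Shell (Exchange 2010).

$connector = 'EXSERVER\Default EXSERVER'          # assumed, from the transcript
$principal = 'NT AUTHORITY\Authenticated Users'

# The rights that decide what an authenticated session may present.
$senderRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',                    # any MAIL FROM at all
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',   # any MAIL FROM in an accepted domain
    'ms-Exch-SMTP-Accept-Any-Recipient'                  # any RCPT TO (open relay for the principal)
)

function Get-SenderRights {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $User
    )
    Get-ReceiveConnector -Identity $Identity |
        Get-ADPermission -User $User |
        Where-Object { $_.ExtendedRights } |
        ForEach-Object {
            $ace = $_
            foreach ($right in $ace.ExtendedRights) {
                $name = "$right"                          # ExtendedRights entries stringify to the right's name
                if ($senderRights -contains $name) {
                    [pscustomobject]@{
                        Connector = $Identity
                        User      = $ace.User
                        Right     = $name
                        Deny      = $ace.Deny             # a Deny ACE overrides an Allow for the same right
                    }
                }
            }
        }
}

# 1. What does Authenticated Users hold today on this connector?
Get-SenderRights -Identity $connector -User $principal | Format-Table -AutoSize

# 2. Remediation: without Accept-Authoritative-Domain-Sender (and without Accept-Any-Sender),
#    Exchange rejects a MAIL FROM that the authenticated mailbox does not own with
#    "550 5.7.1 Client does not have permissions to send as this sender".
#    -WhatIf previews only; remove it once you have confirmed that no application or
#    device submits under a shared address using an ordinary user account on this connector.
Remove-ADPermission -Identity $connector -User $principal `
    -ExtendedRights 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender' -WhatIf

# 3. Re-run the audit to confirm the right is gone (after a real removal).
Get-SenderRights -Identity $connector -User $principal | Format-Table -AutoSize
```

Two caveats before applying this for real: run the audit against every receive connector, not only the default one, since a session is governed by the connector it lands on; and if a line-of-business system legitimately submits as a shared address, grant that service account Send As on the shared mailbox (or give it its own connector with the right) rather than leaving the blanket grant on Authenticated Users. The change closes the spoofing path for every account, not just the one currently compromised.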
