I can send email as ANYONE in my GAL! How do I stop this?
I have created a new user account in Active Directory which I will only be using as a mailbox. I then added the mailbox into my Outlook so that I can see my Inbox and the Inbox of the other account. When I send an email to the other account it shows up in the Inbox. When I open that email and reply I can click the From button and it will open up my Global Address List. I can make this email look like it's coming from anyone on my GAL. If the users find out about this...not good. How do I lock this down?
August 20th, 2008 2:13am
Did you try sending a mail to your mailbox from anyone in the GAL? It doesn't allow it and will say that you don't have permission to send from this address unless you have Send As permission on the mailbox which you are putting in the From field.
August 20th, 2008 3:11am
Yes, I tried sending an email to myself as someone else and it does work. I get the email and it looks like it's from someone else. There has to be a permissions problem here but I can't seem to find it.
August 20th, 2008 6:17pm
Check and make sure that Everyone doesn't have Send As permission at server/store/mailbox level. Open ADSIEdit.msc and go to the path below (you can do the same thing in ESM also):
Configuration -> CN=Services -> CN=Microsoft Exchange -> CN=<ORG Name> -> CN=Administrative Groups -> CN=<Admin Group Name> -> CN=<Server Name> -> CN=InformationStore -> CN=<Storage Group Name> -> Mailbox Store Name -> Properties -> Security
Check Everyone's permission. If it has Send As and it shows as gray and you cannot untick it, then it is getting inherited from some upper level (storage group, server, admin group or organization) and you need to remove it.
August 20th, 2008 6:50pm
Ok, I have checked there and it looks like Everyone does not have Send As permission. I've included a screenshot. The only boxes that are checked for Everyone are the ones that you see. (thanks for the help, by the way) ESM Screenshot
August 20th, 2008 7:37pm
Click the Advanced button on the Security tab and check if any object has Allow Send As permissions.
August 20th, 2008 7:42pm
I have opened up Advanced and double clicked on all the "Everyone"'s in that list. None of them have Send As checked. I have included another screenshot of the Advanced list. Advanced List
August 20th, 2008 8:21pm
Hi, I would like to know whether your user account belongs to the Domain Administrators group or the Enterprise Administrator group. If I am right, I would like to explain that it is a behavior by design. You can refer to the following article:
Exchange Server 2003 Deployment http://technet.microsoft.com/en-us/library/aa996080.aspx
I have gathered the related information from the article:
Why can domain administrators spoof mailbox-enabled user accounts in their domain?
Active Directory includes a base set of permissions that can be applied against objects within the directory. In particular, Active Directory includes the Send As extended permission. By default, the Administrators group, the Domain Admins group, the Enterprise Admins group, and the Account Operators group have Send As permissions for all users. The Administrators group permissions and the Enterprise Admins group permissions are inherited from the domain level. The Account Operators group and the Domain Admins group receive explicit permissions that are based on the definition of the user object that is in the Active Directory schema.
Please understand that Microsoft's strong recommendation is that accounts with elevated permissions, such as Domain Admin or Enterprise Admin accounts, should only be used for administration purposes, and should not be used for daily activities such as email. These accounts should not even be mailbox enabled. Users who have Domain Admin permissions should have a separate account that is not an administrative account for normal daily activities. If a Domain Admin or Enterprise Admin account is NOT mailbox enabled, it cannot be used for Send As. Of course a Domain Admin or Enterprise Admin can always grant themselves whatever permissions they want.
Mike
August 21st, 2008 9:28am
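The checks discussed in the posts above (who holds Send As, and whether the entry is explicit or inherited) can be scripted. This is an added example, not part of the original thread: it lists every ACE on one directory object that allows or denies the Send-As extended right. It assumes PowerShell 3.0 or later on a domain-joined machine with read access to the object; the function name `Get-SendAsAce` and the distinguished name are placeholders.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# rightsGuid of the Send-As control access right in Active Directory
$SendAsGuid    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Trustees that cover ordinary users; an Allow for one of these reaches every account
$BroadTrustees = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $ntType = [System.Security.Principal.NTAccount]
    # $true, $true = include explicit ACEs and ACEs inherited from parent containers
    $rules  = $entry.ObjectSecurity.GetAccessRules($true, $true, $ntType)

    foreach ($ace in $rules) {
        # Skip ACEs that carry no extended rights (Full Control includes the bit)
        if (([int]$ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        # An empty ObjectType means "all extended rights", which includes Send-As
        if ($ace.ObjectType -ne $SendAsGuid -and $ace.ObjectType -ne [guid]::Empty) { continue }

        $name = $ace.IdentityReference.Value
        [pscustomobject]@{
            Trustee   = $name
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # True = set on a parent container
            Scope     = if ($ace.ObjectType -eq $SendAsGuid) { 'Send-As' } else { 'All extended rights' }
            Broad     = ($BroadTrustees -contains $name) -or ($name -like '*\Domain Users')
        }
    }
}

# Placeholder DN: replace with a real user object or the mailbox store object
Get-SendAsAce -DistinguishedName 'CN=Test User,OU=Staff,DC=example,DC=com' |
    Sort-Object Broad, Trustee -Descending |
    Format-Table -AutoSize
```

Rows with `Broad` set to True and `Type` set to Allow are the ones to review first; `Inherited` shows whether the entry has to be removed on a parent container rather than on the object itself.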
I thought for sure this would be it but I checked Domain and Enterprise Admins groups as well as Administrators and Account Operators and we only have 2 accounts in those groups, neither of which are mine. I only belong to 3 groups, All Staff, Domain Users and Help Desk. Those groups are definitely not part of Domain Admins, Enterprise Admins, Account Operators or Administrators. I will try creating a new user by copying a staff member's account and see if they can change the From field. Maybe I do have special permissions somewhere... Edit: I did as described above and I can still change the From field. It's definitely not just my account.
August 21st, 2008 7:56pm
Hi,
1. Whether the new user belongs to any groups except the Domain Users group? Whether all the old users in the domain are able to send as others?
2. Whether the user is able to send as anybody or only specific users. I would like to explain that we can also configure Send As permission on specific users.
3. I also suggest that you create a new mailbox database and create a user on the new database. Then, please check whether your account is able to send as the user on the new database. We can use this method to check whether it is a specific mailbox database issue.
4. Please also check whether the following hotfix has been installed: Send As permission behavior change in Exchange 2003 http://support.microsoft.com/kb/895949/en-us
Mike
August 22nd, 2008 12:55pm
I am posting here because I don't know where else I can post my post. There's a problem with my MSN email. I think it is a bug. I can't read or delete email. I can't do anything besides logging in and out and receiving email. I still wish to keep all my mails. If this goes on my mail would be full and it spells trouble. I hope someone can see this post and help me. Thank you. God bless
October 6th, 2008 2:08pm
Hi Kool-IP, I have exactly the same problem. Did you solve it? Please let me know. Help!!
February 20th, 2009 10:38pm
Hi friends, I am Joseph from London. I am trying to find the answer to your question, so can you send some detail of the above question. Joseph
February 21st, 2009 4:45pm
Hi again, this is the detailed edition: I work in an ICT department and my colleagues and I agreed that we needed not only an email address called ICT but also a mailbox so that we can send emails as ICT if needed. I was the one in charge of doing such a task so I created a new user (Windows Server 2003) called ICT and its mailbox (Exchange 2003) so that we all can access the ICT mailbox and send as ICT as agreed. I managed to do it and it is working ok but, as I did not know exactly how to configure it, maybe I did something that I should not have done, maybe not. The thing is that yesterday we discovered that I can put not only myself and the new ICT user in the "From" field of emails, but anyone in the organization. It is not nice at all, because it was my boss who noticed it: by mistake I sent an email as himself to other colleagues, when I wanted to send it to him and cc those other colleagues. Now I feel I am under suspicion. I have tried everything I know with no results. The only thing I have found out is something disconcerting: if I log on to any other computer it works ok, I mean I cannot send as other users; it only happens if I log on to my computer, but if I log on to a virtual PC installed on my computer it also happens, and I can also send as anyone in the GAL. Please help. Many thanks in advance.
February 21st, 2009 8:47pm
Hi, sorry to bump an old post, but I'm having the exact same problem and can't find a solution.
All my users (or at least the random sample I tried) can send email as anyone in the GAL.
None of the users in question are part of any of the domain administrative groups.
The only permissions with Send As are the default administrative ones.
I even went as far as to explicitly deny the Send As permission for one user on other people's mailboxes, and they could STILL send emails as those other users. As I understand it this should have trumped any other permissions error, but it still ignored it!
SBS2003 Exchange SP2
November 25th, 2009 8:11am