i have several users complaining about receiving all sorts of spam email that shows as coming from their email address. i have read other posts on this site and on the internet stating to remove the anonymous logon permission from the accepted domain. my question is i have 3 receive connectors and i wanted a clarification about which one(s) i should run this cmdlet on: Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission 1 connector is the default server1 receive connector 1 connector is the client server1 receive connector 1 connector is called allow relay which we created to allow only a small list of specified ip addresses on the internal network, specifically for network devices/servers to send messages, logs, alerts, etc. we have 2 exchange 07 servers, but one of them is used as an SCR target only, for DR purposes. i have 5 DC's 2 are located on the same network as the exchange server, the other 3 are located in my outer offices on different networks. the default server1 connector has the following permission group settings checked in the EMC: anonymous users exchange users exchange servers legacy exchange servers the allow relay has the following permission group settings checked in the EMC: anonymous users the client server1 connector has the following permission group settings checked in the EMC: no options are checked. im assuming i need to run the cmdlet listed above on the default receive connector like this: Get-ReceiveConnector "Default Server1" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission can someone confirm if this is correct? or do i need to run this on both my "Default Server1" and "Allow Relay" receive connectors?

Yes, it should be only Default Server1. Allow Relay connector receives email from trusted and internal sources so it doesn't require to removems-exch-smtp-accept-authoritative-domain-sender permission. Exchange 2007 Transport Permissions Model http://technet.microsoft.com/en-us/library/aa997170.aspxAmit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com

if i wanted to add that permission back for any reason would all i need to do is change the word from remove-ADPermission at the end of the cmdlet to Add-ADPermission? see below: remove: Get-ReceiveConnector "Default Server1" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission add: Get-ReceiveConnector "Default Server1" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Add-ADPermission i dont use paypal or expedia, but do certain websites like expedia or paypal still send users emails as if they were coming from their own email address still, or have they corrected that problem? the reason i ask is because i was reading about running this cmdlet and how certain websites like expedia and paypal still send out emails that show they are coming from yourself. we have a lot of people traveling in my office and im sure some people use expedia when booking their travel plans, plus unfortunately alot of people use their work email accounts for personal stuff like booking travel so i am trying to predict whether running this cmdlet will cause me months of people complaining cause they cant get there expedia or paypal confirmation emails or any other sites that send emails showing they are coming from their email address.

In that case you can add similar rights back with below cmdlet or with ADSIEdit.msc in GUI mode. Get-ReceiveConnector "Default Server1" | Add-ADPermission -AccessRight ExtendedRight -ExtendedRights ms-exch-smtp-accept-authoritative-domain-sender -user NT AUTHORITY\Anonymous LogonAmit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com