Mail spoofing is often used to persuade users to open dangerous e-mail attachments. The sender address is falsified so that the message appears to come from an internal source, for example a colleague or a device such as a scanner or a Fax2Mail gateway.
Here is an example:
It looks as if scanner@frankysweb.de has sent an e-mail to frank@frankysweb.de. The attachment appears to be a PDF document.
At this point the user has no way of recognizing that the mail did not come from the internal printer/scanner; it looks as though a colleague has simply scanned and sent a document. The attachment, in this case the PDF, is usually an infected document that either contains the virus/Trojan or downloads it.
If the user receives such an e-mail, the upstream security mechanisms have already failed. Only the e-mail header shows that the e-mail was sent to the user via a mail server from the Internet:
As shown above, this is only a simulation. However, if the Exchange Server is configured to receive mail directly from the Internet, i.e. the MX record points to the public IP address and a router forwards port 25 unfiltered to the Exchange Server, you should check whether the configuration allows mail spoofing:
Is the mail arriving? If yes, then fix it!
The relevant setting is found on the Exchange receive connectors. By default, Exchange allows anonymous users to send mail to the authoritative e-mail domains as soon as the "Anonymous users" permission group is enabled on the receive connector:
This is controlled by a corresponding permission in Active Directory:
Get-ReceiveConnector | Get-ADPermission -user "NT-Autorität\Anonymous-Anmeldung" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"}
If a receive connector that also accepts mail from the Internet is listed here, as is the case in this example, the right can be removed with the Exchange Management Shell. On a German-language server the command is as follows:
Get-ReceiveConnector "Name des Empfangsconnectors aus Richtung Internet" | Get-ADPermission -user "NT-Autorität\Anonymous-Anmeldung" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
And on a server with an English operating system:
Get-ReceiveConnector "Name des Empfangsconnectors aus Richtung Internet" | Get-ADPermission -user "NT AUTHORITY\ANONYMOUS LOGON" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
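As an added example (my own script, not part of the original post), the following Exchange Management Shell script audits every receive connector for this right at once, trying both the English and the German name of the anonymous account, and optionally removes it. The -Remove switch, the list of account names and the output fields are my assumptions.

```powershell
# Added audit script: reports every receive connector on which the anonymous
# logon account holds ms-exch-smtp-accept-authoritative-domain-sender, the
# right that lets unauthenticated SMTP clients use the organisation's own
# domains as sender address. Run in the Exchange Management Shell.
param(
    # Set -Remove to strip the right from every connector that is reported.
    [switch]$Remove
)

# The anonymous logon account has a localised display name; English and German
# are tried here (assumption: other languages need their own entry).
$anonymousNames = @('NT AUTHORITY\ANONYMOUS LOGON', 'NT-Autorität\Anonymous-Anmeldung')
$spoofRight     = 'ms-exch-smtp-accept-authoritative-domain-sender'

foreach ($connector in Get-ReceiveConnector) {
    # Only connectors that allow anonymous sessions are exposed; authenticated
    # clients are expected to send as the organisation's own domains.
    $allowsAnonymous = [string]$connector.PermissionGroups -match 'AnonymousUsers'

    foreach ($name in $anonymousNames) {
        # An unresolvable account name (wrong language) is simply skipped.
        $grants = Get-ADPermission -Identity $connector.Identity -User $name -ErrorAction SilentlyContinue |
                  Where-Object { $_.ExtendedRights -like $spoofRight }
        if (-not $grants) { continue }

        # One report line per affected connector; Bindings and RemoteIPRanges
        # help to spot the connector that faces the Internet.
        [pscustomobject]@{
            Connector        = $connector.Identity
            Bindings         = ($connector.Bindings -join ', ')
            RemoteIPRanges   = ($connector.RemoteIPRanges -join ', ')
            AnonymousEnabled = $allowsAnonymous
            AnonymousAccount = $name
            SpoofRightSet    = $true
        }

        if ($Remove) {
            $grants | Remove-ADPermission -Confirm:$false
            Write-Host "Removed $spoofRight for '$name' on $($connector.Identity)"
        }
    }
}
```

Run it without -Remove first and review which connectors are listed; connectors used only by internal applications or devices that legitimately relay anonymously as an internal address need the right and should keep it.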
Now you can test once again whether the problem has been resolved and mail spoofing is no longer possible.