Spoofed emails, and a lot of spam, are emails that claim to be from someone they are not. You might wonder why anyone would want to do that. But it can be a sneaky way of tricking someone out of money or private information. It is not unheard of for members of staff to receive emails from their "Managing Director" telling them to transfer large sums of money out of the business account. You can imagine how that story ends...
Train your staff in spotting these spam emails with KnowBe4 cyber security training.
Find out how Office 365 ATP can block spam emails for you
So, you want a method to combat sender spoofing? You've come to the right place. Sender Policy Framework (SPF) is designed to combat email spoofing. SPF uses the following method to verify that the envelope sender (the RFC 5321 MAIL FROM domain) of a message matches the IP address of the server that sent it:
- The email is sent and reaches the recipient's mail server.
- The recipient's mail server performs a DNS lookup for a TXT record, attempting to find an SPF record for the sender's mail domain.
- If no record is available, no action is taken. The message is delivered normally.
- If a record is available, the connecting IP address of the sending server is matched against the SPF record to determine whether that IP is an expected sender of emails for the sender's mail domain.
- If the IP matches, the message is delivered.
- If the IP does not match, the recipient's mail server can take its configured action against the message (for the Exchange Sender ID Agent, that is the SpoofedDomainAction set below).
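To make the six steps above concrete, here is an added example (not code from the original post) of a minimal SPF evaluator in Python. It assumes a constructed, in-memory stand-in for DNS (the FAKE_DNS dictionary) instead of real lookups, supports the ip4/ip6, include and all mechanisms with their qualifiers, and maps the result to the Sender ID style decision the post describes (only a hard fail triggers the configured SpoofedDomainAction; everything else is stamped and delivered). The record contents, IP addresses and domain names are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> list of TXT records.
# A real receiver queries DNS for the sender's domain (step 2).
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.25 ~all"],
    "nospf.example.org": ["some unrelated txt record"],
}

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the single SPF TXT record for domain, or None (step 2).

    None covers both 'no record' and 'more than one record'; RFC 7208
    treats the latter as a permanent error, but for delivery purposes
    both mean the receiver cannot make an SPF decision.
    """
    records = [r for r in dns.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def evaluate_domain(domain, ip, dns=FAKE_DNS, depth=0):
    """Walk the domain's SPF mechanisms left to right until one matches."""
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                      # step 3: no record, no action
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"                    # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                  # "all" always matches
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):         # step 4: compare the connecting IP
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":            # include matches only on "pass"
            if depth >= 10:                # RFC 7208 lookup limit
                return "permerror"
            if evaluate_domain(arg, ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # unknown or unsupported mechanisms are skipped in this toy evaluator
    return "neutral"                       # record exhausted with no "all"


def check_spf(client_ip, mail_from, dns=FAKE_DNS):
    """Steps 1-6: evaluate the envelope sender's domain against the client IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    return evaluate_domain(domain, ipaddress.ip_address(client_ip), dns)


def sender_id_action(result, spoofed_domain_action="Reject"):
    """Simplified model of the Exchange Sender ID Agent decision (assumption):
    only a hard 'fail' triggers SpoofedDomainAction; every other result is
    stamped onto the message header and the message is delivered."""
    return spoofed_domain_action if result == "fail" else "StampStatus"


if __name__ == "__main__":
    # Constructed SMTP sessions: (connecting IP, MAIL FROM)
    sessions = [
        ("203.0.113.7", "alice@example.com"),        # listed range   -> pass
        ("198.51.100.25", "alice@example.com"),      # via include    -> pass
        ("192.0.2.1", "alice@example.com"),          # not listed     -> fail
        ("192.0.2.1", "bob@mail.example.net"),       # ~all           -> softfail
        ("192.0.2.1", "carol@nospf.example.org"),    # no SPF record  -> none
    ]
    for ip, sender in sessions:
        result = check_spf(ip, sender)
        print(f"{sender:28} from {ip:15} -> {result:8} action={sender_id_action(result)}")
```

The order of mechanisms matters: SPF stops at the first match, so a sender IP covered by an early ip4 term passes even if a later include would have failed, and the trailing -all or ~all only applies when nothing before it matched.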
Here's how to set it up...
Launch the Exchange management shell and run the following command to install all of the Anti Spam agents:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
This will install all of the below agents:
Sender ID Agent
Content Filter Agent
Sender Filter Agent
Recipient Filter Agent
Protocol Analysis Agent
All we need from this particular guide is the Sender ID Agent, so we will disable the other agents:
Disable-TransportAgent -Identity "Content Filter Agent"
Disable-TransportAgent -Identity "Sender Filter Agent"
Disable-TransportAgent -Identity "Recipient Filter Agent"
Disable-TransportAgent -Identity "Protocol Analysis Agent"
Restart the Exchange transport service to enable the Agent:
Restart-Service MSExchangeTransport
Now we need to specify the internal SMTP servers that the Sender ID Agent should ignore, so that mail relayed from your own servers is not treated as the external sender:
Set-TransportConfig -InternalSMTPServers @{Add="10.0.1.10","10.0.1.11"}
Check that it is set up by running the following command:
Get-TransportConfig | Format-List InternalSMTPServers
The default setting for the Sender ID Agent is StampStatus, which only records the result in the message header. To set it to reject failing messages instead, we need to run the following command:
Set-SenderIDConfig -SpoofedDomainAction Reject
Confirm that this is now set by running the following command:
Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*
Logging should be enabled by default, but you can check it using the following command:
Get-TransportService | Format-List AgentLog*
If there is an issue with the settings, then you can change them using the following command:
Set-TransportService <ServerIdentity> -AgentLogEnabled <$true | $false> -AgentLogMaxAge <dd.hh:mm:ss> -AgentLogMaxDirectorySize <Size> -AgentLogMaxFileSize <Size> -AgentLogPath <LocalFilePath>
Example:
Set-TransportService Mailbox01 -AgentLogPath "D:\Anti-Spam Agent Log" -AgentLogMaxFileSize 20MB -AgentLogMaxDirectorySize 400MB -AgentLogMaxAge 14.00:00:00
NB. This can be used in Exchange 2013 / 2016
Microsoft has also just released a solution for Office 365 that will stop the majority of spoof and spam emails before they even reach the inbox. And, if something does manage to sneak through, the software "detonates" the link in a secure sandbox so it can't infect your PC if it is nasty. Jude introduces Office 365 Advanced Threat Protection.