
Stop Spoof Mail + Enable Sender ID Agent in Exchange
Spoof emails waste everyone's time and they can be dangerous too. Graham has written a technical guide on how to block these emails using Exchange.

 

Spoof emails are emails that claim to be from someone they are not. You might wonder why anyone would want to do that. But it can be a sneaky way of tricking someone out of money or private information. It is not unheard of for members of staff to receive emails from their "Managing Director" telling them to transfer large sums of money out of the business account. You can imagine how that story ends....

So, you want a method to combat sender spoofing? You've come to the right place. Sender Policy Framework (SPF) is tailored to combat email spoofing. SPF uses the following method to verify that the envelope sender (RFC 5321) of a message matches the IP of the sending server:

  • Email is sent and reaches the recipient's mail server.
  • The recipient's mail server performs a DNS lookup for a TXT record, attempting to identify an SPF record for the sender's mail domain.
  • If no record is available, no action is taken. The message is delivered normally.
  • If a record is available, the email's connecting IP will be matched against the SPF record to determine if the IP is an expected sender of emails from the sender's mail domain.
  • If the IP matches, the message will be delivered.
  • If the IP fails, the action specified in the recipient's SPF record can be taken against the message.
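
The lookup-and-match steps listed above, as an added example that is not part of the original guide: this Python evaluates a connecting IP against a domain's TXT records and returns the SPF result name from RFC 7208. It assumes a policy built only from the ip4, ip6 and all mechanisms; the TXT records and IP addresses are constructed sample values.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for a sender domain (documentation address ranges).
SAMPLE_TXT = [
    "site-verification=constructed-value",
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
]


def find_spf(txt_records):
    """Pick the SPF policy out of a domain's TXT records, or None."""
    found = [r for r in txt_records
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        raise ValueError("permerror: more than one SPF record published")
    return found[0] if found else None


def check_ip(spf_record, client_ip):
    """Match the connecting IP against each term, left to right."""
    ip = ipaddress.ip_address(client_ip)
    for term in spf_record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, exists, redirect need further DNS lookups.
            raise NotImplementedError("mechanism not handled: " + term)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def evaluate(txt_records, client_ip):
    """Return 'none' when no SPF record exists, else the match result."""
    record = find_spf(txt_records)
    return "none" if record is None else check_ip(record, client_ip)


if __name__ == "__main__":
    for addr in ("192.0.2.25", "2001:db8::1", "198.51.100.7"):
        print(addr, evaluate(SAMPLE_TXT, addr))
```

A result of none or pass corresponds to normal delivery in the steps above, while fail is the case where the receiving server can act on the message.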

 

Here's how to set it up...

Launch the Exchange management shell and run the following command to install all of the Anti Spam agents:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1  

This will install all of the below agents:
Sender ID Agent
Content Filter Agent
Sender Filter Agent
Recipient Filter Agent
Protocol Analysis Agent

All we need for this particular guide is the Sender ID Agent, so we will disable the other agents:
Disable-TransportAgent -Identity "Content Filter Agent"
Disable-TransportAgent -Identity "Sender Filter Agent"
Disable-TransportAgent -Identity "Recipient Filter Agent"
Disable-TransportAgent -Identity "Protocol Analysis Agent"

Restart the Exchange transport service to enable the Agent:
Restart-Service MSExchangeTransport

Now we need to specify the internal SMTP servers that should be ignored by the Sender ID Agent:
Set-TransportConfig -InternalSMTPServers @{Add="10.0.1.10","10.0.1.11"} 

Check that this is set up by running the following command:
Get-TransportConfig | Format-List InternalSMTPServers 

The default setting for the Sender ID Agent is StampStatus. To set this to Reject, we need to run the following command:
Set-SenderIDConfig -SpoofedDomainAction Reject 

Confirm that this is now set by running the following command:
Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*

Logging should be enabled by default, but you can check it using the following command:
Get-TransportService | Format-List AgentLog*

If there is an issue with the settings, then you can change them using the following command:
Set-TransportService <ServerIdentity> -AgentLogEnabled <$true | $false> -AgentLogMaxAge <dd.hh:mm:ss> -AgentLogMaxDirectorySize <Size> -AgentLogMaxFileSize <Size> -AgentLogPath <LocalFilePath>

Example:
Set-TransportService Mailbox01 -AgentLogPath "D:\Anti-Spam Agent Log" -AgentLogMaxFileSize 20MB -AgentLogMaxDirectorySize 400MB -AgentLogMaxAge 14.00:00:00 

NB. This can be used in Exchange 2013 / 2016

 
