Stop Spoof Mail + Enable Sender ID Agent in Exchange


Spoof emails waste everyone’s time and they can be dangerous too. Graham has written a technical guide on how to block these emails using Exchange.

Spoof emails or spam emails are emails that claim to be from someone they are not. You might wonder why anyone would want to do that. But it can be a sneaky way of tricking someone out of money or private information. It is not unheard of for members of staff to receive emails from their "Managing Director" telling them to transfer large sums of money out of the business account. You can imagine how that story ends....

Find out how Office 365 ATP can block spam emails for you

So, you want a method to combat sender spoofing? You've come to the right place. Sender Policy Framework (SPF) is tailored to combat email spoofing. SPF uses the following method to verify the envelope sender (RFC 5321) of a message matches against the IP of the sending server:


Here's how to set it up...

Launch the Exchange management shell and run the following command to install all of the Anti Spam agents:
& $env:ExchangeInstallPathScriptsInstall-AntiSpamAgents.ps1  

This will install all of the below agents:
Sender ID Agent
Content Filter Agent
Sender Filter Agent
Recipient Filter Agent
Protocol Analysis Agent

All we need from this particular guide is the Sender ID Agent, so we will disable the other agents:
Disable-TransportAgent –Identity "Content Filter Agent"
Disable-TransportAgent –Identity "Sender Filter Agent"
Disable-TransportAgent –Identity "Recipient Filter Agent"
Disable-TransportAgent –Identity "Protocol Analysis Agent"

Restart the Exchange transport service to enable the Agent:
Restart-Service MSExchangeTransport

Now we need to specify the internal SMTP server that should be ignored by the Sender ID Agent:
Set-TransportConfig -InternalSMTPServers @{Add="",""} 

Check that is setup by running the following command:
Get-TransportConfig | Format-List InternalSMTPServers 

The default setting for the Sender ID Agent is to StampStatus, to set this to reject we need to run the following command:
Set-SenderIDConfig -SpoofedDomainAction Reject 

Confirm that this is now set by running the following command:
Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*

Logging should be enabled by default, but you can check it using the following command:
Get-TransportService | Format-List AgentLog*

If there is an issue with the settings than you can change them using the following command:
Set-TransportService <ServerIdentity> -AgentLogEnabled <$true | $false> -
AgentLogMaxAge <dd.hh:mm:ss> -AgentLogMaxDirectorySize <Size> -
AgentLogMaxFileSize <Size> -AgentLogPath <LocalFilePath> 

Set-TransportService Mailbox01 -AgentLogPath "D:Anti-Spam Agent Log" -AgentLogMaxFileSize 20MB -AgentLogMaxDirectorySize 400MB -AgentLogMaxAge 14.00:00:00 

NB. This can be used in Exchange 2013 / 2016

Microsoft has also just released a solution for Office 365 that will stop the majority of spoof and spam emails beofre they even reach the inbox. And, if something does manage to sneak through, the software "detonates" the link in a secure box so it can't infect your PC if it is nasty. Jude introduces Office 365 Advanced Threat Protection.

let's start the ball rolling

Fill in the form or use the contact details below and we’ll get our expert team to put together a package that’s personal to your business.
0114 299 4050