Among all the tasks of Exchange administrators, one of the most important and challenging ones is ensuring email security. Since Exchange Server handles thousands of emails every day, it is not easy to manage and monitor such a large chunk of messages on a regular basis. This is why hackers often exploit email vulnerabilities to steal confidential information such as trade secrets or launch a cyberattack. One of the tricks they use is email spoofing, wherein they impersonate someone else to trick the user into sharing sensitive information. In this article, we take a closer look at email spoofing and discuss ways to prevent internal email spoofing in an Exchange environment.
Email spoofing is one of the common forms of email attacks, in which the sender manipulates email headers to deceive the email recipient regarding the identity of the sender. Sender of the spoofing email generally impersonates the employee, client, or vendor of an organization to extract sensitive information, such as employees’ personal data, company’s internal reports, etc.
Internal email spoofing is when the employee of an organization poses as someone else in an email to acquire sensitive documents, accounting records, etc. For instance, an employee can send an email to another employee impersonating as a senior executive and convince them to provide access to classified files and documents.
Here are the methods that you can implement to prevent internal email spoofing.
Sender Policy Framework (SPF) is an email authentication method, which is highly effective against spoofing. An SPF record is a DNS record (database record used to map a human-friendly URL to an IP address), which is added to the DNS zone file of your domain. In this record, you can mention all the IP addresses and/or hostnames that are authorized to send emails on your behalf.
SPF is generally used against external spoofing attacks where senders impersonate trusted entities. However, it can be used to prevent internal email spoofing too. There is one challenge in using SPF records though – to achieve complete protection, you have to include all IP addresses that are allowed to send emails on your network. These may include your company’s servers, printers, custom web applications, third-party applications, etc. So, this can be a cumbersome task if your company’s network is large and complex.
Steps to Set up SPF Record
To use SPF in your organization, you need to set up three things – SPF record in local DNS, antispam function in Exchange Server, and a Sender ID agent. Follow these steps:
Step 1: Create SPF Record
Create the txt record on your DNS server in the local domain. It may look something like this:
v=spf1 ip4: 192.168.25.3 ip4: 192.168.133.55 -all
Step 2: Install Exchange Antispam Agent
Install the Exchange Antispam Agent by using the PowerShell cmdlet given below:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpanAgents.ps1
If the script runs without errors and asks you to restart your MSExchangeTransport service, it means the step is successful. You can apply the changes by restarting the services by using the following PowerShell command:
Restart-Service MSExchangeTransport
Step 3: Provide IP Address of Exchange Server
Provide the IP address of your Exchange Server by running the following PowerShell command:
Set-TransportConfig -InternalSMTPServers 192.168.25.3
Step 4: Establish Email Rejection Rule
Create a rule that rejects all emails from addresses that don’t exist in your SPF record by executing the following command:
Set -SenderIdConfig -SpoofedDomainAction Reject
Exchange servers use Receive connectors to control incoming SMTP communication from external messaging servers (those out of organization’s purview), services in the local or remote Exchange servers, and email clients that use SMTP. These connectors are automatically created when Exchange Mailbox Server is set up.
In default configuration, an Exchange Server is set to receive emails from anonymous users. This vulnerability allows a malicious employee to exploit the system. Unfortunately, you cannot block emails from anonymous users completely as then you will not be able to receive important emails from external email addresses. Therefore, what you can do is create another receive connector that uses domain credentials (login ID and password of users and applications) rather than IP addresses to authorize email senders. Although, this means you have to create a domain account for every device and application (web-based printer, for instance) that has to send emails to Exchange.
An Exchange Server has a Receive connector on TCP port 25 which accepts external connections, i.e. anonymous emails from SMTP servers. However, you can create another connector for internal SMTP connections on the same port. The server has the ability to select the appropriate connector for each connection on its own.
To create a new Receive connector, run the following PowerShell command:
New-ReceiveConnector –Name “Internal Client SMTP” –TransportRole FrontendTransport –Usage Custom –Bindings 0.0.0.0:25 –RemoteIPRanges 192.168.25.0/24 –AuthMechanism TLS,Integrated –PermissionGroups ExchangeUsers
Once the new Receive connector is created, you can try sending a spoofed email. Since now you have a security mechanism in place, you will receive an error code and the email will not be delivered.
As an Exchange administrator, it is your responsibility to maintain email security and prevent email spoofing at all costs. The techniques mentioned in this post, combined with measures like frequent training sessions on IT security, can help prevent email spoofing to a great extent.
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.
