Sometimes, on a professional mailbox, you can receive SPAM from your own domain, and maybe even from your own email address. If this happens to you, the first thing to do is to analyze the email headers to see which SMTP server the email is coming from:
- Either the SMTP server really is your internal SMTP server, which means that one of your LAN machines is probably infected, or that your SMTP server is an open relay
- Or you will see that the email was routed by an external SMTP server, spoofing your own address, before being delivered to you. That is the better case: you will be able to stop it.
Anyone with sufficient knowledge can send an email with any address in the "From" field. It has been like that since the beginning of email and it is inherent to the way email works, so don't worry: it is a well-known trick, and there is a lot you can do to protect yourself.
This method is used a lot by spammers, because it lets them pass through spam filters easily: the email is detected as coming from your own organization, and is therefore approved.
In addition, it can be a real threat for your company, because anyone is able to send emails pretending to be part of your organization.
To prevent it, here are the 2 major things you can do:
- Use signed emails, which lets the recipient be sure that the email really comes from the person it claims to. This method is a little complex to set up (at least more complex than the next one)
- Use SPF
SPF: Sender Policy Framework
SPF allows you, using a DNS record on your domain, to authorize only a defined set of servers to send emails for your domain.
Once the DNS record is created, you will be able to configure your Exchange server (or whatever you use) to block incoming emails that fail the SPF check.
Add the DNS record on your domain
The DNS record can be created in your DNS zone file, either as a TXT record or as an SPF record. This Microsoft website will guide you through creating your own SPF record based on your needs; then you will just have to add it to your domain. In my case, my SPF record will be:
@ 1800 IN TXT "v=spf1 a mx ip4:18.104.22.168/16 ip4:22.214.171.124/16 ip4:126.96.36.199/16 -all"
- a means that every host listed in an A record of your domain is allowed to send emails
- mx means that every host listed in an MX record of your domain is allowed to send emails
- ip4 is used to add allowed IP addresses or ranges. In my case, 3 ranges in which I have several servers
- -all means that every other server attempting to send emails for your domain will fail the SPF check.
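To see how a receiving server evaluates such a record, here is an added example (not part of the original post) of a minimal SPF checker in Python covering the a, mx, ip4, ip6 and all mechanisms with their qualifiers. The DNS answers are a constructed in-memory table for a hypothetical domain example.com; a real implementation would query DNS and also handle include, redirect and the 10-lookup limit.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (hypothetical zone).
DNS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}

# Record from the post, as a receiving server would read it from the TXT record.
RECORD = "v=spf1 a mx ip4:18.104.22.168/16 ip4:22.214.171.124/16 ip4:126.96.36.199/16 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def host_matches(ip, name):
    """True if the connecting IP is one of the A records of `name`."""
    return any(ip == ipaddress.ip_address(addr) for addr in lookup(name, "A"))


def check_spf(record, client_ip, domain):
    """Evaluate a v=spf1 record for one connecting IP; returns the SPF result."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # `in` is False when address and network families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_matches(ip, arg or domain)
        elif mech == "mx":
            matched = any(host_matches(ip, mx) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include/exists/redirect not handled here
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"  # no mechanism matched and no "all" present
```

With this record, only hosts behind the a, mx or ip4 mechanisms get "pass"; any other source IP reaches "-all" and gets "fail", which is what Exchange sees as a failed Sender ID check.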
From then on, once the DNS change has propagated properly, if an email is sent from a server that is not allowed by your SPF record, you will see the following in the email headers: "Received-SPF: Fail"
Configure Exchange 2007 to reject all emails with a failed SPF check
In your Exchange Management Console, go to "Organization configuration", "Transport Hub", "Anti-Spam" tab.
Enable the "Sender ID" line, then right-click on it, go to Properties, then "Action". In this tab, you can configure how your Exchange server will deal with emails that fail the SPF check; in my case, I simply reject them.
Rejected emails are refused with this error code: "550 5.7.1 Sender ID (PRA) Not Permitted".
You should now be protected against this type of SPAM.