
My company is receiving a lot of spoofed emails. For example, user@mycompany.com receives emails from user@mycompany.com containing malware or bad links.

My domain mycompany.com has an SPF record set up (which I know is valid). We are running Microsoft Exchange 2013; therefore, I am under the impression that as long as I have SenderID -SpoofedDomainAction set to "Reject", all mail should flow perfectly, however any incoming mail which has a fake from address should be immediately rejected.

I enabled this setting by typing the following into PowerShell:

Set-SenderIDConfig -SpoofedDomainAction Reject

Following this, I typed

Get-SenderIDConfig

The results are below:

RunspaceId            : 84d80932-a4e4-470e-a71d-35e88c0d3073
SpoofedDomainAction   : Reject
TempErrorAction       : StampStatus
BypassedRecipients    : {}
BypassedSenderDomains : {}
Name                  : SenderIdConfig
Enabled               : True
ExternalMailEnabled   : True
InternalMailEnabled   : False
AdminDisplayName      :
ExchangeVersion       : 0.1 (8.0.535.0)
DistinguishedName     : CN=SenderIdConfig,CN=Message Hygiene,CN=Transport Settings,CN=mydomain Contracting,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,DC=mccoskers,DC=com,DC=au
Identity              : SenderIdConfig
Guid                  : 6e0ea226-f298-4b33-8d15-f8981f3f65ac
ObjectCategory        : internal.mydomain.com/Configuration/Schema/ms-Exch-Message-Hygiene-Sender-ID-Config
ObjectClass           : {top, msExchAgent, msExchMessageHygieneSenderIDConfig}
WhenChanged           : 16/12/2015 3:42:45 PM
WhenCreated           : 19/03/2013 12:37:15 PM
WhenChangedUTC        : 16/12/2015 5:42:45 AM
WhenCreatedUTC        : 19/03/2013 2:37:15 AM
OrganizationId        :
Id                    : SenderIdConfig
OriginatingServer     : MCC-FS2.internal.mydomain.com
IsValid               : True
ObjectState           : Unchanged

After restarting the Transport service, I went to http://www.anonymailer.net/ and sent a spoofed email; however, it was not rejected and it arrived in my inbox within a few minutes.

Is there anything else that I need to do to get this working?

1 Answer

Have you actually attempted to do an SPF lookup from the Exchange server for your own domain? In certain configurations - where the external domain is also the name of your internal Windows domain - you need to add SPF records to your internal DNS zone, so Exchange can actually see it.

Although I would probably recommend that you deploy a third-party tool to do the filtering, as the built-in filter is very weak without an Edge server. For the cost of an additional Exchange and Windows licence you can get a third-party tool with a lot more functionality and reporting.

Simon.

Sembee
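As an added example (not part of the question or of Simon's answer), here is a PowerShell diagnostic that works through the checks the answer raises: whether the Sender ID agent is actually installed on the Mailbox server, which resolvers the Transport service uses, whether the SPF record is visible from the internal zone as well as from a public resolver, how to copy it into the internal zone in a split-DNS setup, and whether the delivered spoofed message carries a Sender ID verdict at all. The server name MCC-FS2 comes from the question; the domain controller name DC1, the public resolver 8.8.8.8 and the path spoofed-headers.txt are assumptions for illustration. Run it from the Exchange Management Shell on the Exchange server so the lookups use that machine's DNS configuration.

```powershell
# Added diagnostic example; not code from the original question or answer.
# Assumptions: mycompany.com is the external domain, MCC-FS2 the Exchange
# server, DC1 a domain controller hosting the internal copy of the zone,
# and .\spoofed-headers.txt the saved headers of one delivered spoofed message.
$Domain      = 'mycompany.com'
$Exchange    = 'MCC-FS2'
$InternalDns = 'DC1'
$PublicDns   = '8.8.8.8'

# 1. Is the Sender ID agent present and enabled on the Mailbox server?
#    Without an Edge server the anti-spam agents must be added with
#    Install-AntiSpamAgents.ps1; Set-SenderIdConfig has no effect otherwise.
Get-TransportAgent | Where-Object { $_.Identity -like 'Sender Id*' } |
    Format-Table Identity, Enabled, Priority -AutoSize

# 2. Which resolvers does Transport use for its lookups?
Get-TransportService -Identity $Exchange |
    Format-List InternalDNSServers, ExternalDNSServers, ExternalDNSAdapterEnabled

# 3. Sender ID only evaluates mail from sources it treats as external.
#    The spoofing source must not appear in InternalSMTPServers.
(Get-TransportConfig).InternalSMTPServers

# Return the v=spf1 TXT record for a name as seen by a given resolver, or $null.
function Get-SpfRecord {
    param([string]$Name, [string]$Server)
    try {
        $txt = Resolve-DnsName -Name $Name -Type TXT -Server $Server -ErrorAction Stop |
               Where-Object { ($_.Strings -join '') -match '^v=spf1' } |
               Select-Object -First 1
        if ($txt) { $txt.Strings -join '' } else { $null }
    } catch { $null }
}

# 4. Compare the public view of the SPF record with the internal zone's view.
$public   = Get-SpfRecord -Name $Domain -Server $PublicDns
$internal = Get-SpfRecord -Name $Domain -Server $InternalDns
"Public resolver  : $(if ($public)   { $public }   else { '<no SPF record>' })"
"Internal resolver: $(if ($internal) { $internal } else { '<no SPF record>' })"

# 5. Split DNS: the internal zone shadows the public one, so Exchange never
#    sees the record. Copy the public value into the internal zone.
if ($public -and -not $internal) {
    Add-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName $Domain `
        -Txt -Name '@' -DescriptiveText $public
    "Added SPF TXT record to the internal zone $Domain on $InternalDns"
}

# 6. Did the agent evaluate the delivered test message? The Sender ID agent
#    stamps X-MS-Exchange-Organization-SenderIdResult on messages it processes;
#    if the header is missing, the message never went through the agent.
$headers = Get-Content .\spoofed-headers.txt -Raw
if ($headers -match 'X-MS-Exchange-Organization-SenderIdResult:\s*(\w+)') {
    "Sender ID result stamped on message: $($Matches[1])"
} else {
    "No Sender ID result header: the agent did not process this message"
}
```

If step 4 shows the record from the public resolver but not from the internal one, step 5 is the fix the answer describes. If the record resolves from both and step 6 still reports no header, look at step 1 and step 3 first: an agent that is not installed, or a source the server treats as internal, is never consulted, regardless of what SpoofedDomainAction is set to.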