Preventing External Spoofed Spam From Authoritative Address Spaces or Domains

I’ve been receiving a very particular kind of spam lately - one where the sender was spoofed as myself.

My SPF record already caused these messages to FAIL or SOFTFAIL (I tried both ~all and -all):

X-MS-Exchange-Organization-PRD: justinho.com
 Received-SPF: SoftFail (EXETER.jupiterstation.justinho.com: domain of  transitioning justinho.com discourages use of 83.237.188.247 as permitted sender)

But the problem was that the sender was myself, so I was on my own safe list, and safe lists override everything, setting the SCL to -1. So the email never went into my Junk mailbox:

 X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList
 X-MS-Exchange-Organization-SCL: -1
 X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL

Exchange 2007 Edge Transport servers (SP1, at least) appear to create their Internet Receive Connectors, by default, with the “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender” extended right granted to anonymous connections. That right essentially says, “accept email from senders that claim to be from domains I am authoritative for,” as per http://technet.microsoft.com/en-us/library/aa997170.aspx. While it is granted, any host on the Internet can put one of your own addresses in MAIL FROM and the Edge server will accept it; SPF then marks the message as a failure, but a safe-list entry for that address overrides the SPF result.

So I removed the permission from the Internet-facing Receive Connector on my Edge server. (I named my Internet-facing Receive Connector “InternetInbound” in this example, so that the name does not need quoting because of spaces.)

>remove-ADPermission -Identity InternetInbound -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Confirm
 Are you sure you want to perform this action?
 Removing Active Directory permission "InternetInbound" for user "NT AUTHORITY\ANONYMOUS LOGON" with access rights "'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'".
 [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
 (default is "Y"):a

Result: when an anonymous (unauthenticated) session sends a MAIL FROM address in a domain the Edge server is authoritative for, the command is refused with a 550 5.7.1 and the message is never accepted. The sending side sees an NDR like this:

cairo.justinho.com #<cairo.justinho.com #5.7.1 smtp; 550 5.7.1 Anonymous client does not have permissions to send as this sender> #SMTP#
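To confirm the rejection from the outside, rather than waiting for the next spoofed message to arrive, the following added example (not from the original post) opens a raw SMTP session from an external host and checks the reply to a MAIL FROM in one of the server’s authoritative domains. The host name, spoofed address and EHLO name are parameters you should replace with your own; the defaults are assumptions based on the names used in this post.

```powershell
# Added example, not from the original post: open an SMTP session to the Edge server
# from an outside host and check whether an anonymous MAIL FROM in one of its
# authoritative domains is refused. Host, spoofed address and EHLO name are assumptions.
function Test-SpoofedSenderRejected {
    [CmdletBinding()]
    param(
        [string]$MxHost  = "cairo.justinho.com",    # assumption: the Edge server as seen from the Internet
        [string]$Spoofed = "someone@justinho.com",  # assumption: an address in an authoritative domain
        [string]$Helo    = "probe.example.net"      # assumption: any name for the EHLO greeting
    )

    $client = New-Object System.Net.Sockets.TcpClient($MxHost, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"   # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Read one SMTP reply; continuation lines look like "250-", the final line like "250 "
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            Write-Verbose "<<< $line"
        } while ($line -match '^\d{3}-')
        return $line
    }

    try {
        $null = Read-Reply                                     # 220 banner
        $writer.WriteLine("EHLO $Helo");  $null = Read-Reply   # 250 capabilities
        $writer.WriteLine("MAIL FROM:<$Spoofed>")
        $reply = Read-Reply                                    # the reply that matters
        $writer.WriteLine("QUIT")
        Write-Host "MAIL FROM:<$Spoofed> -> $reply"
        # With the right removed, Exchange answers 550 5.7.1 here; with it still granted, 250
        return ($reply -match '^550 5\.7\.1')
    }
    finally {
        $client.Close()
    }
}

# Usage from a host outside your network: returns $true when the spoof is refused
Test-SpoofedSenderRejected -Verbose
```

Run it from a machine that is not one of your own servers or relays, since those may connect through a different Receive Connector with different permissions. If the function returns $false and the reply was a 250, the anonymous permission is still in place on the connector that answered.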

I suggest you enable protocol logging on the connector for the first few days to confirm that only spoofed senders are being refused (the accepted values are None and Verbose; the logs land under TransportRoles\Logs\ProtocolLog\SmtpReceive in the Exchange install directory by default):

>set-ReceiveConnector -Identity "EXETER\InternetInbound" -ProtocolLoggingLevel Verbose

You can add the permission back if you don’t like the result:

>add-ADPermission -Identity InternetInbound -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

You can also check the current extended permissions applied to all Receive Connector objects on a particular server (formatted here to show only the columns you’re interested in; `table` is not a cmdlet, so use Format-Table or its alias ft):

> Get-ReceiveConnector | Get-ADPermission | Format-Table Identity,User,ExtendedRights -Wrap
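The manual steps above (inspect the connectors, remove the right from the Internet-facing one, turn on protocol logging) can be folded into one script. The following is an added example, not from the original post: it reports every Receive Connector on the Edge server that still grants the authoritative-sender right to ANONYMOUS LOGON and, only when run with -Fix, removes the right from the Internet-facing connector and enables verbose protocol logging on it. The connector name “InternetInbound” is an assumption carried over from this post.

```powershell
# Added example, not from the original post: audit every Receive Connector on this
# Exchange 2007 Edge server for the right that lets anonymous (Internet) sessions use
# MAIL FROM addresses in your own accepted domains, and optionally strip it from the
# Internet-facing connector. Run in the Exchange Management Shell on the Edge server.
param(
    [string]$InternetConnector = "InternetInbound",   # assumption: your Internet-facing connector
    [switch]$Fix                                      # without -Fix the script only reports
)

$Right = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$Anon  = "NT AUTHORITY\ANONYMOUS LOGON"

foreach ($rc in Get-ReceiveConnector) {
    # Allow ACEs for ANONYMOUS LOGON on this connector that carry the authoritative-sender right
    $grants = @($rc | Get-ADPermission -User $Anon |
        Where-Object { -not $_.Deny -and (($_.ExtendedRights | ForEach-Object { "$_" }) -contains $Right) })

    if ($grants.Count -eq 0) {
        Write-Host ("{0,-40} OK    anonymous senders cannot claim your domains" -f $rc.Identity)
        continue
    }

    Write-Host ("{0,-40} OPEN  anonymous senders may use your own domains in MAIL FROM" -f $rc.Identity)

    # Only touch the connector you have identified as Internet-facing; internal connectors
    # (for example the one that takes mail from the Hub) are reported but left alone
    if ($Fix -and $rc.Name -eq $InternetConnector) {
        # Same operation the post performs by hand, minus the interactive prompt,
        # followed by verbose protocol logging so the first rejections can be reviewed
        $rc | Remove-ADPermission -User $Anon -ExtendedRights $Right -Confirm:$false
        $rc | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
        Write-Host ("{0,-40} FIXED right removed, protocol logging set to Verbose" -f $rc.Identity)
    }
}
```

Run it without -Fix first and read the report; a connector that legitimately needs the right (one that only accepts mail from your own relays or applications, ideally restricted by RemoteIPRanges) should stay OPEN on purpose, and only the connector exposed to the Internet should be fixed.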

Considerations: