While on a business trip I received a frantic call from my daughter because Norton Antivirus kept popping up. She received an email from the postmaster at her college telling her that her email account was used to send spam and instructing her to run the attachment included with the message. The conversation began like this:
"You didn't run it, did you?"
"Yes, it was from the postmaster at JMU."
"No, it wasn't, it was a virus."
"MOM, It was from the postmaster."
Fortunately, Norton Antivirus didn't allow the virus to send any email and she had enough sense to turn the computer off and wait for me to return home.
Many of the recent viruses have used administrative or generic addresses in the From field, such as postmaster@, administrator@, no-reply@, or admin@, in an effort to convince users that the message came from their IT department. It comes as no surprise to me that this works, even after users have heard "Don't open unsolicited attachments" over and over, because users worry that they might be the ones sending viruses.
When I first heard about the new variant of MyDoom, less than 12 hours before her call, I wondered why so many mail servers accept mail from the Internet whose From address is an internal address such as postmaster or administrator. If those addresses are rejected on inbound mail, users can't be tricked into believing a message is from their administrators. These addresses should only be used to send email within the network or out to the Internet, never to send email in from outside.
It's easy to blacklist mail from these addresses using Exchange Server, either for the entire domain or just for specific addresses. Some administrators will argue that no one in their domain needs to send mail into the network through the gateway SMTP server at all, and users do have legitimate reasons to send mail from their domain address via an outside SMTP server. There is little reason, however, for postmaster, webmaster, sales, administrator, or many other generic aliases to send mail into the network from the Internet.
To block addresses from sending inbound mail, configure these settings in Exchange 2000/2003:
- Open the Exchange System Manager and Expand Global Settings.
- Right click on Message delivery and choose Properties.
- Add the addresses you don't want to accept mail from to the Sender Filtering list.
While I haven't discovered the limit for Exchange 2003, Exchange 2000 holds approximately 800 addresses, and you can use wildcards in the entries. If you want to block all inbound mail sent "from" addresses in your own domain, add *@*smtp_domain_name.com to the filter; otherwise, add individual addresses.
When you are finished entering addresses, you need to enable filtering on each SMTP virtual server that accepts email from the Internet.
- To do this, expand the Servers node, then find protocols and expand SMTP.
- Right-click the SMTP server instance and click the Advanced button on the General tab. Select the IP address and choose Edit.
- Enable the filters you want to use on the virtual server and close the dialog.
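To make the filtering rule concrete, here is an added example (my own model, not Exchange code) of what the Sender Filtering list and the per-virtual-server scoping above amount to: a small Python filter that rejects the envelope sender only when the connection comes from outside the network and the address matches a blocked entry. The internal address ranges, the example.com domain, the filter entries, and the sample session records are all constructed for the example; the wildcard semantics are modelled with shell-style patterns, since the page doesn't spell out Exchange's exact rules.

```python
"""Model of inbound sender filtering in the style of Exchange 2000/2003 Sender Filtering.
Added example, not Exchange code; all networks, domains and log records are constructed."""
import fnmatch
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: hosts in these ranges are "inside" the network. Mail they submit is
# internal or outbound, so the inbound filter is never applied to it.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed filter list; example.com stands in for the real SMTP domain.
SENDER_FILTER = [
    "postmaster@example.com",
    "administrator@example.com",
    "admin@example.com",
    "no-reply@example.com",
    "webmaster@example.com",
    "sales@example.com",
]

# The page's "block everything claiming to be from our domain" pattern.
DOMAIN_WIDE_FILTER = ["*@*example.com"]


def normalize(mail_from: str) -> str:
    """Reduce a MAIL FROM argument such as ' <Postmaster@Example.COM> ' to a lowercase address."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip().lower()


def is_internal(client_ip: str) -> bool:
    """True when the connecting host sits in one of the constructed internal ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETWORKS)


def matches_filter(address: str, patterns: Iterable[str]) -> bool:
    """Shell-style wildcard match (assumption: models the '*' entries the filter accepts)."""
    return any(fnmatch.fnmatchcase(address, p.lower()) for p in patterns)


def should_reject(client_ip: str, mail_from: str, patterns: Iterable[str] = SENDER_FILTER) -> bool:
    """Reject only when the session comes from the Internet AND the envelope sender
    claims one of the filtered internal addresses."""
    if is_internal(client_ip):
        return False
    addr = normalize(mail_from)
    if not addr:  # the null sender <> carries bounces; leave it alone
        return False
    return matches_filter(addr, patterns)


def apply_to_session_log(lines: Iterable[str], patterns: Iterable[str] = SENDER_FILTER) -> List[Tuple[str, str, str]]:
    """Walk constructed 'client_ip MAIL FROM:<addr>' records and return (ip, address, action)."""
    results = []
    for line in lines:
        ip, _, cmd = line.partition(" ")
        mail_from = cmd.split(":", 1)[1]
        action = "550 reject" if should_reject(ip, mail_from, patterns) else "250 accept"
        results.append((ip, normalize(mail_from), action))
    return results


# Constructed sample session records
SAMPLE_LOG = [
    "203.0.113.7 MAIL FROM:<postmaster@example.com>",    # the MyDoom-style lure from outside
    "203.0.113.7 MAIL FROM:<Administrator@EXAMPLE.com>", # case differences don't help it
    "203.0.113.9 MAIL FROM:<alice@example.com>",         # a user relaying via an outside SMTP server
    "10.1.2.3 MAIL FROM:<postmaster@example.com>",       # internal host, not subject to the filter
    "203.0.113.9 MAIL FROM:<>",                          # a bounce, accepted
]

if __name__ == "__main__":
    for ip, addr, action in apply_to_session_log(SAMPLE_LOG):
        print(f"{ip:14} {addr or '<>':32} {action}")
```

One thing the model makes visible: a pattern of the form *@*smtp_domain_name.com also matches any outside domain that merely ends in that string (bob@notexample.com is caught by *@*example.com), so a domain-wide entry is broader than it looks, and a short list of named aliases is the more precise choice when outside users do need to relay mail from their own domain address.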