The Exchange Sender filter must block unaccepted domains.

From Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide

Part of SRG-APP-000261

Associated with: CCI-001308

SV-95261r1_rule The Exchange Sender filter must block unaccepted domains.

Vulnerability discussion

Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of email servers. Limiting exposure to unfiltered inbound messages can reduce the risk of spam and malware impacts. The Global Deny list blocks messages originating from specific sources. Most blacklist filtering is done using a commercial Block List service, because eliminating threats from known spammers prevents the messages being evaluated inside the enclave where there is more risk they can do harm. Additional sources should also be blocked to supplement the contents of the commercial Block List service. For example, during a zero-day threat action, entries can be added and then removed when the threat is mitigated. An additional best practice is to enter the enterprise’s home domains in the Deny List, because inbound email with a "from" address of the home domain is very likely to be spoofed spam.

Check content

Review the Email Domain Security Plan (EDSP). Determine the unaccepted domains that are to be blocked. Open the Exchange Management Shell and enter the following command: Get-SenderFilterConfig | Select Name, BlockedDomains, BlockedDomainsAndSubdomains If the value for "BlockedDomains" or "BlockedDomainsAndSubdomains" does not reflect the list of accepted domains, this is a finding.

Fix text

Update the EDSP to reflect the unaccepted domains that are to be blocked. Open the Exchange Management Shell and enter the following command: For BlockedDomains: Set-SenderFilterConfig -BlockedDomains Repeat the procedure for each domain that is to be blocked. or For BlockedDomainsAndSubdomains: Set-SenderFilterConfig -BlockedDomainsAndSubdomains Repeat the procedure for each domain and all of its subdomains that are to be blocked.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer