Manage Learn to apply best practices and optimize your operations.

How to protect an Exchange journaling mailbox from email spoofing

In pure Exchange Server 2007 environments, traffic that flows between the hub transport servers and the mailbox servers is encrypted. This makes man-in-the-middle attacks unlikely against an Exchange journaling system, but not impossible. Get the steps to protect your Exchange Server journaling mailbox from malicious attacks to secure your email archiving solution.

In pure Exchange Server 2007 environments, traffic flowing between hub transport servers and mailbox servers is encrypted. This makes a man-in-the-middle attack unlikely against an Exchange journaling system. However, even though this traffic is encrypted, the journaling process isn't entirely secure. Learn the steps to secure your Exchange journaling mailbox from malicious attacks.

An Exchange journaling system isn't completely secure because it's very easy to spoof an email message. When you send an email message, Microsoft Outlook combines the sender, subject line, body, etc., with various SMTP commands and then sends the message. In fact, you can use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.

Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else. Spammers use a similar technique all the time.

Being able to spoof an email message is only half the battle. A hacker must also know the email address of the mailbox that's being used as the journal repository. With these two factors in place, it's fairly easy for a hacker to sneak a spoofed message into the journaling mailbox.

Some defenses are available for those techniques.

Protecting Exchange email archives from spoofing attacks

The key to defending your archives against these types of attack is to understand that there's a difference between the sender and the display name. The display name is the name the recipient sees; it has no value in authenticating the user. The user's true identity is connected to the account's graphical user ID (GUID). Therefore, if an authenticated user sends a spoofed message to a recipient mailbox in the same Exchange Server organization, the spoofed display name might fool the recipient. But Exchange knows who actually sent the message because of how the sender was authenticated.

This is important because journaling always sends messages to the designated recipient mailbox in a consistent manner regardless of who sent or received the message being journaled. For example, suppose that User1 sends a message to User2, and Exchange is set up to journal a copy of the message to a mailbox called Journal.

More on Exchange journaling and email archiving:
Exchange Server 2007 journaling tutorial

Email archiving and retention with Exchange 2007 managed folders

In this situation, User1 or User2 won't send the message to the Journal mailbox; it will send it to Exchange. Next, the Exchange server sends the message as "Microsoft Exchange" on behalf of the message's original sender.

If we know that all email messages sent to the journaling mailbox are supposed to be from Microsoft Exchange, we can take steps to prevent anyone else from sending messages to this mailbox. Not publishing the mailbox in the directory is one way to do this. A further step would be to ensure that only the Exchange server can place items into the journaling mailbox. To do this:

  1. Open the Exchange Management console and navigate to Recipient Configuration -> Mailbox.
  2. Right click on the journaling mailbox and choose Properties from the menu. This causes the console to display the mailbox's properties sheet.
  3. Go to the properties sheet's Mail Flow Settings tab and select the Message Delivery Restrictions option. Then click the Properties button to display the Message Delivery Restrictions dialog box.

You can require that all senders to the mailbox are authenticated, and you can choose to only accept specific senders (see Figure 1). For a journaling mailbox, accept only messages from Microsoft Exchange.

Exchange server message delivery restrictions for the journaling mailbox
Figure 1. You can allow only the Exchange server to send messages to the journaling mailbox.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Exchange Server setup and troubleshooting