UCF STIG Viewer Logo

The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18672 EMG2-031 Exch2K3 SV-20288r1_rule ECSC-1 Medium
Description
SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, then monitor rejected E-mails for non-existent recipients. Those not rejected, of course, are deemed to exist, and are therefore used in future SPAM mailings. To prevent this disclosure of existing E-Mail accounts to SPAMmers, this feature should not be employed. Instead, it is recommended that all messages be received, then evaluated and disposed of without enabling the sender to determine recipients that are existing vs. non-existing.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22391r1_chk )
Interview the E-mail Administrator or the IAO. Request documentation that indicates Nonexistent Recipient filters are in place and set to allow messages, on an Edge Transport Server role (E-mail Secure Gateway)at the network perimeter.

Criteria: If non-existent recipients' messages are received for evaluation, this is not a finding
Fix Text (F-19319r1_fix)
Implement perimeter-based protection in the form of an Edge Transport Server role (E-mail Secure Gateway) filtering mechanism that performs, among other protections, Non-Existent Recipient filtering that does not alert senders to non-existent recipients.