Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18672 | EMG2-031 Exch2K3 | SV-20288r1_rule | ECSC-1 | Medium |
| Description |
|---|
| SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, then monitor rejected E-mails for non-existent recipients. Those not rejected, of course, are deemed to exist, and are therefore used in future SPAM mailings. To prevent this disclosure of existing E-Mail accounts to SPAMmers, this feature should not be employed. Instead, it is recommended that all messages be received, then evaluated and disposed of without enabling the sender to determine recipients that are existing vs. non-existing. |
| STIG | Date |
|---|---|
| Microsoft Exchange Server 2003 | 2014-08-19 |
Details
| Check Text ( C-22391r1_chk ) |
|---|
| Interview the E-mail Administrator or the IAO. Request documentation that indicates Nonexistent Recipient filters are in place and set to allow messages, on an Edge Transport Server role (E-mail Secure Gateway)at the network perimeter. Criteria: If non-existent recipients' messages are received for evaluation, this is not a finding |
| Fix Text (F-19319r1_fix) |
|---|
| Implement perimeter-based protection in the form of an Edge Transport Server role (E-mail Secure Gateway) filtering mechanism that performs, among other protections, Non-Existent Recipient filtering that does not alert senders to non-existent recipients. |