Exchange nonexistent recipients must not be blocked.
Overview
Finding ID: V-221236
Version: EX16-ED-000370
Rule ID: SV-221236r961161_rule
IA Controls:
Severity: Medium
Description
Spam originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names and then monitor rejected emails for nonexistent recipients. Those not rejected are deemed to exist and are used in future spam mailings.
To prevent this disclosure of existing email accounts to spammers, email to nonexistent recipients must not be blocked. Instead, it is recommended that all messages be received, then evaluated and disposed of without enabling the sender to determine existent vs. nonexistent recipients.
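
One way to audit this setting on an Edge Transport server, as an added example that is not part of the STIG text. It assumes the Exchange Management Shell cmdlets Get-RecipientFilterConfig and Set-RecipientFilterConfig and their RecipientValidationEnabled property, which this page does not name; the function name, the result fields and the sample object are constructed for illustration.

```powershell
# Added example: audit the recipient filter setting behind V-221236.
# Run in the Exchange Management Shell on the Edge Transport server.

function Test-RecipientValidation {
    param(
        # Any object exposing RecipientValidationEnabled, normally the
        # output of Get-RecipientFilterConfig (assumed cmdlet, see lead-in).
        [Parameter(Mandatory)] $Config
    )

    # When recipient validation is on, mail to addresses not found in the
    # directory is rejected, which tells the sender which names exist.
    $enabled = [bool]$Config.RecipientValidationEnabled

    [pscustomobject]@{
        FindingId                  = 'V-221236'
        RecipientValidationEnabled = $enabled
        Status                     = if ($enabled) { 'Open' } else { 'NotAFinding' }
        Detail                     = if ($enabled) {
            'Nonexistent recipients are rejected; senders can tell valid from invalid addresses.'
        } else {
            'Mail to nonexistent recipients is accepted and disposed of later.'
        }
    }
}

# Constructed sample input so the logic can be exercised off-box.
$sample = [pscustomobject]@{ RecipientValidationEnabled = $true }
Test-RecipientValidation -Config $sample

# Live check, only where the Exchange cmdlets are loaded.
if (Get-Command Get-RecipientFilterConfig -ErrorAction SilentlyContinue) {
    Test-RecipientValidation -Config (Get-RecipientFilterConfig)

    # Remediation is left commented out so the audit stays read-only:
    # Set-RecipientFilterConfig -RecipientValidationEnabled $false
}
```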