Introduction
As many of you already know Sender ID is an e-mail industry initiative invented by Microsoft and a few other industry leaders. The purpose of Sender ID is to help counter spoofing, which is the number one deceptive practice used by spammers. Sender ID works by verifying every e-mail message indeed originates from the Internet domain from which it was sent. This is accomplished by checking the address of the server sending the mail against a registered list of servers that the domain owner has authorized to send e-mail.
In Figure 1 below I’ve tried to illustrate a very basic SPF scenario.
Figure 1: How SPF works
Sender ID can be implemented on an Internet facing Exchange server located directly in the perimeter network (aka DMZ, demilitarized zone or screened subnet), or behind another type of SMTP server such as Sendmail.
Configuring the Sender ID Filter
When Exchange 2003 SP2 has been applied, the Sender ID options can be found by taking Properties of the Message Delivery object under Global Settings in the Exchange System Manager console.
Figure 2: Properties of the Message Delivery object in ESM
Figure 3: IP addresses of the servers handling incoming SMTP mail in your organization
As you can see the content of the General tab has been changed a bit, we now have the option of specifying the IP addresses of any server in our perimeter network (aka DMZ, demilitarized zone or screened subnet), as well as the range of IP addresses within our organization. We’ll get back to the option under this tab later.
Let’s click the Sender ID Filtering tab (see Figure 4). This is where you specify how the server should handle messages that fail Sender ID validation.
Note
Before you enable Sender ID you should make sure that you have applied the hotfix mentioned in MS KB article: 905214 – Windows Server 2003 may stop responding when you enable Sender ID filtering on an SMTP virtual server in Exchange Server 2003 SP2. If you’re running Exchange Server 2003 with SP2 on a Windows 2000 based server it’s only possible to get the required hotfix if you have an extended support contract. If this is the case you should contact your Microsoft account representative for information about obtaining the hotfix for Windows 2000 Server.
Figure 4: Sender ID modes
As you can see in Figure 4 above Sender ID can work in 3 different modes, I have listed each of them with a short description in Table 1 below.
Table 1: Sender ID modes
Sender ID modes
Description
Accept (default)
This option should be used if you want the Sender ID filter to stamp the validation results to the message and be processed by further anti-spam processing, such as intelligent message filtering. Note that this is the default option.
Delete
This option should be used if you want the Sender ID filter to accept the mail and then delete it without sending the non-delivery report (NDR) to the user.
Reject
This option should be used if you want the Sender ID filter to reject the mail on the SMTP protocol level and issue an NDR message to the user. Specifically, the sending server is responsible for generating an NDR.
Bear in mind that even though you choose the Accept mode, the messages will be stamped with the Sender ID status (a message property) which will be passed to the next filter, typically the Intelligent Message Filter, which then will take the Sender ID result (contained in the message property) into account when triggering the appropriate Spam Confidence Level (SCL) score.
Note
Some of you may know the SCL score which the Intelligent Message Filter stamps on each message can be exposed in Outlook 2003 (for instructions see this post on the MS Exchange team blog). The cool thing is you can use a similar method when dealing with Sender ID results added to the messages, for instructions see this post, also on the MS Exchange team blog.
Enabling the Sender ID Filter
As is also the case with the other Exchange filtering features, you need to enable Sender ID filtering under the default SMTP virtual server, as can be seen in Figure 5 below. You only have to enable Sender ID filtering on any Exchange server accepting mail from the Internet, or on the first Exchange server located behind another type of Internet facing SMTP server such as SendMail or whatever is used in your particular organization.
Figure 5: Enabling the Sender ID filter
When you enable Apply Sender ID Filter you’ll receive the message shown in Figure 6, so if you haven’t already done so you should go set the appropriate option under the Sender ID filtering tab shown back in Figure 4.
Figure 6: Warning Message when enabling Sender ID Filter
If you enable Sender ID filtering on an Exchange server behind the perimeter network (aka DMZ, demilitarized zone or screened subnet), you should also make sure you specify the IP addresses of the servers in your internal network that you want to be excluded from Sender ID filtering. This is done by clicking the Add button under the General tab (Figure 3).
Sender ID Results
Sender ID can provide several different results; I’ve listed each of them as well as a short description and the action taken in Table 2 below.
Table 2: Sender ID Results
Sender ID Result
Description
Action taken
Neutral
Domain is neutral (makes no decision about IP address)
Stamp and Accept
Pass (+)
IP address permitted
Stamp and Accept
Fail (-)
– Domain doesn’t exist
– Sender isn’t permitted
– Malformed domain
– No PRA (Purported Responsible Address) in header
IP address not permitted
Stamp and Accept then either Delete or Reject
Soft Fail (~)
IP address not permitted
Stamp and Accept
None
No SPF record published for the domain
Stamp and Accept
TempError
Transient error (could be unreachable DNS server)
Stamp and Accept
Perm Error
Possible error in record, so couldn’t be read correctly
Stamp and Accept
Monitoring Sender ID Filtering
Sender ID also adds several performance counters to your Exchange 2003 server, these can be found under a Performance object named MSExchange Sender ID. I’ve listed each Sender ID performance counter in Table 3 below.
Table 3: Sender ID Performance Counters
Performance counter
Description
DNS Queries per Second
The number of DNS queries per second performed by Sender ID
Messages Missing Originating IP per Second
The number of messages per second for which the originating IP could not be determined
Messages Validated by Sender ID per Second
The number of messages validated by Sender ID per second
Message Validated per Second with a Fail – Malformed Domain Result
The number of messages validated per second with a result of Fail – Malformed Domain
Message Validated per Second with a Fail – Non-existent Domain Result
The number of messages validated per second with a result of Fail – Non-existent Domain
Message Validated per Second with a Fail Not – Permitted Result
The number of messages validated per second with a result of Fail – Not Permitted
Message Validated per Second with a Neutral Result
The number of messages validated per second with a result of Neutral
Message Validated per Second with a Pass Result
The number of messages validated per second with a result of None
Message Validated per Second with a PermError Result
The number of messages validated per second with a result of PermError
Message Validated per Second with a SoftFail Result
The number of messages validated per second with a result of SoftFail
Message Validated per Second with a TempError Result
The number of messages validated per second with a result of TempError
Messages with No PRA per Second
The number of messages per second that do not have a valid Purported Responsible Address
Total DNS Queries
The total number of DNS queries performed by Sender ID
There’s also a Performance counter for total messages in addition to messages per second, but as they are identical there’s no reason to list them as well. To get an understanding of what’s going on behind the hood it’s a very good idea to take a closer look at each of these performance counters.
Figure 7: Sender ID performance counter objects
Creating SPF records for you own domain(s)
As more and more organizations, with the release of Exchange 2003 SP2, will enable Sender ID filtering in their messaging environments, it would be wise to start think about creating SPF records for your own domain(s). To create your own SPF record(s) you can use this Sender ID Framework SPF Record Wizard which is shown in Figure 8 below.
Figure 8: Sender ID tool to create SPF records for your own domains
When the SPF record(s) have been created you just need to have it/them published on the DNS server hosting your domain. You can typically do this yourself by logging into the web-based admin page from where you administer your domains, or you can let your DNS provider to do it for you.
In order to check which IP addresses are allowed to send mail for a given domain you can use a wizard such as this one over at DNStuff.com, or open a command prompt and type nslookup –q=TXT domain.com. You should then be able to see the SPF record including the list of the IP addresses allowed to send e-mail messages for this domain.
Conclusion
Sender ID filtering in Exchange 2003 SP2 is a welcome addition in the fight against domain spoofing. Since the introduction of the Sender Policy Framework initiative many 3rd party antispam solutions have supported this feature, but not as many as we could have hoped for have created SPF records for their domains. Now that Sender ID filtering, with Exchange 2003 SP2, is a native feature in the Exchange product, let’s hope even more Exchange organizations around the world will take the time to enable Sender ID filtering in their environment and at least, just as important, create SPF records for their domains; otherwise the feature is more or less useless.
Related links
Sender ID Framework Overview: Verification System Aims to Reduce Spam and Increase Safety Online:
http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx
Sender ID Technology: Information for IT Professionals:
http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx
Sender ID Resources: Tools and Information About the Technology:
http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx
Sender ID Tool:
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
You Had Me At EHLO… : Sender ID:
http://blogs.technet.com/exchange/archive/2005/10/13/412487.aspx
TechNet Webcast: A Comprehensive Look at Anti-Spam Technologies in Exchange 2003 SP2 (Level 300)
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032282012&EventCategory=5&culture=en-US&CountryCode=US
