Sender ID


You may already know that Exchange 2003 SP2 includes a new feature: SenderID support. SenderID (http://www.microsoft.com/senderid) is the e-mail authentication framework that targets one of the most common security issues in SMTP message transfer: spoofing. In short, Sender ID allows the administrators of an e-mail domain to protect the identity of that domain by registering a special DNS record, also called an SPF record, that lists the hosts (IP addresses, names, etc.) that are authorized to send e-mail from that domain. For example, the SPF record for the @microsoft.com e-mail domain lists about 20 authorized hosts. You can view the record by running “nslookup -q=TXT microsoft.com” and then “nslookup -q=TXT _spf.microsoft.com”.

 

Exchange 2003 SP2 can query Internet DNS for the SenderID/SPF records of the domain given as the sender domain in an e-mail message and then, depending on the result of that check, take appropriate action on that message. The action can range from blocking the message at the protocol level (for example, when the SenderID check returns the “Failed” status) to passing the message to the next layer of filtering, such as Intelligent Message Filter, which takes the SenderID check result into account when making its anti-spam decisions.

 

To give you a taste of what the SenderID check can accomplish, let’s take a look at the following table of possible SenderID results that can be returned for a given message.

 

  • Stamp and Continue - means acknowledge message acceptance and use SenderID check result in further filtering (such as IMF anti-spam)
  • Reject – means respond with the 550 SMTP error code.   In this case the generation of the Non-Delivery Report (NDR) becomes the responsibility of the sending server.
  • Delete – means acknowledge message acceptance and then turf the message.

| Sender ID check result | Description | Sender ID Actions in E2K3 SP2 |
|---|---|---|
| Neutral (?) | Domain makes no assertion about the IP address | Stamp and Continue |
| Pass (+) | Client is authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| Fail (-): Sender Domain Does not Exist; Sender is not permitted; Malformed domain; No PRA found in the header | Client is explicitly NOT authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue -or- Reject -or- Delete |
| Soft Fail (~) | Client might not be authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| None | No Sender ID records are published for this domain | Stamp and Continue |
| TempError | Receiving server encountered a transient error when performing the check | Stamp and Continue |
| PermError | The domain’s published records couldn’t be correctly interpreted | Stamp and Continue |

 

Probably the most interesting is the “Fail” SenderID check result, as it can prevent spoofed messages from ever entering your environment. Note that the “Fail” SenderID result is also generated for messages whose sender domain does not exist!

 

The other SenderID check results are also helpful because they show the varying degree of trust you can place in messages entering your environment, depending on whether they come from “authorized” or “prohibited” IPs.

 

While all the above is interesting, some people (such as e-mail administrators) may want to see the SenderID result for messages sitting in their mailbox. This can be used for troubleshooting or testing purposes, or perhaps for building client-side rules that take the SenderID check into account. It turns out that this becomes possible with a few simple steps. When Exchange 2003 SP2 evaluates the SenderID status of a message, the result is added to the message as a mailmsg property and persists from Exchange Server to Exchange Server inside the X-EXCH50 blob. When the message arrives at the mailbox server, the Sender ID status is converted to a server-side MAPI property.

 

In the next steps we’ll try to visualize this MAPI property (0x40790003) in our Outlook 2003 client.  While there are multiple ways of doing it, let’s follow the approach that some of you may have used for visualizing the SCL value in Outlook. (http://blogs.technet.com/exchange/archive/2004/05/26/142607.aspx)

Copy the text below into a new text file named SenderID.CFG (in the same location as the .ICO files, usually Program Files\Microsoft Office\Office11\forms\language ID).

```ini
;**********The CFG file**********
[Description]
MessageClass=IPM.Note.SenderID
CLSID={00020D0C-0000-0000-C000-000000000046}
DisplayName=SenderID Extension Form
Category=Standard
Subcategory=Form
Comment=This forms allows the SenderID to be viewed in a column in Outlook
LargeIcon=IPML.ico
SmallIcon=IPMS.ico
Version=1.0
Locale=enu
Hidden=1
Owner=Microsoft Corporation

[Platforms]
Platform1=Win16
Platform2=NTx86
Platform9=Win95

[Platform.Win16]
CPU=ix86
OSVersion=Win3.1

[Platform.NTx86]
CPU=ix86
OSVersion=WinNT3.5

[Platform.Win95]
CPU=ix86
OSVersion=Win95

[Properties]
Property01=SenderID

[Property.SenderID]
;Type 3 (long integer) with ID 0x4079 gives the MAPI property 0x40790003
Type=3
;NmidString=PR_SENDER_ID_STATUS
NmidInteger=0x4079
DisplayName=SenderID

[Verbs]
Verb1=1

[Verb.1]
DisplayName=&Open
Code=0
Flags=0
Attribs=2

[Extensions]
Extensions1=1

[Extension.1]
Type=30
NmidPropset={00020D0C-0000-0000-C000-000000000046}
NmidInteger=1
Value=1000000000000000
;**********END CFG
```

  1. Go into Tools | Options | Other | Advanced Options | Custom Forms | Manage Forms. Hit the Install button, and choose SenderID.CFG …install into your Personal Forms Library
  2. Hit OK several times to return to the main Outlook screen
  3. Right-click on the Column headings in your Inbox (or any other folder) and choose "Field Chooser"
  4. Pull-down the scroll-bar and choose "Forms…"
  5. Set focus to your Personal Forms, choose the SenderID Extension Form, then click Add
  6. Drag and drop the SenderID property into your column headings …and voila, you now should see the SenderID status for messages that come from the Internet through your Exchange 2003 SP2 gateway.

 

Now you are able to correlate the numeric status code to the SenderID result using the following table:

| Sender_ID Result | Numeric Code |
|---|---|
| NEUTRAL | 0x1 |
| PASS | 0x2 |
| FAIL | 0x3 |
| SOFT_FAIL | 0x4 |
| NONE | 0x5 |
| TEMP_ERROR | 0x80000006 |
| PERM_ERROR | 0x80000007 |

As the last step, for those of us who prefer labels to numbers, Outlook allows you to create custom fields based on a formula. To do that, follow these steps.

  1. Right-click on the Column headings in your folder where you enabled SenderID field and choose "Field Chooser"
  2. In the Field Chooser, click New.  Type SID as the field name, use Formula as the Type.  In the Formula field copy&paste the following (without the quotation marks)
    1. “IIf([SenderID]=1,"NEUTRAL",IIf([SenderID]=2,"PASS",IIf([SenderID]=3,"FAIL",IIf([SenderID]=4,"SFAIL",IIf([SenderID]=5,"NONE",IIf([SenderID]=-2147483641,"PERM_ERR",IIf([SenderID]=-2147483642,"TEMP_ERR",[SenderID])))))))”
  3. Click OK and Drag&Drop the newly created SID field into your column headings.  You can hide the original SenderID field now by dragging it out of the column headings.
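
As an added illustration (not code from the original post or from Exchange), the Python sketch below turns a published record and the connecting IP into one of the results above, the gateway action from the first table, and the signed number that the Outlook column and formula use. It is simplified: only the ip4, ip6 and all mechanisms are evaluated, the function names are hypothetical, and the sample record is constructed from documentation addresses.

```python
import ipaddress

# Numeric codes from the page's table for MAPI property 0x40790003.
STATUS_CODES = {"NEUTRAL": 0x1, "PASS": 0x2, "FAIL": 0x3, "SOFT_FAIL": 0x4,
                "NONE": 0x5, "TEMP_ERROR": 0x80000006, "PERM_ERROR": 0x80000007}
QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFT_FAIL", "?": "NEUTRAL"}
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # constructed


def evaluate(record, client_ip):
    """Evaluate a TXT record (or None) against the connecting IP address.

    Simplified: mechanisms that need further DNS lookups (include, a, mx,
    ...) and modifiers are skipped rather than resolved.
    """
    if not record or not record.lower().startswith(("v=spf1", "spf2.0/")):
        return "NONE"                       # no Sender ID record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PERM_ERROR"         # record cannot be interpreted
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "NEUTRAL"                        # nothing matched and no "all"


def gateway_action(result, fail_action="Reject"):
    """Per the first table, only FAIL can be rejected or deleted."""
    return fail_action if result == "FAIL" else "Stamp and Continue"


def outlook_value(result):
    """Status code as the signed 32-bit integer used in the Outlook formula."""
    code = STATUS_CODES[result]
    return code - 0x100000000 if code & 0x80000000 else code
```

The two error codes have the high bit set, which is why the formula above compares against negative numbers.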

 

Obviously, installing the form only makes sense if you have Exchange 2003 SP2 in your environment and have SenderID checks configured on your gateway.

 

- Konstantin Ryvkin


Comments (21)
  1. Chris says:

    Sounds good! When is sp2 going to be released???

  2. Jon Linde says:

    Excellent post – The author is clearly brilliant.

  3. Konstantin Ryvkin says:

    From what I’ve been hearing from the product group, SP2 is going to be released very soon. Stay tuned and visit http://www.microsoft.com/exchange

  4. Chris Williams says:

    You could expose the SCL property in the MIME header by editing a registry entry. This made it useful for handling post-IMF by systems that don’t work with MAPI properties.

    Is there some way to expose the SenderID result in the header as well?

  5. P Spain says:

    This is a great article.

    I have a problem however. After turning on Sender ID and following the instructions above there is nothing showing in the SID column. The SCL value is showing perfectly however.

    I’ve tried this on 3 servers from completely different companies (and domains).

    Any ideas?

  6. P Spain says:

    This is a great article.

    I have a problem however. After turning on Sender ID and following the instructions above there is nothing showing in the SID column. The SCL value is showing perfectly however.

    I’ve tried this on 3 servers from completely different companies (and domains).

    Any ideas?

  7. Lindemann says:

    I’m also having this issue. SCL is showing up, but the SID is not.

  8. Donaldson says:

    Same as the last 3 posters. I am not getting anything to show up in the column.

  9. Donaldson says:

    Just to update everyone, I installed the hotfix 905214 and I now am getting the SenderID values.

  10. Carlos says:

    Works on my workstation with no problem. Remember Sender ID must be enabled on the exchange server and a text record must be enabled thru your dns provider. I put text record with ultradns who handles my DNS

  11. Konstantin Ryvkin says:

    Carlos, thanks for the note about enabling SenderID. Yes, the above procedure simply visualizes the SenderID result that is stamped by the Exchange 2003 SP2 gateway.

    If your gateway is not enabled with SenderID checks yet – the output of the form will be blank.

    You can configure SenderID in the global settings and then enable it in the properties of SMTP Virtual Server.

    Also don’t forget SenderID specific counters that give the SenderID statistics in perfmon.

  12. Tim Gowen says:

    The problem I have is that I’d like to reject Soft Fails as well as Fails, and there doesn’t seem to be a way to do that with the Message Filter as it’s implemented here.

  13. RuneFlo says:

    hotfix 905214 applied. Still no Sender ID filtering, but I get the following event in the application log:

    Event Type: Error

    Event Source: MSExchangeTransport

    Event Category: SMTP Protocol

    Event ID: 7518

    Date: 10.11.2005

    Time: 09:23:44

    User: N/A

    Computer: GOGO

    Description:

    Sender Id must be configured with a list of trusted mail servers before it can be enabled.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ————-

    What is this "list of trusted mail servers"?

    Where should they be entered?

    BTW. Single Exchange server, no GW. domain (iku.sintef.no)

  14. Omar says:

    I have Win2k server, with Exch2003sp2, and my sender id is blank also. Can’t run the hot fix because it’s only for w2k3.

  15. Konstantin Ryvkin says:

    Rune,

    Sender ID uses RFC2822 Received header parsing to get to the IP address of the server that submitted mail to the organization. This allows SenderID to be enforced at the server that is not the outermost SMTP stack facing the Internet.

    To parse the Received headers adequately you can only do it within the realm of your "trusted network" (designated IP range). You can configure it at the Global Settings–>Message Delivery (Properties)–>General Tab–>perimeterIPList Add.

    In your single server environment you still need to configure this trusted list – it will just include the IPs of your server itself.

    THT

    Kostya
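
The idea in the reply above, walking the Received headers and skipping hops that belong to the configured perimeter list, can be sketched as follows. This is an added example, not Exchange's implementation and not part of the original comment; the function name, regular expression and sample message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed IPv4 literal, as MTAs usually write the peer address.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: the oldest Received line is supplied by the sender.
SAMPLE = (
    "Received: from screener.corp.example ([10.0.0.5])\n"
    "\tby frontend.corp.example; Thu, 10 Nov 2005 09:23:44 +0100\n"
    "Received: from mail.sender.example ([203.0.113.9])\n"
    "\tby screener.corp.example; Thu, 10 Nov 2005 09:23:43 +0100\n"
    "Received: from trusted.partner.example ([192.0.2.1])\n"
    "\tby mail.sender.example; Thu, 10 Nov 2005 09:23:40 +0100\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def submitting_ip(raw_message, perimeter):
    """Return the newest Received-header IP that is outside `perimeter`.

    Headers are read newest first. Hops inside the perimeter list are our own
    relays and are skipped; the walk stops at the first outside address,
    because every header below it was supplied by the sender.
    """
    trusted = [ipaddress.ip_network(p) for p in perimeter]
    for header in message_from_string(raw_message).get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if not match:
            continue                # no bracketed address in this header
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:          # e.g. [999.1.1.1]
            continue
        if not any(ip in net for net in trusted):
            return str(ip)
    return None                     # every hop was inside the perimeter
```

With an empty perimeter list the function returns the internal relay's private address, so every message would be checked against the wrong IP; listing the relay's range yields the Internet host that actually submitted the mail.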

  16. Param says:

    Now that I have SP2, I have a few questions:-

    1. How do I create the SPF DNS records for my domains? I have an exchange sp2 server that hosts email for about 15 domains. DNS is controlled at register.com. Any ideas? I don’t think register.com’s control panel specifically has any settings for SPF.

    2. I also have a remote network at my datacenter that has an smtp server that sends out email (outbound only). Can I add that to any type of safe list?

    3. What happens if a recipient’s email server does not support sender-id? Will my email fail?

    Thanks a bunch!

  17. Exchange says:

    Param,

    To create SPF records, you can use a wizard such as this one:

    http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx

    I am not 100% sure I understand your question #2; but I think you’d be better off asking that one in our Newsgroups.

    On question #3 – no, your email will go through, as the destination server will not even check.

  18. BigFunkyChief says:

    I’m wondering if anyone has run any tests to find out how many legitimate domains actually use an SPF record. I would like to set my SenderID filtering to delete, but I’m worried that there are many legit domains that are not using this technology, and we’d drop a lot.

    I’m going to test it over the next few weeks, but wanted to see if anyone had any feedback on this.

  19. Andy says:

    Hello, I’m thinking on Sender ID in infrastructure based on:

    Msg. Screener ->Exchange Front-end -> Exchange back-end cluster

    It uses split brain DNS. Public and private. All LAN servers (also Exchange) use private DNS with forwarding option.

    I can publish also public TXT records in my private DNS, and it can work I think

    My own domain’s TXT records are enough in private DNS.

    The problem is Message Screener:-(

    In such scenario I cannot use blacklists of SMTP servers on Exchange front-end, because all mails come from Msg. Screener server (private address). They have common, private IP address of sending SMTP server.

    Is it possible to use Sender ID in above configuration?

    Do I remove Message Screener and simply publish Exchange to work with Sender ID?

    Thanks.

  20. Anonymous says:

    Useful links: Protecting collaborative messaging ======================================= You

  21. Anonymous says:

    Following my session with Christophe Vallée at Microsoft TechDays, here are some useful resources on

Comments are closed.
