Determining Inbound and Outbound Mail Flow

Hello. My name is Anthony and I am a tester working on Forefront at the Long Island facility. I was asked to write a little bit about mail direction. Before I started working on this product I guess I didn’t think very much about what direction an email was flowing. As it turns out, the security of your company could depend on it.

Why is the direction an email is traveling important? People are concerned with email direction for two reasons:

1. Filters can be set based on the direction of an email. For example, you may want to filter all inbound emails with a .zip file attachment.

2. Notifications can be sent based on the direction of an email. Suppose an infected email is inbound. Forefront can automatically send a reply back to the sender stating that a virus was received from them. Please cut it out.

How is direction determined? Forefront uses a complex set of rules to determine the direction of an email. For all you hackers thinking that I am going to explain all the rules, forget it. I’m not going to give away that much. I will say this: determining direction is a two-phase process. First, Forefront tries to determine if the email is “Inbound” or “Not Inbound”. Basically, it does this by traversing the Received header chain of the MIME message. Directionality is determined by comparing the entries in the Received header chain with what is in both the SMTP External Hosts list and the Internal Address list. Forefront can also perform what is called a Reverse DNS Lookup on the entries in the Received header chain to verify their authenticity. Because a MIME header can easily be spoofed, Forefront will attempt to verify that an IP address in the header matches the host name it claims to come from. This process is a fairly large performance hit, so many users choose to turn it off.

Let’s look at an example:

An email comes in and the first thing we do is look at the received header chain. Forefront asks itself a question. Is any IP in the Received Header Chain also in the SMTP External Hosts list? If the answer is yes, then the email is considered Inbound.

Let’s go a step further:

Let’s say the answer to the above question was no. We would then do some comparisons to what is in the Internal Address list. Forefront asks itself the following question. Does any entry in the Received Header Chain contain a domain that is not in the Internal Address list? If the answer is no, then the email is considered Not Inbound.

After Forefront has determined whether an email is Inbound or Not Inbound, it will try to determine if it is outbound or not. Outbound determination is based on one question. Is the recipient of the email on the Internal Address list? If it is, then the email is Not Outbound, otherwise it is Outbound.

If an email is not inbound and not outbound, then it is considered Internal.
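The two phases above, worked through as an added Python example. This is not Forefront’s code and does not reproduce its full rule set or the Reverse DNS Lookup; the host lists, the sample messages, the treatment of a “yes” answer to the second Inbound question, and the multi-recipient rule are all assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed configuration (assumption, not a real deployment): SMTP External
# Hosts = Internet-facing edge MTAs; Internal Address list = domains the org owns.
SMTP_EXTERNAL_HOSTS = {"203.0.113.10"}
INTERNAL_ADDRESS_LIST = {"contoso.example"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)

def in_internal_list(domain, internal):
    # A host or address domain counts as internal if it is, or sits under, a listed domain.
    d = domain.lower()
    return any(d == i or d.endswith("." + i) for i in internal)

def is_inbound(received, external_hosts, internal):
    # Phase 1, Q1: is any IP in the Received chain also in the SMTP External Hosts list?
    if any(ip in external_hosts for hop in received for ip in IP_RE.findall(hop)):
        return True
    # Q2: does any hop name a domain not in the Internal Address list? "No" means
    # Not Inbound; "yes" is treated here as Inbound (assumption, the post stops at "no").
    return any(not in_internal_list(h, internal)
               for hop in received for h in HOST_RE.findall(hop))

def is_outbound(recipients, internal):
    # Phase 2: recipient on the Internal Address list -> Not Outbound, else Outbound.
    # Assumption: one external recipient among several makes the message Outbound.
    return any(not in_internal_list(addr.rpartition("@")[2], internal) for _, addr in recipients)

def direction(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    inbound = is_inbound(received, SMTP_EXTERNAL_HOSTS, INTERNAL_ADDRESS_LIST)
    outbound = is_outbound(recipients, INTERNAL_ADDRESS_LIST)
    if not inbound and not outbound:
        return "Internal"
    return "+".join(name for name, on in (("Inbound", inbound), ("Outbound", outbound)) if on)

# Constructed sample messages (not real traffic); Received headers are folded as on the wire.
INBOUND_MSG = ("Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
               " by edge.contoso.example (203.0.113.10) with ESMTP; Tue, 1 Jan 2008 10:00:00 +0000\n"
               "From: alice@example.net\nTo: bob@contoso.example\nSubject: hi\n\nbody\n")
INTERNAL_MSG = ("Received: from wks01.contoso.example (10.0.0.5)\n"
                " by hub.contoso.example (10.0.0.2) with ESMTP; Tue, 1 Jan 2008 10:00:00 +0000\n"
                "From: bob@contoso.example\nTo: carol@contoso.example\nSubject: hi\n\nbody\n")
OUTBOUND_MSG = INTERNAL_MSG.replace("To: carol@contoso.example", "To: dave@example.org")
```

Because the two phases are decided independently, a message relayed in from the edge host and addressed to an outside recipient comes out as both Inbound and Outbound rather than as one or the other.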

There are many more rules to follow when determining email direction, but I hope that this has given you a little insight into the process. I am sure that you will have some questions (I still do). So don’t be shy. Please post any questions you may have concerning In/Out Determination or any other Forefront topic here on the TechNet forums.

Anthony Sena

Test Engineer

Forefront Server Security