http://www.msexchange.org/tutorials/Configuring-enabling-Sender-ID-filtering-Exchange-2003-SP2.html
Introduction
As many of you already know Sender ID is an e-mail industry
initiative invented by Microsoft and a few other industry leaders. The
purpose of Sender ID is to help counter spoofing, which is the number
one deceptive practice used by spammers. Sender ID works by verifying
every e-mail message indeed originates from the Internet domain from
which it was sent. This is accomplished by checking the address of the
server sending the mail against a registered list of servers that the
domain owner has authorized to send e-mail.
In Figure 1 below I’ve tried to illustrate a very basic SPF scenario.
Figure 1: How SPF works
Sender ID can be implemented on an Internet facing Exchange server
located directly in the perimeter network (aka DMZ, demilitarized zone
or screened subnet), or behind another type of SMTP server such as
Sendmail.
Configuring the Sender ID Filter
When Exchange 2003 SP2 has been applied, the Sender ID options can be found by taking Properties of the Message Delivery object under Global Settings in the Exchange System Manager console.
Figure 2: Properties of the Message Delivery object in ESM
Figure 3: IP addresses of the servers handling incoming SMTP mail in your organization
As you can see the content of the General tab has been
changed a bit, we now have the option of specifying the IP addresses of
any server in our perimeter network (aka DMZ, demilitarized zone or
screened subnet), as well as the range of IP addresses within our
organization. We’ll get back to the option under this tab later.
Let’s click the Sender ID Filtering tab (see Figure 4). This is where you specify how the server should handle messages that fail Sender ID validation.
Note
Before you enable Sender ID you should make sure that you have applied the hotfix mentioned in MS KB article: 905214
- Windows Server 2003 may stop responding when you enable Sender ID
filtering on an SMTP virtual server in Exchange Server 2003 SP2. If
you’re running Exchange Server 2003 with SP2 on a Windows 2000 based
server it’s only possible to get the required hotfix if you have an
extended support contract. If this is the case you should contact your
Microsoft account representative for information about obtaining the
hotfix for Windows 2000 Server.
Figure 4: Sender ID modes
As you can see in Figure 4 above Sender ID can work in 3 different modes, I have listed each of them with a short description in Table 1 below.
|
Sender ID modes |
Description |
|
Accept (default) |
This option should be used if you want the Sender ID filter to stamp
the validation results to the message and be processed by further
anti-spam processing, such as intelligent message filtering. Note that
this is the default option. |
|
Delete |
This option should be used if you want the Sender ID filter to
accept the mail and then delete it without sending the non-delivery
report (NDR) to the user. |
|
Reject |
This option should be used if you want the Sender ID filter to
reject the mail on the SMTP protocol level and issue an NDR message to
the user. Specifically, the sending server is responsible for
generating an NDR. |
Table 1: Sender ID modes
Bear in mind that even though you choose the Accept mode, the
messages will be stamped with the Sender ID status (a message property)
which will be passed to the next filter, typically the Intelligent
Message Filter, which then will take the Sender ID result (contained in
the message property) into account when triggering the appropriate Spam
Confidence Level (SCL) score.
Note
Some of you may know the SCL score which the
Intelligent Message Filter stamps on each message can be exposed in
Outlook 2003 (for instructions see this
post on the MS Exchange team blog). The cool thing is you can use a
similar method when dealing with Sender ID results added to the
messages, for instructions see this post, also on the MS Exchange team blog.
Enabling the Sender ID Filter
As is also the case with the other Exchange filtering features, you
need to enable Sender ID filtering under the default SMTP virtual
server, as can be seen in Figure 5 below. You only have to enable
Sender ID filtering on any Exchange server accepting mail from the
Internet, or on the first Exchange server located behind another type
of Internet facing SMTP server such as SendMail or whatever is used in
your particular organization.
Figure 5: Enabling the Sender ID filter
When you enable Apply Sender ID Filter you’ll receive the message shown in Figure 6, so if you haven’t already done so you should go set the appropriate option under the Sender ID filtering tab shown back in Figure 4.
Figure 6: Warning Message when enabling Sender ID Filter
If you enable Sender ID filtering on an Exchange server behind the
perimeter network (aka DMZ, demilitarized zone or screened subnet), you
should also make sure you specify the IP addresses of the servers in
your internal network that you want to be excluded from Sender ID
filtering. This is done by clicking the Add button under the General tab (Figure 3).
Sender ID Results
Sender ID can provide several different results; I’ve listed each of
them as well as a short description and the action taken in Table 2 below.
|
Sender ID Result |
Description |
Action taken |
|
Neutral |
Domain is neutral (makes no decision about IP address) |
Stamp and Accept |
|
Pass (+) |
IP address permitted |
Stamp and Accept |
|
Fail (-)
- Domain doesn’t exist
- Sender isn’t permitted
- Malformed domain
- No PRA (Purported Responsible Address) in header |
IP address not permitted |
Stamp and Accept then either Delete or Reject |
|
Soft Fail (~) |
IP address not permitted |
Stamp and Accept |
|
None |
No SPF record published for the domain |
Stamp and Accept |
|
TempError |
Transient error (could be unreachable DNS server) |
Stamp and Accept |
|
Perm Error |
Possible error in record, so couldn’t be read correctly |
Stamp and Accept |
Table 2: Sender ID Results
Monitoring Sender ID Filtering
Sender ID also adds several performance counters to your Exchange
2003 server, these can be found under a Performance object named MSExchange Sender ID. I’ve listed each Sender ID performance counter in Table 3 below.
|
Performance counter |
Description |
|
DNS Queries per Second |
The number of DNS queries per second performed by Sender ID |
|
Messages Missing Originating IP per Second |
The number of messages per second for which the originating IP could not be determined |
|
Messages Validated by Sender ID per Second |
The number of messages validated by Sender ID per second |
|
Message Validated per Second with a Fail – Malformed Domain Result |
The number of messages validated per second with a result of Fail - Malformed Domain |
|
Message Validated per Second with a Fail – Non-existent Domain Result |
The number of messages validated per second with a result of Fail - Non-existent Domain |
|
Message Validated per Second with a Fail Not – Permitted Result |
The number of messages validated per second with a result of Fail - Not Permitted |
|
Message Validated per Second with a Neutral Result |
The number of messages validated per second with a result of Neutral |
|
Message Validated per Second with a Pass Result |
The number of messages validated per second with a result of None |
|
Message Validated per Second with a PermError Result |
The number of messages validated per second with a result of PermError |
|
Message Validated per Second with a SoftFail Result |
The number of messages validated per second with a result of SoftFail |
|
Message Validated per Second with a TempError Result |
The number of messages validated per second with a result of TempError |
|
Messages with No PRA per Second |
The number of messages per second that do not have a valid Purported Responsible Address |
|
Total DNS Queries |
The total number of DNS queries performed by Sender ID |
Table 3: Sender ID Performance Counters
There’s also a Performance counter for total messages in addition to
messages per second, but as they are identical there’s no reason to
list them as well. To get an understanding of what’s going on
behind the hood it’s a very good idea to take a closer look at each of
these performance counters.
Figure 7: Sender ID performance counter objects
Creating SPF records for you own domain(s)
As more and more organizations, with the release of Exchange 2003
SP2, will enable Sender ID filtering in their messaging environments,
it would be wise to start think about creating SPF records for your own
domain(s). To create your own SPF record(s) you can use this Sender ID Framework SPF Record Wizard which is shown in Figure 8 below.
Figure 8: Sender ID tool to create SPF records for your own domains
When the SPF record(s) have been created you just need to have
it/them published on the DNS server hosting your domain. You can
typically do this yourself by logging into the web-based admin page
from where you administer your domains, or you can let your DNS
provider to do it for you.
In order to check which IP addresses are allowed to send mail for a given domain you can use a wizard such as this one over at DNStuff.com, or open a command prompt and type nslookup –q=TXT domain.com. You
should then be able to see the SPF record including the list of the IP
addresses allowed to send e-mail messages for this domain.
Conclusion
Sender ID filtering in Exchange 2003 SP2 is a welcome addition in
the fight against domain spoofing. Since the introduction of the Sender Policy Framework initiative many 3rd
party antispam solutions have supported this feature, but not as many
as we could have hoped for have created SPF records for their domains.
Now that Sender ID filtering, with Exchange 2003 SP2, is a native
feature in the Exchange product, let’s hope even more Exchange
organizations around the world will take the time to enable Sender ID
filtering in their environment and at least, just as important, create
SPF records for their domains; otherwise the feature is more or less
useless.
Related links
Sender ID Framework Overview: Verification System Aims to Reduce Spam and Increase Safety Online:
http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx
Sender ID Technology: Information for IT Professionals:
http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx
Sender ID Resources: Tools and Information About the Technology:
http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx
Sender ID Tool:
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
You Had Me At EHLO... : Sender ID:
http://blogs.technet.com/exchange/archive/2005/10/13/412487.aspx
TechNet Webcast: A Comprehensive Look at Anti-Spam Technologies in Exchange 2003 SP2 (Level 300)
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032282012&EventCategory=5&culture=en-US&CountryCode=US
