You may already know that Exchange 2003 SP2 includes a new feature: SenderID support. SenderID (http://www.microsoft.com/senderid) is an e-mail authentication framework that targets one of the most common security issues in the world of SMTP message transfer: spoofing. In short, SenderID allows the administrators of an e-mail domain to protect the identity of that domain by registering a special DNS record, also called an SPF record, that lists the hosts (IP addresses, names, etc.) that are authorized to send e-mail from that domain. For example, the SPF record for the @microsoft.com e-mail domain lists about 20 authorized hosts. You can view the record by running "nslookup -q=TXT microsoft.com" and then "nslookup -q=TXT _spf.microsoft.com".
Exchange 2003 SP2 can query Internet DNS for the SenderID/SPF records of the domain given as the sender domain in an e-mail message and then, depending on the result of that check, take appropriate action on that message. The action can range from blocking the message at the protocol level (for example, when the SenderID check returns the "Failed" status) to passing the message to the next layer of filtering, such as Intelligent Message Filter, which takes the SenderID check result into account when making its anti-spam analysis decisions.
To give you a taste of what the SenderID check can accomplish, let's take a look at the following table of possible SenderID results that can be returned for a given message. The actions named in the table are:
- Stamp and Continue - means acknowledge message acceptance and use the SenderID check result in further filtering (such as IMF anti-spam).
- Reject - means respond with the 550 SMTP error code. In this case the generation of the Non-Delivery Report (NDR) becomes the responsibility of the sending server.
- Delete - means acknowledge message acceptance and then turf the message.
| Sender ID check result | Description | Sender ID Actions in E2K3 SP2 |
|---|---|---|
| Neutral (?) | Domain makes no assertion about the IP address | Stamp and Continue |
| Pass (+) | Client is authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| Fail (-) - Sender Domain Does not Exist - Sender is not permitted - Malformed domain - No PRA found in the header | Client is explicitly NOT authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue -or- Reject -or- Delete |
| Soft Fail (~) | Client might not be authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| None | No Sender ID records are published for this domain | Stamp and Continue |
| TempError | Receiving server encountered a transient error when performing the check | Stamp and Continue |
| PermError | The domain's published records couldn't be correctly interpreted | Stamp and Continue |
Probably the most interesting is the "Fail" SenderID check result, as it has the capability to prevent spoofed messages from ever entering your environment. Note that a "Fail" SenderID result is also generated for messages that have a non-existent domain as the sender!
The other SenderID check results are also helpful because they show the varying degree of trust that you have for messages entering your environment, depending on whether they come from "authorized" or "prohibited" IPs.
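How a published record and a connecting IP address turn into the results in the table can be shown with a small evaluator. This is an added example, not Exchange's implementation and not code from the original post: the `ZONE` records and `check_host` are constructed for illustration, only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, and PRA selection and the domain-existence check are not modelled.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (reserved example names).
ZONE = {
    "example.com": "v=spf1 include:_spf.example.com ip4:198.51.100.0/24 ~all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "broken.example": "v=spf1 ipv4:192.0.2.1 -all",   # misspelled mechanism
}
# Qualifier -> result name, using the symbols from the table above.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Soft Fail", "?": "Neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate terms left to right; the first matching mechanism decides."""
    record = zone.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "None"                       # no record published
    if depth > 10:
        return "PermError"                  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is implied
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"          # unparsable network
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "Pass":             # only an inner Pass makes it match
                return QUALIFIERS[qualifier]
            if inner in ("None", "PermError"):
                return "PermError"
        else:
            return "PermError"              # term this sketch cannot interpret
    return "Neutral"                        # nothing matched and no "all"
```

An address that matches nothing in `example.com` ends at `~all` and gets Soft Fail, while the same address checked directly against `_spf.example.com` ends at `-all` and gets Fail.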
While all the above is interesting, some people (such as e-mail administrators) may want to see the SenderID result for messages sitting in their mailbox. This can be used for troubleshooting or testing purposes, or perhaps for building client-side rules that take the SenderID check into account. It turns out that with a few simple steps this becomes possible. When Exchange 2003 SP2 evaluates the SenderID status of the message, the result is added to the message as a mailmsg property and persists from Exchange Server to Exchange Server inside the X-EXCH50 blob. When the message arrives at the mailbox server, the SenderID status is converted to a server-side MAPI property.
In the next steps we’ll try to visualize this MAPI property (0x40790003) in our Outlook 2003 client. While there are multiple ways of doing it, let’s follow the approach that some of you may have used for visualizing the SCL value in Outlook. (http://blogs.technet.com/exchange/archive/2004/05/26/142607.aspx)
Copy the text below into a new text file named SenderID.CFG (in the same location as the .ICO files, usually Program Files\Microsoft Office\Office11\forms\language ID).
;**********The CFG file**********
[Description]
MessageClass=IPM.Note.SenderID
CLSID={00020D0C-0000-0000-C000-000000000046}
DisplayName=SenderID Extension Form
Category=Standard
Subcategory=Form
Comment=This forms allows the SenderID to be viewed in a column in Outlook
LargeIcon=IPML.ico
SmallIcon=IPMS.ico
Version=1.0
Locale=enu
Hidden=1
Owner=Microsoft Corporation
[Platforms]
Platform1=Win16
Platform2=NTx86
Platform9=Win95
[Platform.Win16]
CPU=ix86
OSVersion=Win3.1
[Platform.NTx86]
CPU=ix86
OSVersion=WinNT3.5
[Platform.Win95]
CPU=ix86
OSVersion=Win95
[Properties]
Property01=SenderID
[Property.SenderID]
Type=3
;NmidString=PR_SENDER_ID_STATUS
NmidInteger=0x4079
DisplayName=SenderID
[Verbs]
Verb1=1
[Verb.1]
DisplayName=&Open
Code=0
Flags=0
Attribs=2
[Extensions]
Extensions1=1
[Extension.1]
Type=30
NmidPropset={00020D0C-0000-0000-C000-000000000046}
NmidInteger=1
Value=1000000000000000
;**********END CFG
- Go into Tools | Options | Other | Advanced Options | Custom Forms | Manage Forms. Hit the Install button, and choose SenderID.CFG …install into your Personal Forms Library
- Hit OK several times to return to the main Outlook screen
- Right-click on the Column headings in your Inbox (or any other folder) and choose "Field Chooser"
- Pull-down the scroll-bar and choose "Forms…"
- Set focus to your Personal Forms, choose the SenderID Extension Form, then click Add
- Drag and drop the SenderID property into your column headings …and voila, you now should see the SenderID status for messages that come from the Internet through your Exchange 2003 SP2 gateway.
Now you are able to correlate the numeric status code to the SenderID result using the following table:
| Sender_ID Result | Numeric Code |
|---|---|
| NEUTRAL | 0x1 |
| PASS | 0x2 |
| FAIL | 0x3 |
| SOFT_FAIL | 0x4 |
| NONE | 0x5 |
| TEMP_ERROR | 0x80000006 |
| PERM_ERROR | 0x80000007 |
As the last step, for those of us who prefer labels instead of numbers, Outlook allows you to create custom fields based on a formula. To do that, follow these steps.
- Right-click on the Column headings in your folder where you enabled SenderID field and choose "Field Chooser"
- In the Field Chooser, click New. Type SID as the field name and use Formula as the Type. In the Formula field, copy and paste the following:

  IIf([SenderID]=1,"NEUTRAL",IIf([SenderID]=2,"PASS",IIf([SenderID]=3,"FAIL",IIf([SenderID]=4,"SFAIL",IIf([SenderID]=5,"NONE",IIf([SenderID]=-2147483641,"PERM_ERR",IIf([SenderID]=-2147483642,"TEMP_ERR",[SenderID])))))))

- Click OK and drag and drop the newly created SID field into your column headings. You can now hide the original SenderID field by dragging it out of the column headings.
Obviously, installing the form makes sense if you have Exchange 2003 SP2 in your environment and have SenderID checks configured on your gateway.
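The formula compares against negative numbers because the property is a signed 32-bit integer, so the table's 0x80000006 and 0x80000007 appear in Outlook as -2147483642 and -2147483641. The following added example (not part of the original post) splits the property tag, decodes either form of the code and picks out messages worth a second look; `SAMPLE` and the function names are constructed for illustration.

```python
import struct

PR_SENDER_ID_STATUS = 0x40790003            # property tag quoted in the post
PT_LONG = 0x0003                            # MAPI type: signed 32-bit integer

# Numeric code -> result, as listed in the post's table.
RESULTS = {0x1: "NEUTRAL", 0x2: "PASS", 0x3: "FAIL", 0x4: "SOFT_FAIL",
           0x5: "NONE", 0x80000006: "TEMP_ERROR", 0x80000007: "PERM_ERROR"}

# Constructed sample: (subject, SenderID column value as Outlook displays it).
SAMPLE = [("Invoice", 2), ("Password reset", 3), ("Newsletter", 4),
          ("Hello", 5), ("Status", -2147483642)]


def split_tag(tag):
    """Return (property id, property type) from a 32-bit MAPI property tag."""
    return tag >> 16, tag & 0xFFFF


def as_signed(value):
    """Reinterpret a 32-bit value as the signed integer a PT_LONG holds."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def decode_status(value):
    """Accept the signed or the unsigned form of the status code."""
    code = value & 0xFFFFFFFF               # e.g. -2147483642 -> 0x80000006
    return {"label": RESULTS.get(code, "UNKNOWN"), "hex": f"0x{code:X}",
            "signed": as_signed(code),
            # In the post's table both error results have the high bit set.
            "error": bool(code & 0x80000000)}


def needs_review(rows):
    """Subjects whose status is FAIL, SOFT_FAIL or an error result."""
    flagged = []
    for subject, value in rows:
        status = decode_status(value)
        if status["label"] in ("FAIL", "SOFT_FAIL") or status["error"]:
            flagged.append((subject, status["label"]))
    return flagged


if __name__ == "__main__":
    print(split_tag(PR_SENDER_ID_STATUS), needs_review(SAMPLE))
```

The tag splits into ID 0x4079 and type 3, which are the `NmidInteger=0x4079` and `Type=3` values in SenderID.CFG.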