Configuring and enabling Sender ID filtering in Exchange 2003 SP2

by [Published on 1 Nov. 2005 / Last Updated on 1 Nov. 2005]

Now that the wait is over and Exchange 2003 SP2 has been released, I think it’s a good time to take a closer look at some of the new features in the service pack. In this article I’ll explain the purpose and benefits of enabling Sender ID filtering in Exchange 2003 SP2, as well as show you how to configure this feature.

Introduction

As many of you already know Sender ID is an e-mail industry initiative invented by Microsoft and a few other industry leaders. The purpose of Sender ID is to help counter spoofing, which is the number one deceptive practice used by spammers. Sender ID works by verifying every e-mail message indeed originates from the Internet domain from which it was sent. This is accomplished by checking the address of the server sending the mail against a registered list of servers that the domain owner has authorized to send e-mail.

In Figure 1 below I’ve tried to illustrate a very basic SPF scenario.


Figure 1: How SPF works

Sender ID can be implemented on an Internet facing Exchange server located directly in the perimeter network (aka DMZ, demilitarized zone or screened subnet), or behind another type of SMTP server such as Sendmail.

Configuring the Sender ID Filter

When Exchange 2003 SP2 has been applied, the Sender ID options can be found by taking Properties of the Message Delivery object under Global Settings in the Exchange System Manager console.


Figure 2: Properties of the Message Delivery object in ESM


Figure 3: IP addresses of the servers handling incoming SMTP mail in your organization

As you can see the content of the General tab has been changed a bit, we now have the option of specifying the IP addresses of any server in our perimeter network (aka DMZ, demilitarized zone or screened subnet), as well as the range of IP addresses within our organization. We’ll get back to the option under this tab later.

Let’s click the Sender ID Filtering tab (see Figure 4). This is where you specify how the server should handle messages that fail Sender ID validation.

Note
Before you enable Sender ID you should make sure that you have applied the hotfix mentioned in MS KB article: 905214 - Windows Server 2003 may stop responding when you enable Sender ID filtering on an SMTP virtual server in Exchange Server 2003 SP2. If you’re running Exchange Server 2003 with SP2 on a Windows 2000 based server it’s only possible to get the required hotfix if you have an extended support contract. If this is the case you should contact your Microsoft account representative for information about obtaining the hotfix for Windows 2000 Server.


Figure 4: Sender ID modes

As you can see in Figure 4 above Sender ID can work in 3 different modes, I have listed each of them with a short description in Table 1 below.

Sender ID modes

Description

Accept (default)

This option should be used if you want the Sender ID filter to stamp the validation results to the message and be processed by further anti-spam processing, such as intelligent message filtering. Note that this is the default option.

Delete

This option should be used if you want the Sender ID filter to accept the mail and then delete it without sending the non-delivery report (NDR) to the user.

Reject

This option should be used if you want the Sender ID filter to reject the mail on the SMTP protocol level and issue an NDR message to the user. Specifically, the sending server is responsible for generating an NDR.

Table 1: Sender ID modes

Bear in mind that even though you choose the Accept mode, the messages will be stamped with the Sender ID status (a message property) which will be passed to the next filter, typically the Intelligent Message Filter, which then will take the Sender ID result (contained in the message property) into account when triggering the appropriate Spam Confidence Level (SCL) score.

Note
Some of you may know the SCL score which the Intelligent Message Filter stamps on each message can be exposed in Outlook 2003 (for instructions see this post on the MS Exchange team blog). The cool thing is you can use a similar method when dealing with Sender ID results added to the messages, for instructions see this post, also on the MS Exchange team blog.

Enabling the Sender ID Filter

As is also the case with the other Exchange filtering features, you need to enable Sender ID filtering under the default SMTP virtual server, as can be seen in Figure 5 below. You only have to enable Sender ID filtering on any Exchange server accepting mail from the Internet, or on the first Exchange server located behind another type of Internet facing SMTP server such as SendMail or whatever is used in your particular organization.


Figure 5: Enabling the Sender ID filter

When you enable Apply Sender ID Filter you’ll receive the message shown in Figure 6, so if you haven’t already done so you should go set the appropriate option under the Sender ID filtering tab shown back in Figure 4.


Figure 6: Warning Message when enabling Sender ID Filter

If you enable Sender ID filtering on an Exchange server behind the perimeter network (aka DMZ, demilitarized zone or screened subnet), you should also make sure you specify the IP addresses of the servers in your internal network that you want to be excluded from Sender ID filtering. This is done by clicking the Add button under the General tab (Figure 3).

Sender ID Results

Sender ID can provide several different results; I’ve listed each of them as well as a short description and the action taken in Table 2 below.

Sender ID Result

Description

Action taken

Neutral

Domain is neutral (makes no decision about IP address)

Stamp and Accept

Pass (+)

IP address permitted

Stamp and Accept

Fail (-)

 - Domain doesn’t exist
 - Sender isn’t permitted
 - Malformed domain
 - No PRA (Purported Responsible    Address) in header

IP address not permitted

Stamp and Accept then either Delete or Reject

Soft Fail (~)

IP address not permitted

Stamp and Accept

None

No SPF record published for the domain

Stamp and Accept

TempError

Transient error (could be unreachable DNS server)

Stamp and Accept

Perm Error

Possible error in record, so couldn’t be read correctly

Stamp and Accept

Table 2: Sender ID Results


Monitoring Sender ID Filtering

Sender ID also adds several performance counters to your Exchange 2003 server, these can be found under a Performance object named MSExchange Sender ID. I’ve listed each Sender ID performance counter in Table 3 below.

Performance counter

Description

DNS Queries per Second

The number of DNS queries per second performed by Sender ID

Messages Missing Originating IP per Second

The number of messages per second for which the originating IP could not be determined

Messages Validated by Sender ID per Second

The number of messages validated by Sender ID per second

Message Validated per Second with a Fail – Malformed Domain Result

The number of messages validated per second with a result of Fail - Malformed Domain

Message Validated per Second with a Fail – Non-existent Domain Result

The number of messages validated per second with a result of Fail - Non-existent Domain

Message Validated per Second with a Fail Not – Permitted Result

The number of messages validated per second with a result of Fail - Not Permitted

Message Validated per Second with a Neutral Result

The number of messages validated per second with a result of Neutral

Message Validated per Second with a Pass Result

The number of messages validated per second with a result of None

Message Validated per Second with a PermError Result

The number of messages validated per second with a result of PermError

Message Validated per Second with a SoftFail Result

The number of messages validated per second with a result of SoftFail

Message Validated per Second with a TempError Result

The number of messages validated per second with a result of TempError

Messages with No PRA per Second

The number of messages per second that do not have a valid Purported Responsible Address

Total DNS Queries

The total number of DNS queries performed by Sender ID

Table 3: Sender ID Performance Counters

There’s also a Performance counter for total messages in addition to messages per second, but as they are identical there’s no reason to list them as well. To get an understanding of what’s going on behind the hood it’s a very good idea to take a closer look at each of these performance counters.


Figure 7:  Sender ID performance counter objects

Creating SPF records for you own domain(s)

As more and more organizations, with the release of Exchange 2003 SP2, will enable Sender ID filtering in their messaging environments, it would be wise to start think about creating SPF records for your own domain(s). To create your own SPF record(s) you can use this Sender ID Framework SPF Record Wizard which is shown in Figure 8 below.


Figure 8: Sender ID tool to create SPF records for your own domains

When the SPF record(s) have been created you just need to have it/them published on the DNS server hosting your domain. You can typically do this yourself by logging into the web-based admin page from where you administer your domains, or you can let your DNS provider to do it for you.

In order to check which IP addresses are allowed to send mail for a given domain you can use a wizard such as this one over at DNStuff.com, or open a command prompt and type nslookup –q=TXT domain.com. You should then be able to see the SPF record including the list of the IP addresses allowed to send e-mail messages for this domain.

Conclusion

Sender ID filtering in Exchange 2003 SP2 is a welcome addition in the fight against domain spoofing. Since the introduction of the Sender Policy Framework initiative many 3rd party antispam solutions have supported this feature, but not as many as we could have hoped for have created SPF records for their domains. Now that Sender ID filtering, with Exchange 2003 SP2, is a native feature in the Exchange product, let’s hope even more Exchange organizations around the world will take the time to enable Sender ID filtering in their environment and at least, just as important, create SPF records for their domains; otherwise the feature is more or less useless.

Related links

Sender ID Framework Overview: Verification System Aims to Reduce Spam and Increase Safety Online:
http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx

Sender ID Technology: Information for IT Professionals:
http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx

Sender ID Resources: Tools and Information About the Technology:
http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx

Sender ID Tool:
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx

You Had Me At EHLO... : Sender ID:
http://blogs.technet.com/exchange/archive/2005/10/13/412487.aspx

TechNet Webcast: A Comprehensive Look at Anti-Spam Technologies in Exchange 2003 SP2 (Level 300)
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032282012&EventCategory=5&culture=en-US&CountryCode=US

Advertisement

Featured Links