Thursday, October 13, 2005

Sender ID

This is a really cool extension for Outlook if you are working with SenderID.

You may already know that Exchange 2003 SP2 includes a new feature for SenderID support.  SenderID (http://www.microsoft.com/senderid) is the e-mail authentication framework that targets one of the most common security issues in the world of SMTP message transfer: spoofing.  In short, Sender ID allows the administrators of an e-mail domain to protect the identity of that domain by registering a special DNS record, also called an SPF record, that lists the hosts (IP addresses, names, etc.) that are authorized to send e-mail from that domain.  For example, the SPF record for the @microsoft.com e-mail domain lists about 20 authorized hosts. You can preview the record by running “nslookup -q=TXT microsoft.com” and then “nslookup -q=TXT _spf.microsoft.com”.

 

So Exchange 2003 SP2 can query Internet DNS for the SenderID/SPF records of the domain named as the sender domain in an e-mail message and then, depending on the result of that check, take appropriate action on that message.  The action can range from blocking the message at the protocol level (for example, when the SenderID check returns the “Failed” status) to passing the message to the next layer of filtering, such as Intelligent Message Filter, which takes the SenderID check result into account when making its anti-spam analysis decisions.

 

To give you a taste of what the SenderID check can accomplish, let’s take a look at the following table of possible SenderID results that can be returned for a given message.  The three actions used in the table mean the following:

 

  • Stamp and Continue - means acknowledge message acceptance and use SenderID check result in further filtering (such as IMF anti-spam)
  • Reject – means respond with the 550 SMTP error code.   In this case the generation of the Non-Delivery Report (NDR) becomes the responsibility of the sending server.
  • Delete – means acknowledge message acceptance and then turf the message.

 

| Sender ID check result | Description | Sender ID Actions in E2K3 SP2 |
|---|---|---|
| Neutral (?) | Domain makes no assertion about the IP address | Stamp and Continue |
| Pass (+) | Client is authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| Fail (-): Sender Domain Does not Exist; Sender is not permitted; Malformed domain; No PRA found in the header | Client is explicitly NOT authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue -or- Reject -or- Delete |
| Soft Fail (~) | Client might not be authorized to send mail on behalf of the domain from a matching IP address | Stamp and Continue |
| None | No Sender ID records are published for this domain | Stamp and Continue |
| TempError | Receiving server encountered a transient error when performing the check | Stamp and Continue |
| PermError | The domain’s published records couldn’t be correctly interpreted | Stamp and Continue |



 

Probably the most interesting result is “Fail”, as it can prevent spoofed messages from ever entering your environment.  Note that the “Fail” SenderID result is also generated for messages that have a nonexistent domain as the sender!

 

The other SenderID check results are also helpful because they indicate varying degrees of trust in messages entering your environment, depending on whether they come from “authorized” or “prohibited” IP addresses.
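How a receiving server gets from a published record and a connecting IP address to the results discussed above, as an added sketch (not Exchange's code and not part of the original post). The function name `check_host`, the `ZONE` dictionary and the example domains are assumptions constructed here; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, and PRA extraction and the sender-domain existence check are not modelled.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (documentation-range IPs).
ZONE = {
    "example.com": "v=spf1 include:_spf.example.com ip4:198.51.100.25 ~all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "strict.example": "spf2.0/pra ip4:203.0.113.7 -all",
    "broken.example": "v=spf1 ip4:not-an-ip -all",
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the check result for `ip` sending mail as `domain`."""
    record = zone.get(domain)
    if record is None:
        return "None"                      # no record published
    version, *terms = record.split()
    if not (version == "v=spf1" or version.startswith("spf2.0/")) or depth > 10:
        return "PermError"                 # unreadable record or include loop
    addr = ipaddress.ip_address(ip)
    for term in terms:                     # first matching mechanism decides
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"         # record cannot be interpreted
        elif name == "include":
            nested = check_host(ip, arg, zone, depth + 1)
            if nested in ("TempError", "PermError"):
                return nested
            if nested == "None":
                return "PermError"         # include target has no record
            matched = nested == "Pass"     # only a nested Pass counts as a match
        else:
            return "PermError"             # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.99", "example.com"),
                    ("203.0.113.99", "strict.example"), ("192.0.2.1", "broken.example")]:
        print(ip, dom, check_host(ip, dom))
```

The two-level `example.com` / `_spf.example.com` layout mirrors the two nslookup queries mentioned earlier: the top-level record delegates its host list through `include`.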

 

While all of the above is interesting, some people (such as e-mail administrators) may want to see the SenderID result for messages sitting in their mailbox.  This can be used for troubleshooting or testing purposes, or perhaps for building client-side rules that take the SenderID check into account.  It turns out that this becomes possible with a few simple steps.  When Exchange 2003 SP2 evaluates the SenderID status of a message, the result is added to the message as a mailmsg property and persists from Exchange Server to Exchange Server inside the X-EXCH50 blob.  When the message arrives at the mailbox server, the Sender ID status is converted to a server-side MAPI property.

 

In the next steps we’ll try to visualize this MAPI property (0x40790003) in our Outlook 2003 client.  While there are multiple ways of doing it, let’s follow the approach that some of you may have used for visualizing the SCL value in Outlook (http://blogs.technet.com/exchange/archive/2004/05/26/142607.aspx).

Copy the text below into a new text file named SenderID.CFG (in the same location as the .ICO files, usually Program Files\Microsoft Office\Office11\forms\language ID).

;**********The CFG file**********
[Description]
MessageClass=IPM.Note.SenderID
CLSID={00020D0C-0000-0000-C000-000000000046}
DisplayName=SenderID Extension Form
Category=Standard
Subcategory=Form
Comment=This forms allows the SenderID to be viewed in a column in Outlook
LargeIcon=IPML.ico
SmallIcon=IPMS.ico
Version=1.0
Locale=enu
Hidden=1
Owner=Microsoft Corporation

[Platforms]
Platform1=Win16
Platform2=NTx86
Platform9=Win95

[Platform.Win16]
CPU=ix86
OSVersion=Win3.1

[Platform.NTx86]
CPU=ix86
OSVersion=WinNT3.5

[Platform.Win95]
CPU=ix86
OSVersion=Win95

[Properties]
Property01=SenderID

; Type=3 (PT_LONG) plus NmidInteger=0x4079 gives the MAPI property 0x40790003
[Property.SenderID]
Type=3
;NmidString=PR_SENDER_ID_STATUS
NmidInteger=0x4079
DisplayName=SenderID

[Verbs]
Verb1=1

[Verb.1]
DisplayName=&Open
Code=0
Flags=0
Attribs=2

[Extensions]
Extensions1=1

[Extension.1]
Type=30
NmidPropset={00020D0C-0000-0000-C000-000000000046}
NmidInteger=1
Value=1000000000000000
;**********END CFG

  1. Go into Tools | Options | Other | Advanced Options | Custom Forms | Manage Forms. Hit the Install button, and choose SenderID.CFG …install into your Personal Forms Library
  2. Hit OK several times to return to the main Outlook screen
  3. Right-click on the Column headings in your Inbox (or any other folder) and choose "Field Chooser"
  4. Pull-down the scroll-bar and choose "Forms…"
  5. Set focus to your Personal Forms, choose the SenderID Extension Form, then click Add
  6. Drag and drop the SenderID property into your column headings …and voila, you now should see the SenderID status for messages that come from the Internet through your Exchange 2003 SP2 gateway.

 

Now you are able to correlate the numeric status code to the SenderID result using the following table:

| Sender_ID Result | Numeric Code |
|---|---|
| NEUTRAL | 0x1 |
| PASS | 0x2 |
| FAIL | 0x3 |
| SOFT_FAIL | 0x4 |
| NONE | 0x5 |
| TEMP_ERROR | 0x80000006 |
| PERM_ERROR | 0x80000007 |



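As the last step, for those of us who prefer labels instead of numbers, Outlook allows you to create custom fields based on a formula.  The two error codes have the high bit set, so as signed 32-bit values they are -2147483642 (TEMP_ERROR) and -2147483641 (PERM_ERROR), which is what the formula below tests for.  To create the field, follow these steps.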

  1. Right-click on the Column headings in your folder where you enabled SenderID field and choose "Field Chooser"
  2. In the Field Chooser, click New.  Type SID as the field name and use Formula as the Type.  In the Formula field, copy and paste the following (without the outer quotation marks):
    1. “IIf([SenderID]=1,"NEUTRAL",IIf([SenderID]=2,"PASS",IIf([SenderID]=3,"FAIL",IIf([SenderID]=4,"SFAIL",IIf([SenderID]=5,"NONE",IIf([SenderID]=-2147483641,"PERM_ERR",IIf([SenderID]=-2147483642,"TEMP_ERR",[SenderID])))))))”
  3. Click OK and drag and drop the newly created SID field into your column headings.  You can hide the original SenderID field now by dragging it out of the column headings.

 

Obviously, installing the form only makes sense if you have Exchange 2003 SP2 in your environment and have SenderID checks configured on your gateway.

 

- Konstantin Ryvkin
