EXC02 All About Sender ID - PowerPoint PPT Presentation

About This Presentation
Title:

EXC02 All About Sender ID

Description:

mx MX lookup for target name. ptr Reverse lookup for target name ... Will SPF records fit into UDP packet or cause TCP DNS lookup? Breaks forwarding ... – PowerPoint PPT presentation

Slides: 38
Provided by: erikr151
Tags: exc02 | lookup | reverse | sender


Transcript and Presenter's Notes


1
EXC02 All About Sender ID
  • Devin L. Ganger (3Sharp LLC) deving@3sharp.com
  • (e)Mail Insecurity http://blogs.3sharp.com/blog/deving/

2
Download the most up-to-date version of these slides at http://www.3sharp.com/files/deving/exc02.ppt
3
The Problem

4
The Problem
  • Microsoft Mail Internet Headers Version 2.0
  • Received: from mordor.thecabal.org (207.202.179.57) by RED-EXCH01.redmond.3sharp.com with Microsoft SMTPSVC(6.0.3790.2499); Thu, 9 Feb 2006 03:11:54 -0800
  • From: Paul Robichaux
  • To: Devin L. Ganger
  • Subject: Make money fast by speaking at Exchange Connections!
  • Return-Path: paulr@3sharp.com
  • Message-ID: 1.redmond.3sharp.com
  • X-OriginalArrivalTime: 09 Feb 2006 11:13:02.0269 (UTC) FILETIME=[CABABED0:01C62D69]
  • Date: 9 Feb 2006 03:13:02 -0800

Hey, this doesn't look right! The message claims to come from paulr@3sharp.com, yet the only Received: line shows it was handed to RED-EXCH01 by the outside host mordor.thecabal.org (207.202.179.57).
5
Sender ID/SPF One Possible Solution?
  • Originally developed by Meng Wong as Sender Permitted From
  • Microsoft developed an incompatible Caller ID scheme along the same lines
  • Microsoft and Meng Wong merged their proposals as the Sender Policy Framework
  • Now exists in two versions: SPFv1 and SPFv2 (Sender ID)

6
An SPF Record
  • microsoft.com. 3600 IN TXT "v=spf1 mx redirect=_spf.microsoft.com"
  • _spf.microsoft.com. 3600 IN TXT "v=spf1 ip4:213.199.128.139 ip4:213.199.128.145 ip4:207.46.50.72 ip4:207.46.50.82 ip4:131.107.3.116 ip4:131.107.3.117 ip4:131.107.3.100 ip4:131.107.3.108 a:delivery.pens.microsoft.com a:mh.microsoft.m0.net mx:microsoft.com ?all"
  • Web-based wizards are available to help you create your own SPF records
  • http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

7
Decoding the SPF Record
  • v=spf1: SPFv1 declaration (MAIL FROM scope)
  • v=spf2/pra: SPFv2 declaration (PRA scope); note that the record syntax published in RFC 4406 spells this spf2.0/pra
  • Mechanisms
    • a: Host (A record) lookup for the target name
    • all: Always matches; provides the default result
    • exists: Arbitrarily complex host lookups (pattern matching)
    • include: Check this domain and include the result in this check
    • ip4: Host is in the given IPv4 network range
    • ip6: Host is in the given IPv6 network range
    • mx: MX lookup for the target name
    • ptr: Reverse lookup for the target name
  • The include mechanism crosses administrative boundaries; you are encouraged to use redirects (next slide) when possible

8
Decoding the SPF Record (continued)
  • Mechanism prefixes (qualifiers)
    • + Pass (default if no prefix)
    • - Fail
    • ~ Softfail
    • ? Neutral
  • Modifiers
    • redirect=: if no mechanism matches, look up the named domain's record instead; useful to apply the same record to multiple domains
    • exp=: explanation string to return
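
As an added worked example (not from the deck), here is a small SPFv1 evaluator covering the a, mx, ip4 and all mechanisms, the four qualifiers and the redirect= modifier from the two decoding slides. It runs against a constructed DNS table holding the two Microsoft records from the "An SPF Record" slide plus a made-up "v=spf1 mx -all" policy for 3sharp.com, so the forged message from "The Problem" (connecting host 207.202.179.57, Return-Path paulr@3sharp.com) can be replayed offline; all MX and A answers are constructed.

```python
import ipaddress
# Constructed stand-in for DNS so the example runs offline: the two Microsoft TXT records
# from the slide, plus a made-up "v=spf1 mx -all" policy for 3sharp.com (the forged sender).
FAKE_DNS = {
    ("microsoft.com", "TXT"): ["v=spf1 mx redirect=_spf.microsoft.com"],
    ("_spf.microsoft.com", "TXT"): [
        "v=spf1 ip4:213.199.128.139 ip4:213.199.128.145 ip4:207.46.50.72 "
        "ip4:207.46.50.82 ip4:131.107.3.116 ip4:131.107.3.117 ip4:131.107.3.100 "
        "ip4:131.107.3.108 a:delivery.pens.microsoft.com a:mh.microsoft.m0.net "
        "mx:microsoft.com ?all"],
    ("3sharp.com", "TXT"): ["v=spf1 mx -all"],                 # constructed policy
    ("3sharp.com", "MX"): ["red-exch01.redmond.3sharp.com"],   # constructed
    ("red-exch01.redmond.3sharp.com", "A"): ["192.0.2.25"],    # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPFv1 record for connecting ip: a, mx, ip4, all and redirect=."""
    if depth > 10:  # guard against redirect= loops (RFC 4408 caps DNS-querying terms)
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"  # domain publishes no policy
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=, ...); only redirect= changes the result
            redirect = term[9:] if term.lower().startswith("redirect=") else redirect
            continue
        qual = "+"  # no prefix means + (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain  # a and mx default to the domain being checked
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            return "permerror"  # include, exists, ptr and ip6 are not implemented here
        if matched:
            return QUALIFIERS[qual]
    if redirect:  # no mechanism matched: the redirect target's record decides
        return check_host(ip, redirect, depth + 1)
    return "neutral"
```

Note that the Microsoft record ends in ?all, so an unlisted host gets neutral rather than fail, while the constructed 3sharp.com policy ends in -all and rejects the forged message's host outright.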

9
Benefits of SPF
  • DNS-based approach to mitigating forged email
    envelopes
  • Uses TXT records for easy deployment
  • Lookups are cacheable
  • Computationally inexpensive to implement in
    filtering
  • Natively supported in Exchange 2003 SP2
  • Well-supported by many vendors and ISPs

10
Benefits of Sender ID
  • Adds support for multiple scopes
  • SPFv1 MAIL FROM checks
  • SPFv2 MAIL FROM and Purported Responsible
    Address (PRA) checks
  • Backward compatible with SPFv1
  • PRA checks make it easier for mailing lists and
    SPF to coexist

11
Who supports it?
Some names you might recognize
  • AOL
  • Amazon.com Inc.
  • Anti-Phishing Working Group (APWG)
  • Association for Competitive Technology (ACT)
  • Bank of America
  • Barracuda Networks
  • CipherTrust, Inc.
  • Cisco Systems, Inc.
  • Cloudmark, Inc.
  • Constant Contact
  • Digital Impact Inc.
  • DoubleClick Inc.
  • EarthLink, Inc.
  • eBay Inc.
  • Email Service Provider Coalition (ESPC)
  • Equifax Inc.
  • Goodmail Systems, Inc.
  • Habeas Inc.
  • IronPort Systems Inc.
  • MailFrontier, Inc.
  • Microsoft Corporation
  • Meng Wong
  • Port25 Solutions, Inc.
  • Postini, Inc.
  • Return Path, Inc. / Netcreations
  • Scalix Corporation
  • Sendmail Inc.
  • SKYLIST, Inc.
  • StrongMail Systems
  • Symantec Corporation
  • Teros Inc.
  • The Global Council of CSOs
  • The Go Daddy Group
  • The Open Group
  • TRUSTe
  • Tumbleweed Communications Corp
  • VeriSign Inc.

12
Drawbacks of SPF
  • Not a solid defense
    • Does not stop spam
    • Does not prevent forgeries
    • Causes complications when forwarding email
  • Can contribute to load on DNS clients and servers
    • DDoS spam networks
    • Multiple lookups for each incoming message where the SPF record is large
    • Will SPF records fit into a UDP packet, or will they force a TCP DNS lookup?
  • Breaks forwarding
    • If you forward messages, a header rewrite is required
    • If your users must connect from outside, offer SMTP AUTH on TCP 25 and 587
  • Does not protect message headers
  • Does not validate users, only domains
  • Validates the last hop, not end-to-end

13
Reasons to use SPF
  • Realistic: you want users at Hotmail, AOL, Earthlink and other large ISPs to continue receiving your email.
  • Idealistic: if we get enough people using SPF, there will be a critical mass and it will become useful.
  • Pragmatic: every little bit helps.
  • Silly: over 80% of SPF-publishing domains belong to spammers, and we want to drive that number down!
  • Futuristic: it's a starting point for now; various extensions such as SRS are addressing weaknesses and making it even more useful.

14
Demo: Creating SPFv1 records
21
Determining the PRA
  • Which user/process most recently put the message into the system?
    • Often the same as the initial sender
    • Mailing lists and forwarders change this
  • Uses message headers to determine the address to check
    • From
    • Sender
    • Resent-From
    • Resent-Sender
  • Perform the check on the PRA's domain
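
An added example, not from the deck: PRA selection over the four headers listed above, using the order from RFC 4407 (Resent-Sender, then Resent-From, then Sender, then From) in simplified form. The messages are constructed; the mailing-list case shows the PRA moving from the author's domain to the list's domain, which is why PRA checks coexist better with lists than MAIL FROM checks alone.

```python
import email
from email.policy import default

# Header selection order from RFC 4407, simplified: the RFC's extra rule for messages
# with more than one Resent- block is ignored, and exactly one Sender/From header with
# exactly one mailbox is required (anything else is a permanent error).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(raw_message):
    """Return (header name, mailbox) for the PRA, or raise ValueError on permerror."""
    msg = email.message_from_string(raw_message, policy=default)
    for name in PRA_HEADERS:
        values = [v for v in msg.get_all(name, []) if str(v).strip()]
        if not values:
            continue  # fall through to the next, less specific header
        if len(values) > 1:
            raise ValueError(f"multiple {name} headers")
        mailboxes = values[0].addresses
        if len(mailboxes) != 1:
            raise ValueError(f"{name} must contain exactly one mailbox")
        return name, mailboxes[0].addr_spec
    raise ValueError("no PRA header present")

def pra_domain(raw_message):
    """The domain a Sender ID (PRA) check evaluates against the connecting IP."""
    return purported_responsible_address(raw_message)[1].rsplit("@", 1)[1]

# Constructed messages: a direct message, the same message after a mailing list
# relayed it (the list adds Sender:, moving the PRA to the list's domain), and an
# ill-formed one with two From: headers.
DIRECT = "From: Alice <alice@example.org>\nTo: devin@example.com\nSubject: hi\n\nbody\n"
VIA_LIST = "Sender: exchange-bounces@lists.example.net\n" + DIRECT
TWO_FROM = "From: a@example.org\nFrom: b@example.net\nTo: x@example.com\n\nbody\n"
```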

22
MAIL FROM vs. PRA
The SUBMITTER extension to the SMTP MAIL command allows the sender to declare the PRA during MAIL FROM, so the receiver can perform the check before the DATA phase.
23
Demo: Creating Sender ID/SPFv2 PRA records
28
Exchange and Sender ID
  • Included in Exchange 2003 SP2
  • Two modes of operation
    • Stand-alone: accept/reject messages
    • Markup: pass the result to the Intelligent Message Filter (IMF) for scoring
  • Unlike many connection filtering techniques, this works even if your Exchange server is not the edge mail server in your organization!

29
Exchange and Sender ID (continued)
30
Demo: Enabling Sender ID in Exchange
35
Exchange Sender ID gotchas
  • SUBMITTER is cool, right? Too bad it's not supported yet.
  • KB 910272, "The Sender ID Filtering feature does not work correctly in an Exchange Server 2003 SP2 server", should be considered required
    • A combination of a prefix and another domain listed in the record triggers the bug
    • A server without the hotfix can reject mail with a proper SPF record
    • A server without the hotfix can accept mail without a proper SPF record

36
Questions?
37
Resources
  • Want to Tick Off Spammers? Try Sender ID
    • Kevin Laahs, April 2006, Exchange and Outlook Administrator
  • Sender Policy Framework
    • http://www.openspf.org/index.html
  • Sender ID Resources
    • http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx
  • Sender ID Framework SPF Record Wizard
    • http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
  • Sender Rewriting Scheme (SRS)
    • http://www.openspf.org/srs.html
  • Sender Rewriting Scheme diagram
    • http://www.openspf.org/srspng.html