EXC04 All About Sender ID - PowerPoint PPT Presentation

1 / 25

About This Presentation

Title:

EXC04 All About Sender ID

Description:

mx MX lookup for target name. ptr Reverse lookup for target name ... Probably not for 80-90% of email. Fixed with addition of a null spf2.0/pra record ... – PowerPoint PPT presentation

Number of Views:71

Avg rating:3.0/5.0

Slides: 26

Provided by: erikr151

Category:

more less

Transcript and Presenter's Notes

Title: EXC04 All About Sender ID

1
EXC04All About Sender ID

Devin L. Ganger (3Sharp LLC) deving_at_3sharp.com
(e)Mail Insecurity http//blogs.3sharp.com/blog/d
eving/

2
Download the most up-to-date version of these
slides athttp//www.3sharp.com/files/deving/exc0
4-ganger-f06.ppt
3
The Problem

Microsoft Mail Internet Headers Version 2.0
Received from mordor.thecabal.org
(207.202.179.57) by RED-EXCH01.redmond.3sharp.co
m with Microsoft SMTPSVC(6.0.3790.2499)
Thu, 9 Feb 2006 031154 -0800
From Paul Robichaux ltpaulr_at_3sharp.comgt
To Devin L. Ganger ltdeving_at_3sharp.comgt
Subject Make money fast by speaking at Exchange
Connections!
Message-ID ltRED-EXCH01cLtOqvXKC000018ef_at_RED-EXCH0
1.redmond.3sharp.comgt
X-OriginalArrivalTime 09 Feb 2006 111302.0269
(UTC) FILETIMECABABED001C62D69
Date 9 Feb 2006 031302 -0800

This is probably a forgery!
4
Sender ID/SPF One Possible Solution?

Originally developed by Meng Wong as Sender
Permitted From
Microsoft developed incompatible Caller ID scheme
along same ideas.
Microsoft, Meng Wong merged proposals for Sender
Policy Framework
Now exists in two versions SPFv1 (Classic SPF)
and SPFv2 (Sender ID)
Despite some claims, Sender ID is not 100
backwards-compatible with SPF

5
Who uses Sender ID?

According to recent Microsoft estimates
There are 5.5 million domains worldwide protected
by Sender ID.
Approximately 36 of all legitimate email is
Sender ID compliant.

6
An SPF Record

microsoft.com. 3600 IN TXT "vspf1 mx
redirect_spf.microsoft.com
_spf.microsoft.com. 3600 IN TXT "vspf1
ip4213.199.128.139 ip4213.199.128.145
ip4207.46.50.72 ip4207.46.50.82
ip4131.107.3.116 ip4131.107.3.117
ip4131.107.3.100 ip4131.107.3.108
adelivery.pens.microsoft.com amh.microsoft.m0.ne
t mxmicrosoft.com ?all
Web-based wizards are available to help you
create your own SPF records
http//www.microsoft.com/mscorp/safety/content/tec
hnologies/senderid/wizard/

7
Decoding the SPF Record

vspf1 SPFv1 declaration (MAIL FROM)
spf2.0/mfrom,pra
SPFv2 declaration (MAIL FROM and PRA)
Mechanisms
a Host lookup for target domain
all Always matches provides default
exists Arbitrary complex host lookups (pattern
matching)
include Check this domain and include in check
results
ip4 Host is in given IPv4 network range
ip6 Host is in given IPv6 network range
mx MX lookup for target name
ptr Reverse lookup for target name
The include mechanism crosses administrative
boundaries you are encouraged to use redirects
(next slide) when possible

8
Decoding the SPF Record (continued)

Mechanism prefixes
Pass (default if no prefix)
- Fail
Softfail
? Neutral
Modifiers
redirect If mechanisms fail, look up in named
domain
exp Explanation string to return
Useful to apply the same record to multiple
domains.

9
Benefits of SPF

DNS-based approach to mitigating forged email
envelopes
Uses TXT records for easy deployment
Lookups are cacheable
Computationally inexpensive to implement in
filtering
Well-supported by many vendors and ISPs

10
Reasons to use SPF

Realistic you want users at Hotmail, AOL,
Earthlink, other large ISPs to continue receiving
your email.
Idealistic if we get enough people using SPF,
there will be a critical mass and it will become
useful.
Pragmatic Every little bit helps.
Silly over 80 of SPF-publishing domains belong
to spammers and we want to drive that number
down!
Futuristic its a starting point for now
various extensions such as SRS are addressing
weaknesses and making it even more useful.

11
Drawbacks of SPF

Not a solid defense
Does not stop spam
Does not prevent forgeries
Causes complications when forwarding email
Can contribute to load on DNS clients and servers
DDoS spam networks
Multiple lookups for each incoming message where
SPF record is large
Lack of consensus about best practices to limit
the impact of lookups
Will SPF records fit into UDP packet or cause TCP
DNS lookup?
Breaks forwarding
If you forward messages, requires header rewrite
If your users must connect from outside, offer
SMTP AUTH on TCP 25 and 587
Does not protect message headers
Does not validate users, only domains
Validates last-hop, not end-to-end

12
Benefits of Sender ID

Adds support for multiple scopes
SPFv1 MAIL FROM checks
SPFv2 MAIL FROM and Purported Responsible
Address (PRA) checks
Backward compatible with SPFv1
PRA checks make it easier for mailing lists and
SPF to coexist
Natively supported in Ex2003SP2/Ex2007

13
Purported Responsible Address

Which user/process most recently put the message
into the system?
Often the same as the initial sender
Mailing lists, forwarders change this
Uses message headers to determine address to
check
From
Sender
Resent-From
Resent-Sender
Perform the check on the PRAs domain

14
MAIL FROM vs. PRA
SUBMITTER extension to SMTP MAIL command allows
the sender to declare the PRA during MAIL FROM,
allowing the receiver to perform checks before
the DATA phase.
15
SPF/Sender ID interoperability

What people think will happen
Its backwards compatible so Ill only publish
a Classic SPF record
Sender ID implementations will do the right thing
What really happens
By design, Sender ID treats a bare vspf1 record
as the equivalent of spf2.0/mfrom,pra
No way to distinguish between Classic SPF
semantics and Sender ID semantics
Some additional mail may fail to be classified
the way the sender intended

16
SPF vs. Sender ID

Is performing PRA checks on vspf1 records really
so bad?
Probably not for 80-90 of email
Fixed with addition of a null spf2.0/pra record
Microsofts position for most domains, PRA and
MFROM are the same.
SPFs position Microsoft is forcing SPF
publishers to change their records to prevent bad
effects
SPF vs. Sender ID FAQ http//new.openspf.org/SPF_
vs_Sender_ID
SPF Community Position http//new.openspf.org/blo
bs/spf-community-position

17
SPF/Sender ID interoperability

What people think will happen
Its backwards compatible so Ill only publish
a Classic SPF record
Sender ID implementations will do the right thing
What really happens
By design, Sender ID treats a bare vspf1 record
as the equivalent of spf2.0/mfrom,pra
No way to distinguish between Classic SPF
semantics and Sender ID semantics
Some additional mail may fail to be classified
the way the sender intended

18
DemoCreating Classic SPF and Sender ID records
19
Exchange and Sender ID

Included in Exchange 2003 SP2 and Exchange 2007
Two modes of operation
As stand-alone to accept/reject messages
Markup to pass to IMF for scoring
This works even if your Exchange server is not
the edge mail server in your organization!

20
Exchange and Sender ID (continued)
21
DemoEnabling Sender ID in Exchange 2003 SP2
22
Exchange Sender ID gotchas

SUBMITTER is cool, right? Too bad its not
supported yet.
KB 910272 The Sender ID Filtering feature does
not work correctly in an Exchange Server 2003 SP2
server should be considered required
Combination of prefix and another domain listed
in record triggers bug
Server without hotfix can reject mail with proper
SPF record
Server without hotfix can accept mail without
proper SPF record

23
Questions?
24
Specifications

SMTP Service Extension for Indicating the
Responsible Submitter of an E-Mail Message (RFC
4405)http//www.ietf.org/rfc/rfc4405
Sender ID Authenticating E-mail (RFC
4406)http//www.ietf.org/rfc/rfc4406
Purported Responsible Address in E-Mail Messages
(RFC 4407)http//www.ietf.org/rfc/rfc4407
Sender Policy Framework Authorizing Use of
Domains in Mail From (RFC 4408)http//www.ietf.
org/rfc/rfc4408

25
Other Resources