Sender ID Filtering

If the message still contains valid recipients after recipient filtering has been applied, Exchange Server 2007 runs Sender ID filtering (SIDF). First, the Sender ID agent determines the Purported Responsible Address (PRA) of the message using the algorithm described in RFC 4407; this step is required to identify the message's sender accurately. The PRA is an SMTP address, such as kim@contoso.com. The Sender ID agent then performs a DNS lookup against the domain part of the PRA. If that domain has published a sender policy framework (SPF) record, the agent uses the SPF record to evaluate the message according to RFC 4408. The result of the evaluation is recorded in the message's anti-spam stamp. If that domain has not published an SPF record, the Sender ID agent stamps a Sender ID result of "None" on the message.

Some industry surveys indicate that over 95 percent of phishing scams come from spoofed domains and have spoofed sender e-mail addresses. This is where SIDF makes a huge difference with regard to anti-spam processing.

Sender ID seeks to verify that every e-mail message originates from the Internet domain from which it claims to have been sent. This is accomplished by checking the address of the server sending the e-mail against a registered list of servers that the domain owner has authorized to send e-mail. Verification is performed automatically by the Internet service provider (ISP) or the recipient's mail server before the message is delivered to the user's Inbox.

Note that Sender ID, or any other authentication mechanism, does not replace content filtering systems. SIDF does not scan actual message content. Instead, authentication notifies the inbound mail system of whether the message can be validated as coming from the claimed sender. Because most spam and phishing exploits do not actually come from the domain shown, this approach can help automatically identify these messages and separate them from the incoming mail stream. Within SIDF, the SPF record provides a simple text record of all outbound mail servers associated with a domain, along with their respective IP addresses. An organization publishes the SPF record to its DNS server zone file, which is then checked by recipient mail servers.

Setting up an SPF record is fast, easy, and free. The Sender ID Framework SPF Record Wizard provides a step-by-step process for surveying a domain's mail servers and creating customized records ready for posting. (Details on publishing an SPF record are available at Sender ID. The wizard can be accessed directly at Sender ID Framework SPF Record Wizard.) The receiving SMTP mail server queries the domain's DNS zone for an SPF record. If one is found, the IP address of the sending server is checked against the IP addresses the record lists. If there is a match, the message is validated as authentic. If, on the other hand, the sender's SPF record does not authorize the IP address the message came from, the check fails, which counts against the message's score and can land it in the junk mail folder.

If the sender's domain or address fails the Sender ID check, the following actions may be taken, depending on your configuration of Sender ID actions:

  • Reject message - If the Sender ID action is set to Reject Message, Exchange rejects the message and sends an SMTP error response to the sending server. The SMTP error response is a 5xx protocol response whose text corresponds to the Sender ID status.
  • Delete message - If the Sender ID action is set to Delete Message, Exchange deletes the message without informing the sending server of the deletion. In fact, the computer that has the Edge Transport server role installed sends a fake "OK" SMTP response to the sending server and then deletes the message. Because the sending server assumes that the message was accepted, it will not retry sending the message in the same session.
  • Stamp message with Sender ID result and continue processing - Exchange stamps the message with the Sender ID result and continues processing the message. The Content Filter agent evaluates this metadata when it calculates the spam confidence level (SCL). Additionally, sender reputation uses the message metadata when it calculates a sender reputation level for the sender of the message.
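The whole pass described on this page (PRA selection per RFC 4407, SPF evaluation of the PRA domain per RFC 4408, stamping, and the three configured actions) as one added example. This is illustration code written for this page, not Microsoft's or Exchange's implementation. It assumes an in-memory DNS table in place of real lookups, supports only a subset of SPF mechanisms (ip4, ip6, a, mx, include, all, with qualifiers; no redirect= or macros), assumes that the Reject and Delete actions fire only on a Fail result, and uses constructed SMTP reply text and constructed sample messages.

```python
"""Added example, not Microsoft's or Exchange's code: one simplified Sender ID pass.

Steps mirror the text: pick the PRA from the headers (RFC 4407 header precedence),
evaluate the PRA domain's SPF record against the connecting IP (a subset of
RFC 4408: ip4, ip6, a, mx, include, all with qualifiers), stamp the result and
apply the configured action. DNS answers come from a constructed in-memory table.
"""
import ipaddress

# Constructed DNS data standing in for real TXT/MX/A lookups.
DNS = {
    "txt": {
        "contoso.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
        "fabrikam.com": "v=spf1 a -all",
    },
    "mx": {"contoso.com": ["mail.contoso.com"]},
    "a": {"mail.contoso.com": ["192.0.2.25"], "fabrikam.com": ["192.0.2.80"]},
}

# RFC 4407: the first header present in this order names the PRA.
PRA_HEADERS = ("resent-sender", "resent-from", "sender", "from")
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def purported_responsible_address(headers):
    """Return the PRA as a bare SMTP address, or None when no usable header exists."""
    for wanted in PRA_HEADERS:
        for name, value in headers:
            if name.lower() == wanted and value.strip():
                addr = value.strip()
                if "<" in addr and ">" in addr:          # strip "Display Name <addr>"
                    addr = addr[addr.index("<") + 1:addr.index(">")]
                return addr
    return None


def evaluate_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record against ip; returns an RFC 4408 result string."""
    record = DNS["txt"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "None"                                    # no published SPF record
    if depth > 10:
        return "PermError"                               # runaway include chain
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                      # skip the v=spf1 tag
        if "=" in term:
            continue                                     # modifiers (redirect=, exp=) not modelled
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):                     # an IP of the other version never matches
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in DNS["a"].get(arg or domain, [])
        elif mech == "mx":
            hosts = DNS["mx"].get(arg or domain, [])
            matched = any(str(ip) in DNS["a"].get(h, []) for h in hosts)
        elif mech == "include":
            matched = evaluate_spf(str(ip), arg, depth + 1) == "Pass"
        else:
            return "PermError"                           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                                     # nothing matched, no "all" term


def apply_sender_id_action(result, action):
    """Map the stamped result and the configured action to the SMTP outcome.

    action is "Reject", "Delete" or "StampStatus" (the three choices in the text).
    Assumption: Reject/Delete fire only on a Fail result; everything else is
    stamped and handed to the content filter. Returns (smtp_reply, continues, stamp).
    """
    stamp = {"SenderID": result}
    if result == "Fail" and action == "Reject":
        return ("550 5.7.1 Sender ID (PRA) check failed", False, stamp)   # constructed text
    if result == "Fail" and action == "Delete":
        return ("250 2.6.0 Message accepted", False, stamp)  # fake OK, message dropped
    return ("250 2.6.0 Message accepted", True, stamp)


def sender_id_filter(client_ip, headers, action="StampStatus"):
    """Full pass: PRA -> SPF evaluation of the PRA domain -> configured action."""
    pra = purported_responsible_address(headers)
    if pra is None or "@" not in pra:
        result = "None"                                  # nothing to verify
    else:
        result = evaluate_spf(client_ip, pra.rsplit("@", 1)[1].lower())
    reply, continues, stamp = apply_sender_id_action(result, action)
    return {"pra": pra, "result": result, "reply": reply,
            "continues": continues, "stamp": stamp}


# Constructed messages as (header, value) lists; the spoofed one claims contoso.com.
LEGIT = [("From", "Kim Akers <kim@contoso.com>"), ("Subject", "Q3 numbers")]
SPOOFED = [("From", "Kim Akers <kim@contoso.com>"), ("Subject", "Reset your password")]
RESENT = [("Resent-From", "ops@fabrikam.com"), ("From", "kim@contoso.com")]

if __name__ == "__main__":
    for ip, hdrs, action in [("192.0.2.25", LEGIT, "Reject"),
                             ("198.18.0.9", SPOOFED, "Reject"),
                             ("198.18.0.9", SPOOFED, "Delete"),
                             ("192.0.2.80", RESENT, "StampStatus")]:
        print(action, ip, sender_id_filter(ip, hdrs, action))
```

Two points the run makes visible: a domain with no SPF record is stamped "None" and always continues to the Content Filter, whatever action is configured, so Sender ID alone never blocks mail from unprotected domains; and the Delete action answers 250 and then drops the message, so a legitimate sender whose mail was forwarded through a host outside the SPF record never learns it was lost. Such forwarding is the usual source of Sender ID false positives, which is why stamping the result and letting the SCL calculation weigh it is the least disruptive choice for a domain that has not first reviewed its inbound forwarding paths.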