Thursday, December 3, 2009

Content Filtering Agent and Safe list Aggregation

Have you ever received a legitimate e-mail in your junk folder before?
I'm sure yes, and probably you have added it to the Safe Senders list in order to get future e-mails from that sender in the Inbox instead of the Junk folder.

Select Tools > Options > Preferences > Junk E-mail

You will find that there is more to adjust:
  1. You can trust your contacts by checking the “Also trust e-mail from my Contacts” check box, which is checked by default.
  2. You can trust the recipients you are mailing by checking the “Automatically add people I e-mail to the Safe Senders List” check box.
Note: this data is stored in your mailbox, with a limit of 3,072 unique entries in Microsoft Exchange Server 2007 Service Pack 1.

Well, this works fine as long as the e-mail's SCL (Spam Confidence Level) did not reach the quarantine, reject or delete threshold configured in the Content Filtering agent's Action properties.

So is there any magical way to let my Content Filter agent see my Safe Senders list, so it won't process mail from those senders and I'll get all my legitimate mail?

Actually there is a way: by running the Update-Safelist command from the Mailbox server role against the required mailboxes, you add a replica of the Safe Senders list stored in your mailbox to the Active Directory database, and EdgeSync then replicates it again to the Active Directory Application Mode (ADAM) instance on the Edge Transport server.

How to update my whole environment's safe list?

You can copy the following script into a .bat file and save it to a directory of your choice, for instance as D:\SafeList.bat:

REM Loads the Exchange Management Shell console file, then pipes every user mailbox to Update-Safelist.
REM Adjust the exshell.psc1 path to your Exchange installation folder.
"%SystemRoot%\System32\WindowsPowershell\v1.0\powershell.exe" -psconsolefile "d:\Program Files\Microsoft\Exchange Server\v14\bin\exshell.psc1" -command "get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | Update-Safelist"

You can also schedule it to run at a time of your choosing, for instance every Friday at 10:00 pm, with the following at command:
at 22:00 /every:F cmd /c "D:\SafeList.bat"

How to verify that Update-Safelist is working fine?

You can check any user account with the Active Directory Service Interfaces (ADSI) Edit snap-in and look at the value of the msExchSafeSendersHash attribute. If a value such as 0xac 0xbd 0x03 0xca is present on the attribute, the user object was updated. If the attribute has no value (ADSI Edit shows <Not Set>), the attribute was not updated.

Safelist Aggregation benefits:

  1. Increased privacy for your mail environment, since fewer legitimate e-mails end up in quarantine, where they can be exposed to the Exchange administrator or the spam quarantine mailbox administrator.
  2. Fewer legitimate e-mails quarantined, rejected or deleted.
  3. Better performance, since the Content Filtering agent no longer spends time processing the legitimate e-mails.

Safelist Aggregation do's and don'ts:

Do:
  1. Plan well for Safelist Aggregation, as it adds a considerable amount of data to your Active Directory that has to be replicated.
  2. Communicate this with your Active Directory administrator so that the two of you can agree on a plan and schedule for the Update-Safelist command.
  3. Educate your users to add only sender addresses to the Safe Senders list, not sender domains.

Don't:
  1. Don't use the Update-Safelist command with the Type parameter set to SafeRecipients or Both: that adds unnecessary data (the Safe Recipients list) to your Active Directory, which the Content Filtering agent never processes by any means. Just run Update-Safelist with the default Type parameter, which is SafeSenders.
  2. Don't run the Update-Safelist command during working hours unless you are running it against a very limited number of users.

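
The procedure above (run Update-Safelist for user mailboxes only, keep the default SafeSenders type, pilot on a few mailboxes, then confirm msExchSafeSendersHash in ADSI Edit) as an added example in the Exchange Management Shell; this is not code from the original post. It assumes an Exchange 2007 Management Shell on a server with the Mailbox role and an account allowed to read the mailbox user objects; the -ResultSize Unlimited parameter and the hypothetical function names are additions.

```powershell
# Added example, not from the original post: runs safelist aggregation the way the do's and
# don'ts above describe (user mailboxes only, Type left at its default SafeSenders, pilot on a
# few mailboxes first) and automates the ADSI Edit check by reading msExchSafeSendersHash.
# Assumes an Exchange 2007 Management Shell on a server with the Mailbox role and an account
# allowed to read mailbox user objects; -ResultSize Unlimited is an addition to the post's one-liner.

function Invoke-SafeListAggregation {
    param([int]$Limit = 0)   # 0 = every user mailbox; use a small number for a pilot during working hours
    $mailboxes = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' }
    if ($Limit -gt 0) { $mailboxes = $mailboxes | Select-Object -First $Limit }
    # No -Type parameter: SafeRecipients or Both would only add data the Content Filtering agent never reads
    $mailboxes | Update-SafeList
    return $mailboxes
}

function Get-SafeListHashStatus {
    param([Parameter(ValueFromPipeline = $true)] $Mailbox)
    process {
        # Same attribute ADSI Edit shows: a byte array means the object was updated, $null means <Not Set>
        $entry = [ADSI]("LDAP://" + $Mailbox.DistinguishedName)   # assumes no characters needing LDAP escaping in the DN
        $hash  = $entry.Properties['msExchSafeSendersHash'].Value
        $bytes = if ($hash) { ($hash | ForEach-Object { '0x{0:x2}' -f $_ }) -join ' ' } else { '<Not Set>' }
        New-Object PSObject -Property @{ Mailbox = $Mailbox.Alias; Updated = ($null -ne $hash); Bytes = $bytes }
    }
}

# Pilot run on five mailboxes, then report which user objects now carry a hash
Invoke-SafeListAggregation -Limit 5 | Get-SafeListHashStatus | Format-Table Mailbox, Updated, Bytes -AutoSize
```

Once the pilot shows the hash on every listed mailbox, call Invoke-SafeListAggregation without -Limit from the scheduled job for the full run.
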
Time for Microsoft talk

Safelist Aggregation Exchange 2007 Help
How to Configure Safelist Aggregation Exchange 2007 Help

See you soon, Hany Donia

Tuesday, December 1, 2009

Sender ID and Spoofing

What is Sender ID?

The Sender ID Framework is a protocol created to counter e-mail domain spoofing and to provide greater protection against phishing schemes by verifying an e-mail message's sender.

How Does Sender ID work?

Sender ID works using SPF records, which are DNS records used to publish the IP addresses authorized to send mail for your domain.
So the first thing you want to do before enabling the Sender ID filtering agent is to create SPF records for your domain, listing in them the IP addresses you send mail from.
And here is how it really works:
  1. The sender transmits an e-mail message to the receiver.
  2. The receiver's inbound mail server receives the mail.
  3. The inbound server checks which domain claims to have sent the message, and checks the DNS for the SPF record of that domain. The inbound server determines if the sending e-mail server's IP address matches any of the IP addresses that are published in the SPF record.
  4. If the IP addresses match, the mail is authenticated and delivered to the receiver. If the addresses do not match, the mail fails authentication and is not delivered.
So is it that simple?
Well, actually not, so let us discuss this in more detail, assuming that I'm working in a company called Donia dot com, my mail address is hany at Donia dot com, and I have already published my SPF records listing all the IP addresses I send mail from.

  1. A friend from another company sends me mail from friend at another company dot com.
  2. My Edge servers (or Hub Transport servers, according to your company's design) receive the mail.
  3. The Sender ID filtering agent queries the DNS of (another company dot com) for its SPF records, which leads to one of two possibilities:
    1. There is an SPF record for (another company dot com):
      1. If the IP address I received the mail from is one of those in the SPF record, the message is accepted.
      2. If the IP address I received the mail from is not one of those in the SPF record, the message is stamped and then deleted or rejected, according to my settings.
    2. There is no SPF record for (another company dot com):
      1. The mail is stamped and accepted.
Isn't it weird that I'll accept mail from domains that don't have SPF records in place?
Actually no, because if you delete or reject mail from every domain that has no published SPF records, you will end up rejecting or deleting 90% if not more of your incoming mail, as most companies don't have SPF records. That is why I told you that the “first thing you want to do before enabling the Sender ID filtering agent is to create SPF records for your domain, listing in them the IP addresses you send mail from”: so you can stop receiving mail from senders spoofing your own domain. And here is the table of Sender ID Results and Actions.

Sender ID benefits

  1. If your company has its SPF records set up, you will stop receiving mail that spoofs your own domain.
  2. You will also stop receiving spoofed mail for other companies if they have their SPF records published; that is why it is very important to communicate this with all the companies you deal with, so that they set up their SPF records.
  3. Nobody can spoof your domain to a company that has the Sender ID filtering agent enabled.

Sender ID issues

Issues, here we come. Actually it is just one issue that I have faced so far, and it is a very rare situation: a distribution group in another company contains one or more users from your company, and a person at your company sends mail to that distribution group. The other company accepts the message and sends it on to all the recipients in the group, so the users from your company who are members of that group will receive the mail. But wait a minute: they will receive it from the other company's sending mail server, whose address is not one of your SPF records, which means that according to your settings that mail will be rejected or deleted.

How to know if my company (or any other company) has SPF records in place or not?

  1. Manually, using NSLOOKUP: open CMD, run nslookup, enter set q=txt, then enter Donia dot com, and you will get the result.
  2. With a wizard, using the Sender ID Framework SPF Record Wizard.
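
The Sender ID decision described above (record present and sending IP listed, record present and IP not listed, no record at all), including the distribution-group case from the issues section, as an added PowerShell example that is not part of the original post. The domains, addresses and SPF records are constructed sample data, and only ip4: mechanisms and the all term are evaluated.

```powershell
# Added example (not from the original post): reproduces the three Sender ID outcomes
# described above: record present and IP listed -> accepted; record present and IP not
# listed -> the configured action for spoofed mail; no record -> stamped and accepted.
# Only ip4: mechanisms and "all" are evaluated; include:/a/mx terms are ignored here.
function Test-Ip4InNetwork([string]$Ip, [string]$Network, [int]$PrefixLength) {
    # Compare the first $PrefixLength bits; integer division keeps this PowerShell 2.0 friendly (no -shl)
    $toInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    }
    $div = [math]::Pow(2, 32 - $PrefixLength)
    return [math]::Floor((& $toInt $Ip) / $div) -eq [math]::Floor((& $toInt $Network) / $div)
}

function Get-SenderIdVerdict {
    param(
        [string]$SpfRecord,        # $null or '' when the domain publishes no SPF record
        [string]$SenderIp,
        [ValidateSet('StampStatus', 'Reject', 'Delete')]
        [string]$SpoofedDomainAction = 'StampStatus'   # Exchange default; the post uses Reject or Delete
    )
    if (-not $SpfRecord) { return 'None -> stamped and accepted' }
    $result = 'Neutral'   # SPF default when no term matches
    foreach ($term in ($SpfRecord -split '\s+')) {
        if (-not ($term -match '^(?<q>[+\-~?])?(?<mech>ip4:(?<net>[\d.]+)(/(?<bits>\d+))?|all)$')) { continue }
        $bits = if ($Matches['bits']) { [int]$Matches['bits'] } else { 32 }
        if ($Matches['mech'] -ne 'all' -and -not (Test-Ip4InNetwork $SenderIp $Matches['net'] $bits)) { continue }
        $q = [string]$Matches['q']   # '' when no qualifier was written, which means Pass
        $result = switch ($q) { '-' { 'Fail' } '~' { 'SoftFail' } '?' { 'Neutral' } default { 'Pass' } }
        break   # first matching term decides
    }
    switch ($result) {
        'Fail'  { "Fail -> $SpoofedDomainAction" }
        'Pass'  { 'Pass -> accepted' }
        default { "$result -> stamped and accepted" }
    }
}

# Constructed sample records: my friend's company and my own domain publish SPF, one domain does not
$records = @{
    'anothercompany.example' = 'v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all'
    'donia.example'          = 'v=spf1 ip4:198.51.100.25 -all'
    'nospf.example'          = $null
}
Get-SenderIdVerdict $records['anothercompany.example'] '203.0.113.12'   # sending IP inside the /28
Get-SenderIdVerdict $records['nospf.example'] '192.0.2.7'               # domain without any SPF record
# The distribution-group case from the post: my own domain arriving from the other company's server
Get-SenderIdVerdict $records['donia.example'] '203.0.113.10' -SpoofedDomainAction Reject
```

To test a live domain, paste the TXT record returned by the nslookup step above into $SpfRecord.
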

How to create an SPF record?

You can use the SPF Setup Wizard.

Time for Microsoft talk

  1. Fighting spam and phishing with Sender ID
  2. Sender ID White Paper - Microsoft Corp.
I hope my first contribution was good enough, and see you soon, Hany Donia