Tuesday, December 1, 2009

Sender ID and Spoofing

What is Sender ID?

The Sender ID Framework is a protocol created to counter e-mail domain spoofing and to provide greater protection against phishing schemes by verifying an e-mail message's sender.

How does Sender ID work?

Sender ID works using SPF records, which are DNS TXT records you publish to list the IP addresses that are authorized to send mail for your domain.
So the first thing you want to do before enabling the Sender ID filtering agent is to create SPF records for your domain, listing in them the IPs that you send mail from.
And here is how it really works:
  1. The sender transmits an e-mail message to the receiver.
  2. The receiver's inbound mail server receives the mail.
  3. The inbound server checks which domain claims to have sent the message, and checks the DNS for the SPF record of that domain. The inbound server determines if the sending e-mail server's IP address matches any of the IP addresses that are published in the SPF record.
  4. If the IP addresses match, the mail is authenticated and delivered to the receiver. If the addresses do not match, the mail fails authentication and is not delivered.
So is it that simple?
Well, actually not. Let us discuss this in more detail, assuming that I work for a company called Donia dot com, my mail address is hany at Donia dot com, and I have already published my SPF records listing all the IPs that I send mail from.

  1. A friend from another company sends me mail from friend at another company dot com.
  2. My edge servers (or hub transport servers, depending on your company's design) receive the mail.
  3. The Sender ID filtering agent queries the (another company dot com) DNS for its SPF records, which leads to one of two possibilities:
    1. There is an SPF record for (another company dot com):
      1. If the IP I received the mail from is one of those listed in the SPF record, the message is accepted.
      2. If the IP I received the mail from is not one of those listed in the SPF record, the message is stamped and then deleted or rejected, according to my settings.
    2. There is no SPF record for (another company dot com):
      1. The mail is stamped and accepted.
Isn't it weird that I'll accept mail from domains that don't have SPF records in place?
Actually no, because if you delete or reject mail from domains that don't publish SPF records, you will end up rejecting or deleting 90% if not more of your incoming mail, as most companies don't have SPF records. That is why I told you that the "first thing you want to do before enabling the Sender ID filtering agent is to create SPF records for your domain, listing in them the IPs that you send mail from": it lets you stop receiving mail from senders spoofing your own domain. And here is the table of Sender ID Results and Actions.

Sender ID benefits

  1. If your company has its SPF records set up, you will stop receiving mail that spoofs your own domain.
  2. You will also stop receiving spoofed mail for other companies if they have their SPF records available; that is why it is very important to communicate with all the companies you deal with so that they set up their SPF records.
  3. Nobody can spoof your domain to a company that has Sender ID filtering enabled.
Sender ID issues

Issues, here we come. Actually it is just one issue that I have faced so far, and it is a very rare situation: a distribution group in another company contains one or more users from your company. When a person at your company sends mail to this distribution group at the other company, the other company accepts the message and sends it on to all the recipients in that distribution group, so the users from your company who are members of that group receive the mail. But wait a minute: they receive it from the other company's sending mail server, whose IP is not one of those in your SPF record, which means that, according to your settings, that mail will be rejected or deleted.
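As an added example (not code from the original post, nor Microsoft's agent), here is a small Python evaluator that walks the Sender ID flow described above, including the "no SPF record" case, and reproduces the distribution-group issue. It uses a constructed in-memory table in place of real DNS TXT lookups; the domains, records and documentation-range IPs in it are made up, and only ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (made-up domains and records,
# documentation-range IPs); a real agent queries DNS instead.
DNS_TXT = {
    "donia.com": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all"],
    "anothercompany.com": ["v=spf1 ip4:198.51.100.5 ~all"],
    "nospf.example": ["some-unrelated-txt-record"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # qualifier -> result

def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS_TXT.get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_spf(domain, sender_ip):
    """Step 3 of the flow: does the connecting IP match the domain's SPF record?
    Only ip4 and 'all' mechanisms are handled (include/a/mx are ignored here)."""
    record = spf_record(domain)
    if record is None:
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term

def sender_id_action(result, on_fail="reject"):
    """Map the SPF result to the agent's action; on_fail is the admin's
    setting for failed mail: 'reject', 'delete' or 'stamp'."""
    if result == "pass":
        return "accept"
    if result == "fail":
        return on_fail
    return "stamp and accept"  # none/softfail/neutral: stamped, still delivered

def evaluate(mail_from_domain, sender_ip, on_fail="reject"):
    """One inbound message end to end: (spf_result, agent_action)."""
    result = check_spf(mail_from_domain, sender_ip)
    return result, sender_id_action(result, on_fail)
```

Calling `evaluate("donia.com", "198.51.100.5", on_fail="delete")` models the distribution-group case: mail claiming to be from your own domain arrives from the other company's server, fails your SPF record and is deleted.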

How do I know whether my company (or any other company) has an SPF record in place?

  1. Manually, using NSLOOKUP: open CMD > nslookup > set q=txt > Donia dot com > and you will see the result.
  2. Using the Sender ID Framework SPF Record Wizard.

How to create an SPF record?

You can use the SPF Setup Wizard.

Time for Microsoft talk

  1. Fighting spam and phishing with Sender ID
  2. Sender ID White Paper - Microsoft Corp.
I hope my first contribution was good enough, and see you soon. Hany Donia