Sunday, May 1, 2011

~all or -all; does it really make a difference?

Before we go any further, I suggest you read the following post first: Sender ID and Spoofing.
Recently I've received a lot of questions about Sender ID filtering, including configurations that are implemented correctly but aren't taking effect, and about the differences between the SPF record prefixes (the "Pre's" in front of all).
So I decided to clear up the mystery of the SPF record prefixes, especially ~all and -all, and how they relate to the Sender ID filtering options.
Let's start from the Sender ID configuration perspective. It is very simple in the Exchange Management Console (EMC), as shown below.

And from Forefront Protection 2010 for Exchange, as shown below.
Now let's take a simple, straightforward SPF record for a company that sends mail only from the IPs of its MX records. Its SPF record would be either
IN TXT "v=spf1 mx ~all"
or
IN TXT "v=spf1 mx -all"
But what is the difference between the two? And what does it have to do with the Sender ID filtering action options?
There are actually two scenarios: one where the result of the filter is positive and one where it is negative.
When the result is positive, whether you are using the tilde or the minus, you should see the Sender ID result below in the message header.
But when the result is negative and you are using the tilde, you will see the Sender ID result below in the message header.
While when you are using the minus, you should see the Sender ID result below in the message header.
OK, I got it: the difference shows when the test fails. With the tilde it returns SoftFail, while with the minus it returns Fail. But what does that have to do with the Sender ID filtering action options?
The figure below answers this question.
So the actions available for Sender ID to take on a message depend on the Sender ID status. This means that if your SPF record uses the tilde while you set the Sender ID action to reject the message, nothing will happen and you will find yourself a victim of spoofing: with the tilde the only possible action is to stamp the message, whereas with the minus all the options are available.
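As an added illustration (not code from the original post), the following Python evaluates a minimal "v=spf1 mx ... all" record against a constructed DNS table and maps the SPF result to the Sender ID actions described above; the domain, host names and addresses are made up for the example.

```python
import ipaddress

# Constructed DNS data for a hypothetical domain (not real records).
FAKE_DNS = {
    "example.test": {"MX": ["mail.example.test"]},
    "mail.example.test": {"A": ["192.0.2.10"]},
}

# SPF qualifier prefix -> result name.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record, domain, sender_ip, dns=FAKE_DNS):
    """Evaluate a minimal 'v=spf1 [mx] <qualifier>all' record.

    Only the 'mx' and 'all' mechanisms are supported; other mechanisms are
    skipped, which is enough to show the ~all versus -all difference.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                       # an unprefixed mechanism means Pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech = term.lower()
        if mech == "mx":
            # Match the sender against the A records of every MX host.
            for host in dns.get(domain, {}).get("MX", []):
                for addr in dns.get(host, {}).get("A", []):
                    if ipaddress.ip_address(addr) == ip:
                        return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
    return "Neutral"                     # no mechanism matched


def available_actions(status):
    """Actions the post describes per Sender ID status: only Fail unlocks all."""
    if status == "Fail":
        return ["Stamp", "Reject", "Delete"]
    return ["Stamp"]


def sender_id_outcome(record, domain, sender_ip, configured_action):
    """Return (SPF status, action actually taken) for a configured action."""
    status = evaluate_spf(record, domain, sender_ip)
    action = configured_action if configured_action in available_actions(status) else "Stamp"
    return status, action
```

With "v=spf1 mx ~all" a message from an address outside the MX records gets SoftFail and is only stamped even when "Reject" is configured, while the same message under "v=spf1 mx -all" gets Fail and is rejected.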
This was only a glance at the relation between the Sender ID options and the SPF record prefixes.
See you soon, Hany Donia


Rolf E. Sonneveld said...

Hi, Hany,

Excuse me if I read your last paragraph wrong, but it seems you're mixing up Sender ID for outbound and for inbound traffic.

1. The -all and ~all are defined by the owner of a domain, so for outbound mail you can advise the receiver of a message which carries your domain name what to do: reject or accept.

2. The Exchange Sender ID status and actions are used for inbound mail. The sender of the domain in the sender address advises you what to do, and Exchange enables you to convert this advice into an action of your choice.

In the situation that a spammer is abusing your domain AND that mail is sent by the spammer to your Exchange server/domain, the two items come together and you can use the Exchange setting in combination with your Sender ID policy to accept or deny that particular type of spam.


R dot E dot Sonneveld at sonnection dot nl

Hany Donia said...

Hi Rolf,

I would like to thank you for your visit and valuable comment. Actually we are both right, as you are talking about spoofing other domains and I'm talking about spoofing your own domain, where your Sender ID will check your own DNS settings and not others.

The test I made was to create a distribution list on another domain that contains a recipient from my domain; when sending to that DL, the mail reaches my domain as if it were a spoofed email, as it is generated from IPs other than those in my SPF record.

Thanks again, and Happy New Year.

Warm Regards ...
Hany Samir Donia