Ramblings from another nerd on the grid
You may have started to hear rumblings about the Sender ID Framework (SIDF). SIDF takes another step towards curtailing spam and phishing. If your Inbox is anything like mine, it regularly receives a considerable amount of unwanted and offensive email. So how in the world do you block this stuff? Hopefully you are already using the Intelligent Message Filter (IMF), real-time block lists (RBLs) and client-side filtering. Let's take a look at the emerging technologies in the Sender ID Framework and the enhancements to Exchange Server 2003.
The first thing you’ll want to do is download the Exchange Server 2003 SP2 Customer Technology Preview (CTP). This preview is for testing purposes and should not be used in production. You might consider Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005 as your VM testing tools. Undo is your friend… We’ll get to installing and looking at the Exchange stuff later in this post.
Domain Name Service (DNS) and the Sender Policy Framework (SPF)
The first thing you need to realize is that DNS is a core component of the framework. You'll need to publish some policy records in DNS to implement the authorisation aspect of the policy. The record(s) are called Sender Policy Framework (SPF) records. Since you are authoritative for your DNS zone, receiving email systems are going to query the authoritative name servers for your zone and check for those policy records. We'll get to the email systems in a few minutes, so hang on.
Sender ID works in a three-step process.
Fortunately, there are several tools on the internet that will help you create and format the SPF records and implement them on your DNS server, or request that they be implemented on your ISP’s DNS servers. Microsoft has a wizard at http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx. You’ll also find another tool at http://spf.pobox.com/.
Let's take a look at an example for our favorite demo domain, contoso.com. In the Microsoft tool, we said that “Domain's inbound servers may send mail”, “All addresses listed in A records may send mail”, “All PTR records resolve to outbound email servers”, “No; this domain sends mail only from the IP addresses identified above.” and “Both” for the scope of the identities to validate.
This is what was generated:
v=spf1 a mx ptr -all
Ok, does everyone have their decoder ring handy? As usual, we have something that's easy for computers to deal with but difficult for us mere mortals. Picking the string apart: v=spf1 identifies the record version; a allows the IP address in the domain's A record; mx allows the hosts listed in the domain's MX records; ptr allows any host whose reverse (PTR) name is in the domain and forward-resolves back to the connecting IP; and -all tells receivers to treat every other source as a hard fail. Mechanisms are tested left to right, and the first one that matches decides the result. No fear, we can download and review the draft documentation for the full story. In the docs, you'll learn about mechanisms, modifiers and redirection. For those of you that host several domains from a single server or have other complex DNS, web and email requirements, review the specifications carefully. Our wizard handles many cases but you'll likely need to make some manual changes.
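To see how a receiver actually applies that string, here is a small evaluator for v=spf1 records. This is an added example, not code from the original post or from Microsoft's Sender ID tools. DNS answers come from a constructed in-memory table for contoso.com (an assumption; these are not contoso.com's real records), so it runs offline and lets you watch each mechanism match or miss, including a PTR name that fails forward confirmation.

```python
"""Evaluator for the v=spf1 record the wizard generated (added example)."""
import ipaddress

# Constructed DNS data for the demo domain (assumption, not real records).
DNS = {
    "TXT": {"contoso.com": ["v=spf1 a mx ptr -all"]},
    "A": {
        "contoso.com": ["192.0.2.10"],           # matched by "a"
        "mail1.contoso.com": ["192.0.2.25"],     # matched by "mx"
        "mail2.contoso.com": ["192.0.2.26"],
        "relay.contoso.com": ["198.51.100.5"],   # matched by "ptr" (forward-confirmed)
    },
    "MX": {"contoso.com": ["mail1.contoso.com", "mail2.contoso.com"]},
    "PTR": {
        "198.51.100.5": ["relay.contoso.com"],
        "203.0.113.7": ["spoof.contoso.com"],    # claims the domain but has no A record
    },
}

# The qualifier in front of a mechanism decides the result when it matches.
RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def lookup(rtype, name):
    return DNS.get(rtype, {}).get(name.lower(), [])


def ptr_matches(ip, domain):
    """ptr: reverse-map the IP, then keep only names that are in the domain
    AND forward-resolve back to the same IP. Two lookups per name, which is
    why the SPF RFCs discourage this mechanism."""
    for name in lookup("PTR", ip):
        lname, ldomain = name.lower(), domain.lower()
        in_domain = lname == ldomain or lname.endswith("." + ldomain)
        if in_domain and ip in lookup("A", name):
            return True
    return False


def check_host(ip, domain, depth=0):
    """Evaluate the domain's SPF record for a connecting IP.
    Mechanisms are tested left to right; the first match decides."""
    if depth > 10:
        return "PermError"  # guards against include/redirect loops
    records = [t for t in lookup("TXT", domain) if t.lower().split()[0] == "v=spf1"]
    if not records:
        return "None"
    if len(records) > 1:
        return "PermError"  # a domain may publish only one SPF record
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:  # modifier, e.g. redirect=other.example
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, target = mech.lower(), (arg or domain)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup("A", target)
        elif mech == "mx":
            matched = any(ip in lookup("A", mx) for mx in lookup("MX", target))
        elif mech == "ptr":
            matched = ptr_matches(ip, target)
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "Pass"
        else:
            return "PermError"  # unknown mechanism
        if matched:
            return RESULT[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "Neutral"  # ran off the end without matching (no "all")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.26", "198.51.100.5", "203.0.113.7", "203.0.113.9"):
        print(ip, "->", check_host(ip, "contoso.com"))
```

Run it and you will see the first three addresses Pass via a, mx and ptr respectively, while 203.0.113.7 fails even though its PTR name is inside contoso.com (no forward A record confirms it) and 203.0.113.9 fails on -all. Swap -all for ~all in the table to see the SoftFail that most domains publish while they are still discovering all their legitimate senders.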
After we get this string, we need to add it to DNS. Easy! In Windows Server 2003, fire up the DNS management console and go to the forward lookup zone for the domain you want to add the record to. Right click the domain name and select the “Other New Records” context menu item. You’ll see the following dialog box and you’ll need to scroll down to the Text (TXT) record type (see screen shot).
Click the Create Record button and you’ll be presented with the following dialog box.
As you can see, all you need to do is paste the contents of the string into the Text: block area and click OK to save. If you go back and look at the properties for this record, it will look like the following screen shot.
Now that we have DNS implemented, you’ll probably want to test things. Port25 Solutions has created an automated testing tool to verify your Sender ID implementation. To use the tool, send an e-mail message to firstname.lastname@example.org. In return, you receive a reply containing an analysis of the authentication status of the message you sent.
Wait a second, we haven’t done anything with Exchange Server 2003 SP2!!!
Microsoft Exchange Server 2003 SP2 CTP Sender ID Feature
Like I mentioned before, download the Exchange SP2 CTP. Run E3SP2ENG.EXE and unpack the contents. Review the release notes, please. As usual, you’ll find update.exe sitting in the setup\i386 area. Update your test Exchange server.
After installation is complete, go to your organization's Global Settings | Message Delivery properties (as shown in the following screen shot).
You are probably already familiar with some of the tab pages for Connection, Recipient and Intelligent Message Filtering. As with those filters, the settings are configured globally but only take effect once you apply them to one or more of your protocol virtual servers.
Click the Sender ID Filtering tab. As you can see, we have some pretty interesting choices. Although Delete is selected in the screen shot, I’m leaning towards the Reject option for my domains. This prevents email that doesn’t pass the Sender ID test from ever being sent to my server. I like the idea of preventing all those .zip, .scr, .cmd and other attachments from ever touching my hard drives.
Each of the Sender ID validation actions has value. You might decide to accept the connection and receive the email, then process it later (strip attachments, re-route, etc.).
Or you may decide to accept the connection, receive the message but immediately delete it, but never tell the sender what you did with the message. No NDR in this case seems like an invitation to continue sending email to me.
Or you may just reject the message. This will certainly stick it in the face of the sender.
Pick the option that makes the most sense for your organisation and click OK to save the change.
Now that we have the global setting implemented, we need to go apply the filtering to the appropriate protocol server. For small and medium organisations, this will most likely be the Default SMTP Virtual Server. In larger organisations that have multiple SMTP virtual servers, you’ll want to apply the filtering on the virtual servers handling inbound connections.
Go to the Servers | <server name> | Protocols | SMTP container and expand it. Right-click “Default SMTP Virtual Server” and select the Properties menu item. Click the Advanced button next to the IP Address: field. Highlight the appropriate IP address and click the Edit button. You should see the following dialog box:
As you can see, I am using all IP addresses for my puny VM instance and have applied Recipient filters, IMF Filters and Sender ID filters.
Now that we have this implemented on our SMTP server, it will advertise and use the SMTP service extension called “Responsible Submitter” (SUBMITTER).
Sending SMTP servers that support the extension (Exchange in this case) stamp outgoing messages with the “purported responsible address” (PRA), the mailbox that most recently injected the message into the mail stream, and pass it as a SUBMITTER parameter on the SMTP MAIL FROM command rather than in a message header. If a receiving SMTP server (like our SP2 CTP server) recognises the parameter, it does those fun little DNS lookups and validates the responsible address's domain against the SPF records. If the sender does not supply SUBMITTER, the receiver derives the PRA itself from the message headers (Resent-Sender, Resent-From, Sender and From, in that order), which it can only do once the message data has been received.
If the Sender ID check does not pass, Exchange handles the SMTP session in the manner you specified in the Global Settings above.
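The following shows both halves of that exchange: the MAIL FROM line carrying SUBMITTER, and the PRA selection a receiver falls back to when the parameter is absent. It is an added example, not code from the original post or from Exchange; the message bodies and SMTP lines are constructed samples, and the PRA selection is a simplified reading of the RFC 4407 header order (multiple Sender or From headers are treated as “no PRA”, and the Resent- blocks are not fully validated).

```python
"""PRA selection and the SUBMITTER MAIL parameter (added example)."""
import email
from email.utils import parseaddr

# RFC 4407 order: the most recent resender is responsible, not the original author.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(raw_message):
    """Pick the PRA mailbox from the headers, or None if it cannot be determined."""
    msg = email.message_from_bytes(raw_message)
    for header in PRA_HEADERS:
        values = msg.get_all(header)
        if not values:
            continue
        if header in ("Sender", "From") and len(values) > 1:
            return None  # simplification: ambiguous, so no PRA
        _, addr = parseaddr(values[0])  # topmost instance wins
        return addr.lower() if addr and "@" in addr else None
    return None


def parse_mail_from(line):
    """Split 'MAIL FROM:<reverse-path> [SUBMITTER=mailbox] [other params]'
    into (reverse_path, submitter_or_None)."""
    prefix = "MAIL FROM:"
    if not line.upper().startswith(prefix):
        raise ValueError("not a MAIL FROM command")
    rest = line[len(prefix):].strip()
    if not rest.startswith("<") or ">" not in rest:
        raise ValueError("reverse-path must be in angle brackets")
    close = rest.index(">")
    reverse_path = rest[1:close]
    submitter = None
    for param in rest[close + 1:].split():
        key, _, value = param.partition("=")
        if key.upper() == "SUBMITTER":
            submitter = value.lower()
    return reverse_path, submitter


def responsible_domain(mail_from_line, raw_message):
    """Domain whose SPF record the receiver must check, or None when the check
    cannot proceed (no PRA, or SUBMITTER contradicts the headers)."""
    _, submitter = parse_mail_from(mail_from_line)
    pra = select_pra(raw_message)
    if submitter and pra and submitter != pra:
        return None  # RFC 4405: SUBMITTER must equal the PRA; a mismatch is grounds for a 550
    address = submitter or pra
    return address.rpartition("@")[2] if address else None


# Constructed sample messages (not real traffic).
DIRECT = (b"From: Alice <alice@contoso.com>\r\n"
          b"To: bob@example.net\r\nSubject: hi\r\n\r\nbody\r\n")
RESENT = (b"Resent-From: lists@fabrikam.com\r\n"
          b"Resent-To: bob@example.net\r\n" + DIRECT)

if __name__ == "__main__":
    print(select_pra(DIRECT))   # the author
    print(select_pra(RESENT))   # the list that resent it is now responsible
    print(responsible_domain(
        "MAIL FROM:<bounces@contoso.com> SUBMITTER=alice@contoso.com SIZE=2048", DIRECT))
    print(responsible_domain(
        "MAIL FROM:<bounces@contoso.com> SUBMITTER=eve@attacker.example", DIRECT))
```

Note the two different identities on the wire: the reverse-path (bounces@contoso.com) is what classic SPF checks, while Sender ID checks the PRA (alice@contoso.com, or lists@fabrikam.com after a mailing list resends the message). The domain this returns is the one you would hand to an SPF evaluator such as check_host above, and a None result is what the Reject action turns into a 550 response.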
Have some fun with this!!! I’ll probably post some telnet sessions of this in action later.
For More Information
For more information on all of this, keep an eye on the Exchange Server 2003 website, our webcast area, and Harold Wong’s blog. Harold is kicking off a ten part webcast series in October on Exchange Server 2003 SP2 and beyond. It isn’t advertised yet, but it is definitely coming.
You’ll also want to bookmark http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx and some of the resources on that site.
I had lots of fun yesterday at my San Antonio SQL Server 2005 seminar. During the demos, while doing backups and other processing intensive tasks, I gave up some performance to run a few funny videos. You can see the videos at http://escapeyesterworld.com/. They are a riot.
Here’s a look at the desktop I used for the demos. This freaked a few people out. Can you tell what OS I’m running? If you need a closer look, click the pic and a larger image will get loaded.
Have you managed to stumble across the Windows OneCare product website? This is an interesting new product currently in beta. As you can see on the website, the product will have antivirus, firewall, PC maintenance, data backup and restore functionality.
Wow!!! Now that sounds totally cool to me. It wouldn't bother me a bit to get rid of my current antivirus product. I seem to have issues getting virus signature updates from the vendor's FTP server. Grrrrr.
How many of you are doing backups regularly? I’d guess the percentage of people that actually backup their computer is in the single digits. Ever done a restore? Sure you have…
I’m in the habit of backing up and creating images for all my machines pretty regularly. I take a snapshot of my wife’s machine weekly. I do my machines every two weeks.
Hard drive paranoia is a good thing for a Microsoft Evangelist. If one of my laptop hard drives has a catastrophic failure, my audience will get a nice little 10 minute break but we won’t have to cancel an event. I hit the road with duplicates of everything. Anyway, I digressed from the original topic.
Go to http://beta.windowsonecare.com/betaentry.aspx and see the instructions for Beta signup. Checkout the Getting Started area at http://beta.windowsonecare.com/members/getstarted.aspx. It has screenshots of what to expect.
How many of you need network access wherever you go? Do you really NEED it, or would it just be nice? As a Microsoft evangelist, information is a core component of my daily life. It’s bewildering how much news gets generated each day. The members of my team are asked questions frequently. Wouldn’t it be nice to get the answer NOW and not in a few days when we get home and can check our email after another week of travel?
Well, the time has come and I have begun changing the way I work. For instance, in today's seminar I was able to look up information before, during and after my show. No, I didn't just happen to have a WIFI hotspot nearby. No, the theatre didn't happen to have live connectivity for my room.
Instead, I had a spiffy new wireless card for my laptop that uses the Verizon Wireless EVDO network. This is not your ordinary wireless connection although we’ll all consider it ordinary in the next few years. You might recall I mentioned I was making the plunge. The EVDO network I’m using is capable of 1.5meg+ speeds. I’m actually averaging about 700–800k (download) on the connections I’m making. I’ve seen it burst up to 1.4meg. That’s actually pretty good. Think of this as taking your broadband connection on the road with you.
The possibilities are endless. Today I used the Microsoft World Wide Event (WWE) application to download, update and upload event registration data. The application runs on a Symbol PDA using Pocket PC 2003 and talks to a web service out on the internet. Since I don’t have a PCMCIA card slot for the Symbol unit, it was tethered to my laptop via a USB cable and using ActiveSync pass-through.
As wireless technologies move forward and cell systems are upgraded, high speed access will become common for PDAs, laptops and other devices. Pervasive high speed networking is going to change the business environment for sure. I couldn't wait any longer and I can already see it's going to be the next “killer app” for calendar year 2005 and beyond. I know, it isn't an app, but you catch my drift.
Tested the speed from your cell phone or PDA? Try testing your internet connection at http://testmy.net. No cheating. You are not allowed to post the results from a WIFI hotspot.
Here’s an EVDO test result from my hotel room in Austin, Texas.
:::.. Download Stats ..:::
Connection is:: 1025 Kbps about 1 Mbps (tested with 748 kB)
Download Speed is:: 125 kB/s
Tested From:: http://testmy.net/ (server1)
Test Time:: Tue Aug 16 23:06:31 CDT 2005
Bottom Line:: 18X faster than 56K, 1MB download in 8.19 sec
Diagnosis:: May need help: running at only 65.75 % of your host's average (myvzw.com)
Validation Link:: http://testmy.net/stats/id-RTFM03J7W
Release Date: August 16th, 2005
Products: Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2, Adobe Acrobat 5.0-5.0.5, 6.0-6.0.3, 7.0-7.0.2
Platform : Windows, Mac OS, Linux, Solaris
Vulnerability Identifier: CVE-2005-2470
Overview: Adobe has discovered a buffer overflow in Adobe Acrobat and Adobe Reader. This issue has been addressed and a product update is available to proactively mitigate potential malicious activity. Adobe always recommends that users keep their systems up to date, and install the latest update of these applications.
Effect: If the vulnerability were successfully exploited, the application could crash with an increased risk of arbitrary code execution.
Details: The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe Reader. A buffer overflow can cause the application to crash and increase the risk of malicious code execution.
Adobe Reader on Windows or Mac OS:
-- For versions 7.0-7.0.2, users should use the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and they can be manually activated by choosing Help > Check For Updates Now. Alternatively, the 7.0.3 update files can be manually downloaded and installed from www.adobe.com/support/downloads.
-- For versions prior to 7.0, Adobe strongly recommends upgrading to Adobe Reader 7.0.3, available from the following site along with the update procedure described above. www.adobe.com/products/acrobat/readstep2.html
The remainder of the advisory is located at http://www.adobe.com/support/techdocs/321644.html