Microsoft Exchange EDGE Forefront – SPF/SenderID and blocking non-existing domains

Mission : I want to simply block emails from non-existing domains

Mission Example : Please block emails coming from ILoveMessi@BarcelonaWillWinClassico.com because this domain does not exist. (In Exchange, a sender domain that does not exist in DNS gives a Sender ID result of Fail, so the "spoofed domain" action is what handles this case. Keep in mind that the same action also fires for every other Sender ID Fail, for example mail from an IP that the domain's SPF record does not permit.)

Tools : Microsoft EDGE / Forefront for Exchange 2010

Solution

Go to your Edge server, open the Exchange Management Shell and run:

Set-SenderIdConfig -SpoofedDomainAction Reject

Do this on every Edge server: Sender ID settings are stored locally on each Edge Transport server and are not replicated between Edge servers (unless you clone the configuration with ExportEdgeConfig.ps1 / ImportEdgeConfig.ps1).

If you have Forefront installed on the same box as the Edge server, then open the Anti-Spam configuration, go to the Sender ID section, enable Sender ID filtering and choose Reject as the action.
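The same change done as a repeatable script, with the checks a practitioner would want around it (is the agent enabled, did the setting actually apply, how to exempt a partner with a broken SPF record instead of weakening the global action). This is an added example, not code from the original post; it assumes the Exchange 2010 cmdlet and agent names, and the partner domain list is a placeholder you fill in yourself.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell on EACH Edge Transport server: Sender ID settings live locally on the Edge.
# Assumptions: the agent name 'Sender ID Agent' and the Set-SenderIdConfig
# parameters are the Exchange 2010 ones; $trustedButBrokenSpf is a placeholder list.

$trustedButBrokenSpf = @()   # e.g. 'partner.example' if a partner's SPF is wrong and their mail must still arrive

# 1. Record the state before the change (for rollback and the change ticket)
$before = Get-SenderIdConfig
$before | Format-List Enabled, ExternalMailEnabled, SpoofedDomainAction, TempErrorAction, BypassedSenderDomains

# 2. The agent must be enabled, otherwise the configuration change does nothing
$agent = Get-TransportAgent -Identity 'Sender ID Agent'
$agentWasEnabled = $agent.Enabled
if (-not $agentWasEnabled) {
    Enable-TransportAgent -Identity 'Sender ID Agent'
}

# 3. Turn the check on for Internet mail and reject at SMTP time on Sender ID "Fail".
#    "Fail" covers an IP the domain's SPF record does not permit, a malformed domain,
#    and the non-existent domain case this post is about. Reject answers the sender
#    with a 5xx; Delete silently drops the message, which hides problems from
#    legitimate senders, so Reject is the safer choice for troubleshooting.
Set-SenderIdConfig -Enabled $true -ExternalMailEnabled $true -SpoofedDomainAction Reject

# 4. Exempt partner domains whose SPF is broken rather than weakening the global action
if ($trustedButBrokenSpf.Count -gt 0) {
    Set-SenderIdConfig -BypassedSenderDomains @{Add = $trustedButBrokenSpf}
}

# 5. Verify, and fail loudly so a partial run cannot be mistaken for success
$after = Get-SenderIdConfig
if (-not $after.Enabled -or $after.SpoofedDomainAction -ne 'Reject') {
    throw "Sender ID hardening did not apply on $env:COMPUTERNAME"
}
"$env:COMPUTERNAME : SpoofedDomainAction=$($after.SpoofedDomainAction), TempErrorAction=$($after.TempErrorAction)"

# 6. Enabling a transport agent only takes effect after the transport service restarts
if (-not $agentWasEnabled) {
    Restart-Service MSExchangeTransport
}
```

Run it once per Edge server. Step 4 is the part most admins skip: once the action is Reject, a partner whose SPF record is wrong will be bounced, and the bypass list is the supported way to carve out that one domain.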

Theory (if interested)

I will assume you have little or no idea about SPF and Sender ID, so if you already know about them, please skip this section.

Simply speaking, when an email is sent from an external party to your Edge/Forefront server, the Edge will first do connection filtering, IP reputation checks, etc., and then perform the Sender ID check. The SPF check is part of the Sender ID check: Sender ID works out which domain is responsible for the message (the purported responsible address, PRA, taken from the message headers) and then evaluates that domain's SPF record against the IP address that delivered the message.

[Screenshot: Edge Transport anti-spam agent order, with Sender ID after connection filtering]

SPF, in simple words, is a record (a TXT record starting with v=spf1) that you put in your public DNS to tell the whole world the following: (I AM CONTOSO COMPANY, MY PUBLIC IP(s) THAT EMAILS ARE SENT FROM ARE THOSE, IF YOU RECEIVE EMAILS FROM MY DOMAIN AND NOT ORIGINATING FROM THOSE IPS, THEN DO THE FOLLOWING PLEASE...). The "do the following" part is the final qualifier of the record: -all asks receivers to fail such mail, ~all asks only for a soft fail. For example, contoso.com could publish: v=spf1 ip4:51.51.51.0/24 -all

This is what will happen when someone sends email to Fabrikam corporate from @contoso.com:

  1. A sender sends an email from his machine with the sender address sender@contoso.com and the email goes to the Fabrikam corporate Edge servers. The email appears to come from the public IP 51.51.51.51.
  2. The Fabrikam Edge will perform a couple of tests including the Sender ID tests. One of the Sender ID tests is the SPF test, so the Fabrikam Edge servers will query Contoso's public DNS for the contoso.com SPF record (it is like: HEY Contoso DNS, I received email from your SMTP domain originating from 51.51.51.51, what is your reply?).
  3. The Edge evaluates the SPF record it gets back against 51.51.51.51 and ends up with one of the following results: Pass (the IP is listed), Fail (the IP is not permitted, or the domain does not exist), SoftFail (the IP is not permitted but the record ends in ~all), Neutral (the record ends in ?all), None (the domain has no SPF record), TempError (the DNS lookup failed temporarily) or PermError (the SPF record is malformed).
  4. According to the SPF result, the Edge will consult its configuration to see how to act. For example, if the SPF result is Fail, the Edge administrator can configure a reject action. Or, instead of rejecting, the Edge can stamp the message header with the SPF check result so that the downstream junk filter (the Content Filter agent, and Outlook's junk filter after delivery) can decide what to do with it.

 

You can check the Sender ID configuration from the Exchange Management Shell on the Edge server by running Get-SenderIdConfig. By default, SpoofedDomainAction is StampStatus rather than Reject, so a message that fails the check is only marked in its headers and then delivered.

[Screenshot: Get-SenderIdConfig output with the default SpoofedDomainAction]

 

If you have Forefront installed on your Edge, then you can open the Anti-Spam configuration and you will find a Sender ID section. By default, the setting is Stamp header and continue processing. This setting maps directly to the SpoofedDomainAction setting in the Get-SenderIdConfig output (Forefront labels it Spoofed Email Action). Both settings control what action is taken when the SPF result is Fail.

[Screenshot: Forefront Anti-Spam Sender ID settings]

Important note: SPF returns many result types (Pass, Fail, SoftFail, Neutral, None, TempError, PermError), but Edge/Forefront only lets us choose a reject/delete action for the Fail result (SpoofedDomainAction) and, separately, for TempError (TempErrorAction, which also defaults to StampStatus).

For all other SPF results, the action is stamp in header (the X-MS-Exchange-Organization-SenderIdResult header) and continue processing. The figure below shows how stamping looks when, for example, spoofing a hotmail.com sender from a non-Hotmail IP. As you can see, the hotmail.com SPF check result is SoftFail and Edge/Forefront will only stamp the message and deliver it. As far as I know, this behavior cannot be changed.

[Screenshot: message header stamped with SenderIdResult SoftFail for a spoofed hotmail.com sender]

 

Hint

The Exchange Management Shell on Edge servers gives us an easy way to simulate Sender ID/SPF checks without sending real mail: the Test-SenderId cmdlet, which takes a sending IP address and the purported responsible domain and returns the Sender ID status the agent would compute. The screenshots below show simulations with different SPF results:

[Screenshot: Test-SenderId simulation returning Pass]

[Screenshot: Test-SenderId simulation returning PermError]

[Screenshot: Test-SenderId simulation returning SoftFail]

[Screenshot: Test-SenderId simulation returning Fail]
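The simulations above, driven from a table and joined with the current configuration so that each result is shown next to the action the Edge would actually take on it. This is an added example, not the post's own screenshots or code; it assumes Test-SenderId exposes Status and FailReason properties as in Exchange 2010, the IP/domain pairs are constructed (51.51.51.51 and contoso.com come from the walkthrough above, 192.0.2.10 is from the TEST-NET-1 documentation range), and the results depend on live DNS at the time you run it.

```powershell
# Added example, not from the original post: table-driven Sender ID simulation.
# Assumptions: Test-SenderId output exposes Status and FailReason (Exchange 2010);
# the IP/domain pairs below are constructed test data; results depend on live DNS.

$cfg = Get-SenderIdConfig

# Map a Sender ID status to the action the Edge takes, given the current configuration.
# Only Fail and TempError have their own configurable action; everything else is stamped.
function Get-EdgeActionForStatus([string]$Status) {
    switch ($Status) {
        'Fail'      { return [string]$cfg.SpoofedDomainAction }          # Reject / Delete / StampStatus
        'TempError' { return [string]$cfg.TempErrorAction }              # Reject / Delete / StampStatus
        default     { return 'StampStatus (header only, delivered)' }    # Pass, Neutral, SoftFail, None, PermError
    }
}

# Constructed cases: a walkthrough value, the Mission's non-existent domain,
# and a domain whose SPF record ends in ~all (only SoftFail, so only stamped)
$cases = @(
    @{ Ip = '51.51.51.51'; Domain = 'contoso.com' }
    @{ Ip = '192.0.2.10';  Domain = 'BarcelonaWillWinClassico.com' }
    @{ Ip = '192.0.2.10';  Domain = 'hotmail.com' }
)

$cases | ForEach-Object {
    $r = Test-SenderId -IPAddress $_.Ip -PurportedResponsibleDomain $_.Domain
    [pscustomobject]@{
        IP         = $_.Ip
        Domain     = $_.Domain
        Status     = $r.Status
        FailReason = $r.FailReason
        EdgeAction = Get-EdgeActionForStatus $r.Status
    }
} | Format-Table -AutoSize
```

Run this before and after changing SpoofedDomainAction: the Status column should not move, only the EdgeAction column for the Fail rows should change from StampStatus to Reject. Because the non-existent domain shows up as Fail, the same row also confirms that the Mission at the top of the post is covered by that single setting.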

 
