Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2006-08-02
The Sender ID agent is an anti-spam agent that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed. The Sender ID agent relies on the RECEIVED Simple Mail Transfer Protocol (SMTP) header and a query to the sending system's domain name system (DNS) service to determine what action, if any, to take on an inbound message.
When you configure anti-spam agents on an Edge Transport server, the agents act on messages cumulatively to reduce the number of unsolicited e-mail messages that enter the organization. For more information about how to plan and deploy the anti-spam agents, see Anti-Spam and Antivirus Functionality.
Sender ID is intended to combat the impersonation of a sender and a domain, a practice that is frequently called spoofing. A spoofed mail is an e-mail message that has a sending address that was modified to appear as if it originates from a sender other than the actual sender of the message.
Spoofed mails typically contain a From: address that purports to be from a certain organization. In the past, it was relatively easy to spoof the From: address, in both the SMTP session, such as the MAIL FROM: header, and in the RFC 822 message data, such as From: "Masato Kawai" firstname.lastname@example.org, because the headers were not validated.
In Exchange Server 2007, Sender ID makes spoofing more difficult. When you enable Sender ID, each message contains a Sender ID status in the metadata of the message. When an e-mail message is received, the Edge Transport server queries the sender's DNS server to verify that the IP address from which the message was received is authorized to send messages for the domain that is specified in the message headers. The IP address of the authorized sending server is referred to as the purported responsible address (PRA).
Domain administrators publish sender policy framework (SPF) records on their DNS servers. SPF records identify authorized outbound e-mail servers. If an SPF record is configured on the sender's DNS server, the Edge Transport server parses the SPF record and determines whether the IP address from which the message was received is authorized to send e-mail on behalf of the domain that is specified in the message. For more information about what an SPF record contains and how to create an SPF record, see Sender ID.
The Edge Transport server updates the message metadata with the Sender ID status based on the SPF record. After the Edge Transport server updates the message metadata, the Edge Transport server delivers the message as it ordinarily would.
The Sender ID evaluation process generates a Sender ID status for the message. The Sender ID status is used to evaluate the SCL rating for the message. This status can be set to one of the following seven values:
Pass The IP address for the PRA is in the permitted set.
Neutral Published Sender ID data is explicitly inconclusive.
Soft fail The IP address for the PRA may be in the not permitted set.
Fail The IP address for the PRA is in the not permitted set.
None There is no published data in DNS.
TempError There is a transient error, such as an unavailable DNS server.
PermError There is an unrecoverable error, such as an error in the record format.
The Sender ID status is added to the message metadata and is later converted to a MAPI property. The Junk E-mail filter in Microsoft Office Outlook uses the MAPI property during the generation of the spam confidence level (SCL) value.
Outlook neither displays the Sender ID status nor necessarily flags a message as junk at certain Sender ID values. Outlook uses the Sender ID status value only during the calculation of the SCL value.
Besides the seven scenarios that generate the Sender ID statuses, the Sender ID evaluation process may reveal instances where the From: IP address is missing. If the From: IP address is missing, the Sender ID status cannot be set. If the Sender ID status cannot be set, Exchange Server continues to process the message without including a Sender ID status on the message. The message is not discarded or rejected. In this scenario, Sender ID status is not set, and an application event is logged.
For more information about how the Sender ID status is displayed in messages, see Anti-Spam Stamps.
You can also define how the Edge Transport server handles messages that are identified as spoofed mail and how the Edge Transport server handles messages when a DNS server cannot be reached. The options for how the Edge Transport server handles spoofed mail and unreachable DNS servers include the following actions:
Stamp the status This option is the default action. All inbound messages to your organization have the Sender ID status included in the metadata of the message.
Reject This option rejects the message and sends an SMTP error response to the sending server. The SMTP error response is a 5xx level protocol response with text that corresponds to the Sender ID status.
Delete This option deletes the message without informing the sending system of the deletion. In fact, the Edge Transport server sends a fake "OK" SMTP command to the sending server and then deletes the message. Because the sending server assumes the message was sent, it does not retry sending the message in the same session.
For more information about how to configure the Sender ID agent, see Configuring Sender ID.