Exchange 2003/2007: how to apply Sender-ID check to HELO/EHLO


Pete

Hello.

I am looking for ways to use more thoroughly the SPF/Sender-ID checking functionality in Exchange (tips for Exchange 2003 and also 2007 are welcome).

In the Linux world, using the "policyd-spf-perl" perl library and scripts, I know the SPF checks are applied to the MAIL-FROM and the HELO/EHLO string.

However, in my tests I've only been able to get the Exchange 2003 and 2007 Sender-ID checks to operate on the MIME-FROM address. That is fine and dandy, but I would like to also apply these checks to at least the HELO/EHLO string. I do understand that the difference between SPF and Sender-ID is that the former operates on MAIL-FROM and the latter does on MIME-FROM (a.k.a. "PRA" in Microsoft lingo), but why can't I use the Exchange Sender-ID check functionality to check the HELO/EHLO string? Is it perhaps configurable with some registry key? Am I missing something here?

I know some spammers are connecting to my Exchange server and they are sending an EHLO string with my domain name. I would like to stop these connection attempts right there with a SPF/Sender-ID check, but I cannot find how to do it in Exchange.

Thanks for reading.

-Pete.
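The HELO/EHLO check Pete describes, done the way policyd-spf-perl does it, as an added example that is not from the thread or from either product: a reduced SPF evaluator run against the HELO name and the connecting client's IP. DNS is replaced by a constructed in-memory zone, and all hostnames and addresses in it are made up.

```python
import ipaddress
# Constructed in-memory zone standing in for DNS (hypothetical names and addresses).
ZONE = {
    "mail.example.com": {"TXT": ["v=spf1 a ip4:192.0.2.0/24 include:_spf.example.net -all"],
                         "A": ["203.0.113.10"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/28 -all"]},
    "nospf.example.org": {"A": ["203.0.113.99"]},   # publishes no SPF record at all
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return ZONE.get(name.lower(), {}).get(rrtype, [])

def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (SPF result 'none')."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def check_host(ip, domain, depth=0):
    """RFC 4408 check_host() reduced to the ip4, a, include and all mechanisms."""
    if depth > 10:
        return "permerror"                     # include chain too deep
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                      # A records of arg, or of the domain itself
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif mech == "include":                # recurse; only a 'pass' from the included domain matches
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                 # mechanism this reduced evaluator does not implement
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                           # nothing matched and no 'all' term

def helo_check(client_ip, helo_name):
    """The check policyd-spf-perl applies at HELO/EHLO: the HELO name's SPF vs the client IP."""
    return check_host(client_ip, helo_name)
```

A connection that announces a domain in EHLO from an address outside that domain's published record evaluates to "fail" before a single header has been sent, which is why this identity is out of reach for a header-based PRA check.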
 

Alexander Zammit [MVP]

As far as I know:

1. There is no way to customize the Exchange implementation of Sender ID.

2. MS determines the PRA as specified here: http://www.ietf.org/rfc/rfc4407.txt

So it is not correct to say that PRA=MIME From header.

Alexander Zammit
WinDeveloper Software
IMF Tune - Enable the Exchange 2003 IMF/Exchange 2007 Content Filter to unleash its full power.
http://www.windeveloper.com/imftune/

"Pete" <usenet@naleco.com> wrote in message
news:2bcea3fa-3a66-4867-a527-6f77dffdc96a@k1g2000yqf.googlegroups.com...
> Hello.

> I am looking for ways to use more thoroughly the SPF/Sender-ID
> checking functionality in Exchange (tips for Exchange 2003 and also
> 2007 are welcome).

> In the Linux world, using the "policyd-spf-perl" perl library and
> scripts, I know the SPF checks are applied to the MAIL-FROM and the
> HELO/EHLO string.

> However, in my tests I've only been able to get the Exchange 2003 and
> 2007 Sender-ID checks to operate on the MIME-FROM address. That is
> fine and dandy, but I would like to also apply these checks to at
> least the HELO/EHLO string. I do understand that the difference
> between SPF and Sender-ID is that the former operates on MAIL-FROM and
> the later does on MIME-FROM (a.k.a. "PRA" in Microsoft lingo), but why
> can not I use the Exchange Sender-ID check functionality to check the
> HELO/EHLO string? Is it perhaps configurable with some registry key?
> Am I missing something here?

> I know some spammers are connecting to my Exchange server and they are
> sending an EHLO string with my domain name. I would like to stop these
> connection attempts right there with a SPF/Sender-ID check, but I
> cannot find how to do it in Exchange.

> Thanks for reading.

> -Pete.
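Alexander's point that the PRA is not simply the From header, as an added example that is not from the thread: the header selection algorithm of RFC 4407 section 2 in Python, run on constructed sample messages with hypothetical addresses.

```python
from email import message_from_string
from email.utils import getaddresses

def select_pra(raw_message):
    """Purported Responsible Address per RFC 4407 section 2; None means 'no PRA'."""
    msg = message_from_string(raw_message)
    # Non-empty headers in message order; the order matters for steps 1 and 2.
    headers = [(name.lower(), value) for name, value in msg.items() if value.strip()]

    def first(name):
        return next((i for i, (n, _) in enumerate(headers) if n == name), None)

    chosen = None
    rs = first("resent-sender")
    if rs is not None:                                    # step 1
        # Step 1 exception: a Resent-From earlier in the message with Received or
        # Return-Path headers between it and this Resent-Sender sends us to step 2.
        rf = max((i for i, (n, _) in enumerate(headers[:rs]) if n == "resent-from"),
                 default=None)
        relayed_between = rf is not None and any(
            n in ("received", "return-path") for n, _ in headers[rf + 1:rs])
        if not relayed_between:
            chosen = headers[rs][1]
    if chosen is None:
        rf = first("resent-from")
        if rf is not None:                                # step 2
            chosen = headers[rf][1]
    if chosen is None:
        for name in ("sender", "from"):                   # steps 3 and 4
            values = [v for n, v in headers if n == name]
            if len(values) > 1:
                return None                               # several copies: no PRA
            if values:
                chosen = values[0]
                break
    if chosen is None:
        return None                                       # no candidate header at all
    # Step 5: the chosen header must carry exactly one mailbox.
    mailboxes = [addr for _, addr in getaddresses([chosen]) if addr]
    return mailboxes[0] if len(mailboxes) == 1 else None

# Constructed sample messages (hypothetical addresses).
PLAIN = "From: Alice <alice@example.com>\nTo: bob@example.org\n\nbody\n"
LIST_POST = "From: Alice <alice@example.com>\nSender: owner@lists.example.net\n\nbody\n"
```

For LIST_POST the PRA is the Sender mailbox, not the From one, so a Sender-ID lookup runs against lists.example.net even though the user sees alice@example.com.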
 

Pete

You are right.

In any case, SPF operates on the email envelope, while Sender-ID operates in email headers.

So I guess that because at the HELO/EHLO stage the email headers have not yet been presented to the receiving MTA, the Sender-ID implementation of Exchange cannot be made to validate the HELO/EHLO string with the Sender-ID mechanism.

Bummer!

On 23 Jul, 23:21, "Alexander Zammit [MVP]" <alex@respond_to_group> wrote:
> As far as I know:
> 1. There is no way to customize the Exchange implementation of Sender ID.
> 2. MS determines the PRA as specified here: http://www.ietf.org/rfc/rfc4407.txt
> So it is not correct to say that PRA=MIME From header
>
> Alexander Zammit
> WinDeveloper Software
> IMF Tune - Enable the Exchange 2003 IMF/Exchange 2007 Content Filter to
> unleash its full power.
> http://www.windeveloper.com/imftune/

> "Pete" <use...@naleco.com> wrote in message

> news:2bcea3fa-3a66-4867-a527-6f77dffdc96a@k1g2000yqf.googlegroups.com...
>
> > Hello.

>
> > I am looking for ways to use more thoroughly the SPF/Sender-ID
> > checking functionality in Exchange (tips for Exchange 2003 and also
> > 2007 are welcome).

>
> > In the Linux world, using the "policyd-spf-perl" perl library and
> > scripts, I know the SPF checks are applied to the MAIL-FROM and the
> > HELO/EHLO string.

>
> > However, in my tests I've only been able to get the Exchange 2003 and
> > 2007 Sender-ID checks to operate on the MIME-FROM address. That is
> > fine and dandy, but I would like to also apply these checks to at
> > least the HELO/EHLO string. I do understand that the difference
> > between SPF and Sender-ID is that the former operates on MAIL-FROM and
> > the later does on MIME-FROM (a.k.a. "PRA" in Microsoft lingo), but why
> > can not I use the Exchange Sender-ID check functionality to check the
> > HELO/EHLO string? Is it perhaps configurable with some registry key?
> > Am I missing something here?

>
> > I know some spammers are connecting to my Exchange server and they are
> > sending an EHLO string with my domain name. I would like to stop these
> > connection attempts right there with a SPF/Sender-ID check, but I
> > cannot find how to do it in Exchange.

>
> > Thanks for reading.

>
> > -Pete.
 

Rich Matheisen [MVP]

On Fri, 24 Jul 2009 02:24:26 -0700 (PDT), Pete <usenet@naleco.com> wrote:


> You are right.

> In any case, SPF operates on the email envelope, while Sender-ID
> operates in email headers.

> So I guess that because at the HELO/EHLO stage the email headers have
> not yet been presented to the receiving MTA, the Sender-ID
> implementation of Exchange cannot be made to validate the HELO/EHLO
> string with the Sender-ID mechanism.


IIRC, the E2K7 Edge server does some checking on the data presented in the HELO\EHLO command.

-
Rich Matheisen

 

Pepe

Rich Matheisen [MVP] wrote:
> On Fri, 24 Jul 2009 02:24:26 -0700 (PDT), Pete <usenet@naleco.com>
> wrote:
>
> >In any case, SPF operates on the email envelope, while Sender-ID
> >operates in email headers.
>
> >So I guess that because at the HELO/EHLO stage the email headers have
> >not yet been presented to the receiving MTA, the Sender-ID
> >implementation of Exchange cannot be made to validate the HELO/EHLO
> >string with the Sender-ID mechanism.


> IIRC, the E2K7 Edge server does some checking on the data presented in
> the HELO\EHLO command.


That's interesting.

Do you know if that HELO/EHLO checking in Ex2k7 Edge is in any way configurable? Or what does it check, and whether it is on by default?
 

Rich Matheisen [MVP]

On Mon, 27 Jul 2009 21:11:56 +0200, Pepe <pepe@naleco.com> wrote:


> Rich Matheisen [MVP] wrote:
> > On Fri, 24 Jul 2009 02:24:26 -0700 (PDT), Pete <usenet@naleco.com>
> > wrote:
> >
> > >In any case, SPF operates on the email envelope, while Sender-ID
> > >operates in email headers.
> >
> > >So I guess that because at the HELO/EHLO stage the email headers have
> > >not yet been presented to the receiving MTA, the Sender-ID
> > >implementation of Exchange cannot be made to validate the HELO/EHLO
> > >string with the Sender-ID mechanism.
>
> > IIRC, the E2K7 Edge server does some checking on the data presented in
> > the HELO\EHLO command.
>
> That's interesting.
>
> Do you know if that HELO/EHLO checking in Ex2k7 Edge is in any way
> configurable? Or what does it check, and whether it is on by default?


It's not configurable but, if you're not averse to dropping a couple hundred bucks, check out http://www.vamsoft.com.

Put ORF in front of the Exchange stuff (in terms of agent priority, not necessarily on another server) and you can set up your own set of criteria for HELO\EHLO, DNSBL, etc. As an added benefit you also get SURBL scanning and a pretty decent set of reports.

-
Rich Matheisen

 

Alexander Zammit [MVP]

Of course Exchange also provides RBL support @ connection filtering out-of-the-box.

Alexander Zammit
WinDeveloper Software
IMF Tune - Enable the Exchange 2003 IMF/Exchange 2007 Content Filter to unleash its full power.
http://www.windeveloper.com/imftune/

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:elhs651s4e5j5hkvlag08a8kjpptjio7gu@4ax.com...
> On Mon, 27 Jul 2009 21:11:56 +0200, Pepe <pepe@naleco.com> wrote:
>
> >Rich Matheisen [MVP] wrote:
> >> On Fri, 24 Jul 2009 02:24:26 -0700 (PDT), Pete <usenet@naleco.com>
> >> wrote:
> >>
> >>>In any case, SPF operates on the email envelope, while Sender-ID
> >>>operates in email headers.
> >>
> >>>So I guess that because at the HELO/EHLO stage the email headers have
> >>>not yet been presented to the receiving MTA, the Sender-ID
> >>>implementation of Exchange cannot be made to validate the HELO/EHLO
> >>>string with the Sender-ID mechanism.
> >
> >> IIRC, the E2K7 Edge server does some checking on the data presented in
> >> the HELO\EHLO command.
>
> >That's interesting.
>
> >Do you know if that HELO/EHLO checking in Ex2k7 Edge is in any way
> >configurable? Or what does it check, and whether it is on by default?
>
> It's not configurable but, if you're not averse to dropping a couple
> hundred bucks, check out http://www.vamsoft.com.
>
> Put ORF in front of the Exchange stuff (in terms of agent priority,
> not necessarily on another server) and you can set up your own set of
> criteria for HELO\EHLO, DNSBL, etc. As an added benefit you also get
> SURBL scanning and a pretty decent set of reports.
> -
> Rich Matheisen
 

Rich Matheisen [MVP]

On Sat, 15 Aug 2009 13:30:38 +0200, "Alexander Zammit [MVP]" <alex@respond_to_group> wrote:


> Of course Exchange also provides RBL support @ connection filtering
> out-of-the-box


Neither of which pwemi you to accept or deny email based on the data portion of the HELO or EHLO commands.

-
Rich Matheisen

 

Ed Crowley [MVP]

pwemi?

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."


"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:umud851ndsf6e5j8t3rnd3oicqq54obaio@4ax.com...
> On Sat, 15 Aug 2009 13:30:38 +0200, "Alexander Zammit [MVP]"
> <alex@respond_to_group> wrote:
>
> >Of course Exchange also provides RBL support @ connection filtering
> >out-of-the-box
>
> Neither of which pwemi you to accept or deny email based on the data
> portion of the HELO or EHLO commands.
> -
> Rich Matheisen
 

Rich Matheisen [MVP]

On Sat, 15 Aug 2009 13:39:12 -0700, "Ed Crowley [MVP]" <curspice@nospam.net> wrote:


> pwemi?


I have no idea what that is! Looks like a short-circuit between my brain and fingers, doesn't it? "Allows" is what I /think/ I meant to type, or maybe "permits".

-
Rich Matheisen
