XFOR: Verification of FROM Address in SMTP Messages

• Microsoft Exchange Server versions 4.0, 5.0, and 5.5

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.

SYMPTOMS

Messages have an address in the FROM line that is not authentic.

CAUSE

The Internet is not a secure network. RFC 822, which defines the Simple Mail Transport Protocol (SMTP), does not include verification of the authenticity of the FROM address in a mail message. This means that unscrupulous Internet users can create messages and impersonate or "spoof" the FROM address.

This is done by using Telnet to connect to the mail host on port 25 and typing RC-821 SMTP commands to simulate the arrival of a new message. When these messages are received by the Microsoft Exchange Server Internet Mail Service (or Internet Mail Connector, in version 4.0), the address is compared to the Microsoft Exchange Directory. If the address matches a directory entry, it is replaced in the message header. This means that the spoofed messages look identical to internally sent Exchange Server messages.

WORKAROUND

To work around this problem:

• On the File menu, click Properties. If a Headers tab is present, the message was not sent by another Microsoft Exchange Server user in your organization.

STATUS

Microsoft has confirmed this to be a problem in Microsoft Exchange Server versions 4.0 , 5.0 and 5.5. This problem was corrected in the latest Microsoft Exchange Service Packs. For information on obtaining the Service Packs, query on the following word in the Microsoft Knowledge Base (without the spaces):

   S E R V P A C K

MORE INFORMATION

To enable either version of Microsoft Exchange Server to check the From line, the Exchange Server administrator will need to follow these steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

1. On the Microsoft Exchange Server computer, start Regedt32.exe.

2. Add two values to the IMC registry key under:

         HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/
                            MSExchangeIMC/Parameters
   
   

3. On the Edit/Add value menu, add the following:

         Value Name: TurfDir
         Data Type: REG_SZ
   

         C:\EXCHSRVR\IMCDATA\TURFDIR
   

   This is the directory where matched messages will be stored.

4. On the Edit menu, use Add value to add the following:

         Value Name: TurfTable
         Data Type: REG_MULTI_SZ
   

         user1@site.domain
         user2@site.domain
   

   The Turf Table contains a list of e-mail addresses used to verify the from address on incoming Internet mail. They should be entered one per line with no extra spaces or delimiters. They are case insensitive. If a match is found, the message will be saved to the directory specified in the TURFDIR value. In Exchange 5.5 you can add the domain values instead of adding single user names. For example, @site.domain.

5. Restart the Internet Mail Connector or Internet Mail Service.