A Late New Year’s Resolution: Do Not Resolve Anonymous Senders

by Bharat Suneja on January 19, 2007

It’s probably a little late to make another New Year’s resolution, but I’ll try to convince you to make one nevertheless.

By default, when an internal/authenticated user sends you a message, you see the user’s display name (for example Joe Adams) in Outlook/OWA and other email clients. Messages from unauthenticated senders, including those from Internet senders, show up with their SMTP address – e.g. jadams@somedomain.com. Exchange/Outlook users have been used to seeing this.

You can change SMTP settings to resolve anonymous senders. On Exchange Server 2003:

  1. Use the Exchange System Manager to navigate to the Exchange server > SMTP Virtual Server > Properties
  2. On the Access tab, click Authentication
  3. On the Authentication page, select Resolve anonymous e-mail (although a more appropriate UI string would be “Resolve anonymous senders”)


Figure 1: Resolving anonymous senders in Exchange 2003

On Exchange 2000, you’ll need to create the ResolveP2 registry value:

  • Path: HKLM/SYSTEM/CurrentControlSet/Services/MsExchangeTransport/
    Parameters/<number of SMTP virtual server>
  • Name: ResolveP2
  • Type: DWORD
  • Value: 2

    You can use any of the following values:
    FROM: 2
    TO and CC: 16
    REPLYTO: 32
    To resolve more than one type of P2 header, add up the corresponding values. For example, to resolve the FROM, TO and CC headers, use 18.

    Note: You may need to create the registry key for the SMTP virtual server (a numeric value) and the Parameters key if it doesn’t exist. See KBA 288635 – ResolveP2 Functionality in Exchange 2000 Server for more details.
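The registry procedure above is easy to set and forget. As an added example (not from the original post), the following PowerShell reads the ResolveP2 value for every SMTP virtual server instance on an Exchange 2000 server and decodes it using the bit values the post lists (FROM = 2, TO and CC = 16, REPLYTO = 32), so you can see at a glance which instances resolve anonymous senders. It assumes it runs locally with read access to HKLM; the Exchange 2003 checkbox is stored elsewhere and is not covered here.

```powershell
# Added example, not from the original post. Reads the ResolveP2 value that the
# Exchange 2000 procedure creates and decodes it with the bit values the post
# gives (FROM = 2, TO and CC = 16, REPLYTO = 32). Assumes it runs locally on the
# Exchange 2000 server with read access to HKLM. The Exchange 2003 checkbox is
# stored elsewhere and is not covered here.

$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MsExchangeTransport\Parameters'

# P2 header type -> bit value, as listed in the post.
$HeaderBits = @{ 'FROM' = 2; 'TO and CC' = 16; 'REPLYTO' = 32 }

function ConvertFrom-ResolveP2Mask {
    # Turns a ResolveP2 DWORD into the list of P2 headers it resolves.
    param([int]$Mask)
    $HeaderBits.GetEnumerator() |
        Sort-Object Value |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-ResolveP2Setting {
    # One row per SMTP virtual server instance (the numeric subkeys under Parameters).
    param([string]$Path = $ParametersKey)

    if (-not (Test-Path $Path)) {
        Write-Warning "Parameters key not found: $Path (no ResolveP2 configured)"
        return
    }

    Get-ChildItem $Path | Where-Object { $_.PSChildName -match '^\d+$' } | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $mask  = $props.ResolveP2

        if ($null -eq $mask) {
            $resolved = @()                       # value absent: anonymous senders are not resolved
        } else {
            $resolved = @(ConvertFrom-ResolveP2Mask $mask)
        }

        if ($resolved.Count -gt 0) {
            $verdict = 'Resolves anonymous senders; disable if this instance receives Internet mail'
        } else {
            $verdict = 'OK'
        }

        New-Object PSObject -Property @{
            VirtualServer   = $_.PSChildName
            ResolveP2       = $mask
            ResolvedHeaders = ($resolved -join ', ')
            Verdict         = $verdict
        }
    }
}

# Decoding the post's own example value, 18 = 2 + 16 (FROM plus TO and CC).
ConvertFrom-ResolveP2Mask 18

# Audit every SMTP virtual server instance on this server.
Get-ResolveP2Setting | Format-Table VirtualServer, ResolveP2, ResolvedHeaders, Verdict -AutoSize
```

Run it from an elevated PowerShell prompt on each Exchange 2000 server; a row whose Verdict is anything other than OK on an Internet-facing instance is the setting this post asks you to remove.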

The risk with resolving anonymous senders

However, not only is resolving anonymous senders a bad idea, it’s also a security risk. SMTP, the protocol, allows senders to easily spoof headers. For example, this allows anonymous senders to send mail to your users using your CEO’s email address and the message will actually appear as if it was sent by an internal/authenticated sender. If a spam message or a message with malicious code or link gets by your anti-spam & anti-virus scanners, having the sender’s address resolved to a valid internal sender buys it instant credibility.

Microsoft Outlook and message headers

This is one of the reasons I’ve always wanted Microsoft Outlook to provide an option to show SMTP headers at first look – without the time-wasting, mouse-clicking exercise of selecting a message, right-clicking, selecting Message Options, and viewing what is usually a long message header in a small scrollable text box.

It would be great to provide users the option to turn on a “mini” header that shows the actual originating host, and for advanced users – including sysadmins / Exchange administrators who look at headers all day, an option to turn on “full” headers.

Sadly, this doesn’t exist, even in Outlook 2007. (You could use a little macro that KC Lemson posted on her blog a little while ago, which displays a button on the Outlook toolbar that shows you the headers with a single click and saves them in a text file.)

[Update 7/5/2011: Looking for the Message Options option to check message headers in Outlook 2010? See Hey Outlook 2010, where are my message headers? on the Exchange team blog.]

What’s worse – and I just discovered this, thanks to a newsgroup poster and Exchange MVP Andy David’s response – when you check the option to resolve anonymous senders, unauthenticated senders can now send mail to recipients that have been set to receive email from authenticated users only! That’s a big surprise, and totally unexpected – Exchange actually treats anonymous senders as authenticated senders, at least for the purpose of message delivery to such restricted recipients.

Further, not only can someone using a valid internal recipient’s email address send mail to such recipients, but even total strangers (addresses that do not resolve to a valid internal recipient, like foo@somedomain.com) can.

I tested this a few times yesterday, and I’m still in disbelief!

Microsoft documentation on resolving anonymous senders

Having read KBA 828870: Resolve Anonymous Senders Functionality in Microsoft Exchange 2003 a few times, I don’t find any mention of this, though the article clearly recommends that this should not be enabled on any server that receives mail from the Internet, and if it is – messages from anonymous senders appear as authenticated mail.

KBA 827616: How to restrict the users who can send inbound Internet e-mail to another user or to a distribution group in Exchange 2003 does mention this:

Note If you enable the Resolve anonymous e-mail setting on your front-end SMTP servers, anonymous senders can bypass the From authenticated users only setting.

Make the resolution

There may be scenarios where resolving anonymous senders is justified, for instance on internal SMTP virtual servers, where access is controlled or restricted to certain hosts. If you’re in a cross-Forest deployment, you should attempt to authenticate the SMTP communication, as stated in KBA 828870 above.

As I suggested in the beginning of this post, if it’s not already too late to make another New Year’s resolution, make one today:

I resolve to not resolve anonymous senders on SMTP virtual servers that receive Internet mail.

1 Jinesh March 24, 2009 at 2:00 am

Great post – does this apply to Exchange 2007?

2 Jinesh April 28, 2009 at 10:24 pm

Guess I will answer my own question:

SMTP Virtual Server – Resolve anonymous e-mail is replaced with Receive Connector – externally secured with Exchange Servers permission group configured within Exchange 2007.
Receive connector authentication mechanism – ExternalAuthoritative: The ExternalAuthoritative authentication method requires the ExchangeServers permission group. This combination of authentication method and security group permits the resolution of anonymous sender e-mail addresses for messages that are received through this connector. This replaces the Resolve anonymous senders function in Exchange Server 2003.

3 Bharat Suneja April 28, 2009 at 10:34 pm

@Jinesh: That’s right, although be careful with ExternalAuthoritative, and make sure you lock it down with RemoteIPRanges. ExternalAuthoritative provides all permissions to the sending host.

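Bharat’s caution above (lock ExternalAuthoritative down with RemoteIPRanges) can be turned into a quick audit. The following is an added example, not code from the post or from either commenter: in the Exchange 2007 Management Shell it lists Receive connectors that combine the ExternalAuthoritative authentication mechanism with the ExchangeServers permission group, the pair Jinesh describes as the Exchange 2007 replacement for “Resolve anonymous e-mail”, and reports whether each one’s RemoteIPRanges is narrowed to specific hosts. It assumes the Get-ReceiveConnector cmdlet with its AuthMechanism, PermissionGroups, RemoteIPRanges, Server and Identity properties, and assumes the all-addresses range renders as the string 0.0.0.0-255.255.255.255.

```powershell
# Added example, not from the post or the commenters. Run in the Exchange 2007
# Management Shell. Finds Receive connectors that resolve anonymous senders
# (ExternalAuthoritative + ExchangeServers permission group) and checks whether
# RemoteIPRanges restricts them to specific hosts, as the reply above advises.
# Assumption: the "any source" IPv4 range is rendered as 0.0.0.0-255.255.255.255.

$AnyAddressRanges = @('0.0.0.0-255.255.255.255')

function Get-AnonymousResolvingConnector {
    Get-ReceiveConnector |
        Where-Object {
            ($_.AuthMechanism.ToString() -match 'ExternalAuthoritative') -and
            ($_.PermissionGroups.ToString() -match 'ExchangeServers')
        } |
        ForEach-Object {
            $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })

            if ($ranges.Count -eq 0) {
                $verdict = 'No RemoteIPRanges: review'
            } elseif ($ranges | Where-Object { $AnyAddressRanges -contains $_ }) {
                # Every host that can reach the connector is trusted as an authenticated sender.
                $verdict = 'Open to any source address: restrict RemoteIPRanges to the trusted hosts'
            } else {
                $verdict = "Restricted to $($ranges.Count) range(s): confirm each is a trusted host"
            }

            New-Object PSObject -Property @{
                Connector      = $_.Identity.ToString()
                Server         = $_.Server.ToString()
                RemoteIPRanges = ($ranges -join '; ')
                Verdict        = $verdict
            }
        }
}

Get-AnonymousResolvingConnector |
    Format-Table Connector, Server, RemoteIPRanges, Verdict -AutoSize -Wrap
```

Any connector reported as open to any source address grants full trust to whatever host connects to it, which is the Exchange 2007 form of the problem this post describes; tighten its RemoteIPRanges to the specific relay or partner hosts before relying on it.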
4 Victor Ivanidze January 17, 2011 at 7:03 am

Jinesh, it seems your solution opens a huge security hole.
There exists a commercial product that doesn’t require changing Receive connector settings: http://www.ivasoft.biz/resolvac.shtml

Best regards,
Victor Ivanidze
