Header Firewall: Why spammers can’t insert fake SCL (and other Exchange Organization) X headers

by Bharat Suneja

After almost a year and a half of working with Exchange Server 2007, I still stumble into features I haven’t tested before. When it happens, it blows holes into my theories about how well I know E12. :)

It started when investigating why a certain message – likely not from an authenticated source, would have a SCL of -1 (seen in message headers as X-MS-Exchange-Organization-SCL: -1).

One suggestion that got me thinking: it may have been a fake header, perhaps inserted by a spammer. I tested this a few times in different combinations (by inserting SCL and PCL headers before, after and in between other X-headers, like the ones below:

Note: Exchange uses the PCL and SCL headers seen above, but the QCL header in the above screenshot is fabricated/fake.

When the above messages came in, all the headers with X-MS-Exchange-Organization* were removed by Exchange. Nice work, Microsoft, I said to myself, and asked for an explanation.

Someone from the team immediately pointed me to Header Firewall – a supercool feature (not so much in what it does but the fact that it exists). It removes protected Exchange Organization and Forest headers from messages that enter or exit the Exchange Organization. This is the reason you’re not likely to see fake SCL, PCL, SenderID, and other such headers in messages received by Exchange Server 2007 Edge or Hub Transport servers.

Preserving Organization and Forest X headers: If you want these to be preserved for inbound mail from particular sources, it is recommended to do so using a separate Receive Connector, just as you would create one if you needed to allow unauthenticated relaying [read previous post “Exchange Server 2007: How To Allow Relaying“], and assign MS-Exch-Accept-Headers-Organization and MS-Exch-Accept-Headers-Forest permissions. Similarly, to send Organization and Forest headers to particular external mail systems, it is recommended to create a separate Send Connector for those address spaces, and assign the MS-Exch-Send-Headers-Organization and MS-Exch-Send-Headers-Forest permissions.

Getting back to the original question – when do you see a SCL of -1? Either when the sender is authenticated, or the sending host is on the IP Allow List.

Read more about the Header Firewall feature in the Exchange Server 2007 documentation. A list of Exchange Organization and Forest x-headers can also be found there.

{ 2 comments… read them below or add one }

hakan uzuner May 2, 2008 at 3:09 pm

thank you for information


Pavan Kumar September 21, 2009 at 4:51 am

This information was really helpful:). Thank you very much.


Leave a Comment

Previous post:

Next post: