This Issue Sponsored By

C2C: Enforce policy, manage content and PSTs

Security Administrator


- The Sender Policy Framework and Caller ID for Email

- Featured Thread: Running DomainPrep on a Subdomain
- Outlook Tip: Adding and Removing the Folder Size Button

New and Improved
- Centralize Your Company's IM Security


~~~~ Sponsor: C2C: Enforce policy, manage content and PSTs ~~~~
Active Folders Content Manager is essential for every Exchange administrator's toolbox!
* Acts on PSTs (local and central), mailboxes and public folders.
* SEARCHES content of emails and attachments for policy enforcement.
* CLEANS viruses from Exchange on the fly for a layered defense.
* LOCATES and REMOVES non-business related attachments.
* FREES-UP redundant storage space.
* DISCOVERS email by multiple criteria.
Running automated, granular rules-based processes can save essential time and resources and keep your organization's email legal. Content Manager acts on all local and central PST files as well as mailboxes and public folders.
Read the datasheet or take a free 30 day trial now!


==== Commentary: The Sender Policy Framework and Caller ID for Email ==== by Paul Robichaux, News Editor,

SMTP was never designed to be a secure protocol. Back in the early days of the ARPAnet (predecessor to the Internet), designers assumed that all hosts that connected to the network would be trusted and trustable; they didn't foresee the explosion in Internet connectivity driven by cheap, high-bandwidth connections and powerful sub-$500 PCs. Because of SMTP's design, there's no guaranteed way to prevent senders from forging headers or impersonating other computers. Two of the many solutions that have been proposed to this problem include the Sender Policy Framework (SPF) and Microsoft's proposed Caller ID for Email specification. (The SPF standard is described fully at ; Microsoft maintains a complete specification for Caller ID--as well as an explanation of how to create your own Caller ID records--at .) These two protocols are similar in some ways but are designed to solve different problems.
SPF addresses the fact that SMTP senders can easily lie about who they are. For example, I can send out spam with a return address of, and any bounces or nondelivery reports (NDRs) that my spam generates will go to Scott's mailbox. (When a spammer specifies an innocent bystander's return address specifically with the intent of flooding the victim, it's known as a "joe-job," but more often spammers simply pick a valid return address at random.) To use SPF, you publish a DNS text (TXT) record that contains information about the Internet hosts that are permitted to send email on behalf of your domains. For example, suppose I publish an SPF record for Receiving SMTP servers can look up that record and use it to make decisions about incoming messages that claim to be from my domain. SPF lets the receiving Message Transfer Agent (MTA) make a four-way determination according to the following criteria:

- If no SPF record is available or the available record is bogus or malformed, the receiving server must rely on other methods to determine the message's validity.

- If the SPF record indicates that the domain is still in the process of moving to SPF use and the record doesn't include the sender's IP address, the message is probably legitimate.

- If the SPF record indicates that the domain has been completely transitioned to full SPF use but the record doesn't include the sender's IP address, the message is from a spammer.

- If the SPF record indicates that the sender's IP address is legitimate for the domain, the message is legitimate.
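
The four-way determination above can be made mechanically from the published record. The following is an added example in Python, not code from the newsletter or from the SPF project: a deliberately trimmed-down SPF evaluator that understands only the `ip4`, `ip6` and `all` mechanisms with their `+`, `-`, `~` and `?` qualifiers, which is enough to reproduce the four outcomes the column describes (no usable record, still migrating, fully transitioned, or explicitly permitted). The domains, records and addresses in `FAKE_DNS_TXT` are constructed for illustration and stand in for the DNS TXT lookup a real receiving MTA would perform; mechanisms that need further DNS queries (`a`, `mx`, `include`, `exists`, `ptr`, `redirect=`) are not resolved here and are treated as an unusable record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not from the newsletter).
# A real receiving MTA would query DNS for the TXT record of the claimed sender domain.
FAKE_DNS_TXT = {
    # Fully transitioned: only these networks may send, everything else hard-fails.
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # Still moving to SPF: unlisted senders soft-fail and are probably legitimate.
    "migrating.example": "v=spf1 ip4:198.51.100.10 ~all",
    # Malformed record: the receiver must fall back to other checks.
    "broken.example": "v=spf1 ip4:not-an-address -all",
    # Needs an extra DNS lookup that this offline example does not perform.
    "partner.example": "v=spf1 include:_spf.partner.example -all",
}

# SPF qualifier prefixes and the result they yield when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if the domain publishes none."""
    return FAKE_DNS_TXT.get(domain)


def evaluate_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting SMTP client's IP.

    Returns one of: 'none' (no usable record; rely on other methods), 'pass',
    'fail' (unlisted sender of a fully transitioned domain), 'softfail'
    (unlisted sender of a migrating domain) or 'neutral' (record expresses no opinion).
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # bogus record: wrong or missing version tag

    ip = ipaddress.ip_address(sender_ip)  # raises ValueError for a garbage address

    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism defaults to 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # 'all' always matches; its qualifier is the domain's verdict for unlisted senders.
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "none"  # malformed record: receiver must rely on other methods
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue

        # a, mx, include, exists, ptr and modifiers such as redirect= require DNS
        # resolution, which this offline example deliberately omits; treat the record
        # as unusable so the caller falls back to its other checks.
        return "none"

    # No mechanism matched and the record has no 'all': SPF expresses no opinion.
    return "neutral"


if __name__ == "__main__":
    checks = [
        ("strict.example", "192.0.2.25"),
        ("strict.example", "203.0.113.9"),
        ("migrating.example", "203.0.113.9"),
        ("nospf.example", "203.0.113.9"),
        ("broken.example", "203.0.113.9"),
    ]
    for domain, ip in checks:
        print(f"{domain:20} from {ip:15} -> {evaluate_spf(domain, ip)}")
```

A receiving MTA would map `fail` to rejection or aggressive scoring, `softfail` to a mild score adjustment, and `none` or `neutral` to whatever other filtering it already runs, which is exactly the limitation the column goes on to discuss: the verdict rests on the connecting IP alone, not on any other header.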

The ability to make these determinations is useful but has some limitations--primarily that SPF examines the sender's IP address only and so can't make decisions based on any other headers. SPF's other major limitation is that it uses a relatively constrained format that isn't easily extensible. Microsoft's Caller ID specification addresses both of these problems.
Like SPF, Caller ID requires administrators to create DNS TXT records, but each Caller ID record includes an XML-formatted description of the domain's email policy. Caller ID filters can make decisions according to a header's entire contents. This capability provides superior flexibility, at the cost of requiring the receiving server to accept the message before making a decision about whether to keep it.
The specification's use of XML has engendered a lot of debate among antispam activists because Caller ID records are more verbose than their SPF equivalents. Microsoft cites the broad availability of XML tools and parsers, and the ease of extending the Caller ID XML namespace to add new behaviors, as reasons behind using XML. The real utility of this approach comes when you consider the possible extensions to the Caller ID specification. Imagine the ability to succinctly define a policy that specifies that you'll accept email from certain addresses only when the messages are digitally signed or that you'll accept email from a specific domain only after the sender preregisters with your server. All sorts of interesting applications are possible.
Which standard will win in the marketplace? It's hard to tell. SPF has an early lead; almost 8000 domains, including AOL (which says its use of SPF is currently "experimental"), are using SPF. But Microsoft Hotmail will soon begin using Caller ID, so the total number of messages protected by that specification is likely to shoot upward in the not-too-distant future. There's another important point to consider, one that I first saw Larry Seltzer make in eWeek: "[Microsoft's] not selling SMTP authentication, [it's] selling products and services that are made better by SMTP authentication, and it behooves [Microsoft] to use the best method available." I think ultimately that SPF, Caller ID, and Yahoo!'s DomainKeys system will coalesce into one, or possibly two, standards that will then reach critical mass.
Caller ID and SPF deployment are both easy, and I'm curious about whether you're considering adopting either or both. Drop me a line and let me know what you plan to do.


~~~~ Sponsor: Security Administrator ~~~~
Try a Sample Issue of Security Administrator!
Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!


==== Announcements ==== (from Windows & .NET Magazine and its partners)

Windows & .NET Magazine Connections
Windows & .NET Magazine Connections features speakers from Microsoft and other top independent experts. Complete details about workshops, breakout sessions, and speakers are now online. All attendees will get a chance to win a Florida vacation. Keep your competitive edge by learning from the world's best experts. Go online now to register.

Register today for Microsoft Tech·Ed 2004
Don't miss Tech·Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the definitive Microsoft conference for building, deploying, securing and managing connected solutions. You'll find 11 conference tracks and over 400 sessions. Get answers to your technical questions, meet industry experts, evaluate new products, and take advantage of extensive networking opportunities. Register today.


~~~~ Hot Release: Web-Based Directory Management Solution, WebDir ~~~~

NEW Release! Workflow approvals & linked fields are two of 13 new features just released. Find out how to reduce support calls with WebDir & allow users to search & update their own directory information, change passwords & create & manage the groups they own via any browser. Evaluate WebDir & enter to win Tivo!


==== Resources ====

Featured Thread: Running DomainPrep on a Subdomain
A forum reader is having trouble running DomainPrep on an Exchange Server 2003 subdomain. To offer your advice or join the discussion, go to the following URL:

Outlook Tip: Adding and Removing the Folder Size Button by Sue Mosher,

Q: Can I add or remove Outlook 2002's Folder Size button?

A: By default, Outlook places a Folder Size button on the General tab of the Properties dialog box for every folder within your mailbox. You can disable or reenable this button by editing the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook registry subkey. Add a DWORD entry named ChkFldrSize. Set this entry's value to 0 to disable the Folder Size button or to 1 to enable it. For more information about this registry edit, see the Microsoft article "OL2002: How to Remove or Replace Folder Size Button in Folder Properties" ( ).
See the Windows & .NET Magazine Exchange & Outlook Web page for more great tips.

==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine: )

New--Microsoft Security Strategies Roadshow!
We've teamed with Microsoft, Avanade, and Network Associates to bring you a full day of training to help you get your organization secure and keep it secure. You'll learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free, 20-city tour.

==== New and Improved ==== by Carolyn Mader,

Centralize Your Company's IM Security
Sybari Software announced Antigen 7.5 for Instant Messaging (IM), software that provides virus-scanning, document-filtering, and message-content scanning for Microsoft Office Live Communications Server 2003. You can use the software to centralize IM security on the network and apply content- and file-filtering policies throughout your company. The Antigen Central Manager (ACM) feature lets you roll out, administer, update, and receive Antigen reports on your Exchange Server systems. For pricing, contact Sybari Software at 631-630-8500 or

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to

==== Contact Us ====

About the newsletter --
About technical questions --
About product news --
About your subscription --
About sponsoring UPDATE --


==== Contact Our Sponsors ====

Primary Sponsor:
C2C -- -- 1-413-739-8575

Hot Release:
Imanami -- -- 1-800-263-0036


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine Privacy policy at: Windows & .NET Magazine a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All Rights Reserved.