Mark Minasi's Windows Networking Tech Page
Issue #52 November 2005

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2005 Mark Minasi.

What's Inside

  • News
    • LAST CHANCE... Active Directory and Security Classes in DC Next Monday, Wednesday
  • Tech Section
    • A More Modern Take on NET TIME... W32TM
    • Questions and Answers On SPF
  • Conferences
  • Bring a Seminar to Your Site

News

This month, I've got an update on the Windows Time Service and the responses to questions that many of you had about SPF.  This issue's a bit short and sweet, but I think you'll find a tip or two in here, including a very simplified suggestion on building your own SPF records.  But first, a word from our sponsor...

LAST CHANCE... Active Directory and Security Classes in DC Next Monday, Wednesday

I'm trying to stay off the road so I can start working on Server R2 and Vista books, but a fair number of folks have kindly asked for another seminar... so here goes.  The only public seminars I will do for the rest of the year (and probably a good bit of the next) will be in Washington, DC at the Marriott near George Washington University next Monday through Thursday.  I'll be running the Active Directory class and the Security class.  You can find the Security class (which is now twice the size and three times as many PowerPoint slides, all packed into two enlightening days) outline is at www.minasi.com/secoutln.htm, the Active Directory class outline is at www.minasi.com/2003outln.htm, and you can find the seminar registration page at www.minasi.com/pubsems.htm.

Tech Section

Amplifying our last newsletter on Windows Time Service, and more on SPF...

A More Modern Take On NET TIME... W32TM

Last newsletter I mentioned that Server 2003 behaved differently from 2000 and XP when it came to NET TIME, noting that you need to restart the W32TIME service after doing a NET TIME /SETSNTP command.  Reader Matt Lichstein e-mailed me to spank me for not knowing that NET TIME has been "deprecated," computer-talk for "this command's still around now, but don't expect it in the future!"  (ANd Matt's got a Microsoft e-mail address, so I'm guessing he knows what he's talking about.)  The w32tm command, which I covered in the 2003 book as the command-line tool to force a reset of the Windows Time Service, can also replace NET TIME, Matt tells me.  So I looked into it and, sure enough, he's right.

The particular w32tm option that we're looking for is the "/configure" parameter.  It sets two things.  First, it tells W32Time whether or not to look for a time server within an Active Directory hierarchy.  You may recall that if your system is a member of an Active Directory, then you don't tell it where to get its time from; instead, it gets it from some other AD member in a hierarchy with just one machine at the top -- the PDC emulator FSMO for the root domain.  (This is written up in the book so I'll spare you the long explanation, but in short it's the first DC that you ever install in the first domain in your forest.  At least until you decommission that DC; after that, it's whatever DC you transferred the PDC FSMO role over to when you decommissioned that first DC.)  For non-AD members or

This is controlled normally by a Registry entry in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters called "Type," and it's either set to "NT5DS" if you're in an AD, or "NTP" if you're either not an AD member, or if you're the root domain's PDC emulator FSMO -- that first-DC-in-the-forest that I just referred to.  I explained all of this back in Newsletter #16, but monkeying around with the Registry's never fun, so w32tm makes it a bit easier.

To tell a system's W32Time service to get its time from the Active Directory, type

w32tm /configure /syncfromflags:domhier /update

This does two things.  First, it sets that Type value to "NT5DS."  Second, it restarts the W32Time service, or at least notifies it that things have changed.

But what about a system that's not a member of an AD?  In that case, change two things.  First, the /syncfromflags option's value changes from "domheir" to "manual."  That will change the Type value from "NT5DS" to "NTP."  Second, you'll need to tell it the name of the server to get time from.  You do that by adding the /manualpeerlist: option, which behaves the same way as the /setsntp: option works in NET TIME -- it lets you specify one time server, or a number of potential time servers in a list surrounded by quotes.  To tell your system that it's on its own for time and to start synchronizing from time.windows.com, you'd type

w32tm /configure /manualpeerlist:time.windows.com /syncfromflags:manual /update

Then, as before, tell your system to update its time with this command:

w32tm /resync

And if you're in search of a time server, just use any Internet search engine and search on "public time servers" or "public NTP servers."  As Matt notes, if you do a w32tm /? then you'll see a bunch of options.  My thanks to Matt!

More On SPF

A lot of you wrote to tell me that you liked the articles on defeating spam and about implementing SPF records on your DNS domain in Newsletter #51, which you can read here.  Some had some questions and needed a bit of clarification.  Here are the questions and answers.

Won't this cause me to block e-mail from legitimate senders who haven't implemented SPF records?

If I install an SPF filter on my SMTP server then that surely sounds nice, but the fact is that most domains don't yet have SPF records in their DNS domains.  Won't I end up bouncing a lot of good mail?

Answer:  no.  Remember, an SPF filter looks at a given domain's DNS zone, seeking an SPF record.  Based on that, the SPF filter scores the incoming mail as "pass," "fail," or (to simplify things) "I don't know."  It depends on what SPF filter software you're running, but in general it's simple (and typical) under SPF to say, "only reject incoming e-mails who have explicitly failed based on an SPF record."  In other words, if your SMTP server sees an incoming e-mail claiming to be from, say, whitehouse.gov, then your server will contact the whitehouse.gov DNS server and ask if it's got a TXT record with SPF information in it.  Those dodos at the White House IT staff haven't bothered to create an SPF record, so your SPF filter wouldn't find an SPF record, and would score the incoming e-mail as "I don't know" rather than "fail."  Assuming that you've told your SPF filter to only reject explicit "fail" messages, then the e-mail would be delivered.  So if you're waiting for W to say "howdy," then you needn't worry.

SPF will only work if everyone publishes SPF records.

Not at all.  Heck, if the only person in the world who published an SPF record were me and if the only person in the world who ran an SPF checker were me, then I'd still see a benefit:  no more spam addressed to me... from me!  For that matter, if Paypal publishes SPF records (as they do) then anyone running an SPF filter should never again have to see the "notice of account termination" phishing stuff.  I'd be nice if everyone took a moment and did an SPF record, but until then, it's still useful.  And every single domain that publishes a record makes SPF more and more valuable.

This is only effective for big companies who control their own DNS zones, and no good for us little guys.

Well, first, if you run your own SMTP server, then there's probably nothing keeping you from running your own DNS server.  Yes, you're supposed to run two DNS servers but you can either get an ISP to act as a secondary for a small fee, or just tell 'em that you've got two servers and, um, never get around to setting up the second one.<g>

Second, in my experience every ISP I've worked with who hosts a DNS zone will let you put just about anything that you want in it.  Some have Web pages that let you edit your DNS zone.  For others, you'll need to call their tech support people.  But if you've got a static IP address and someone else is hosting your DNS for you, then I cannot imagine why they wouldn't let you tell them to insert a TXT record.

Third, if we're talking a dynamic IP address, then most people who want to host their own servers end up going with some kind of dynamic DNS hosting service, in which case you run your own DNS server.

Either way, creating a simple TXT record with SPF information in it should not be a barrier to publishing SPF records.

SPF is ineffective as spammers will just register their domains and include SPF records.

It's certainly true that spammers could do that.  But remember, I said in the article that SPF's main virtue is in making it difficult to forge return addresses.  The anti-spam aspect of this comes in two parts.  First, it's no longer possible for you to get an e-mail, as I've said, from yourself, unless you really did send yourself an e-mail.  Second, it's harder for phishing schemes to go on, as I've already mentioned.

What happens if a spammer registers a domain and spams from it?  We soon learn of it, and blacklist that domain.  Sure, a spammer can just hop around, creating domains before a spam blast, but it's more work.  And as time goes on we'll have better authenticated and reputation-based systems.

I could just spoof an IP address of an SMTP server for a legitimate domain.

One reader said

...if I wanted to get around SPF, and I wanted to use a from domain which was verifiable via SPF, I would write a small piece of software which queried DNS for the permitted email sending IP for my chosen domain (bigcompany.com), then sent the spam email to the target recipient's incoming email server, with the IP headers constructed to appear as though my PC was just a router on the internet forwarding a packet originating from the IP of bigcompany.com. Spoofing source IP like this is trivially easy, and is the obvious way around SPF. You can be sure there will be software available for download by spammers to do this before SPF has even achieved significant partial coverage of the internet.

This is not bad reasoning, save for one small flaw -- the notion of IP spoofing.  Let's look at how IP spoofing works, and why it won't work here.

When my system sends an IP packet to another system, that IP packet contains a number of pieces of information.  Two of the most important of those pieces of information are the source and destination IPs -- who I am, and who I'm trying to talk to.  The source IP address is important, as it becomes the return address, the IP that the destination uses to reply to the source.

When you spoof an IP address, you craft an IP packet that lies about the source IP address.  This is useful for bad guys who want to do things like send bezillions of IP packets at a router with the intention of overloading that router and creating a denial of service attack.  They spoof a return IP address for several reasons, but the most obvious one is that they don't want to get caught.

In light of this then yes, it seems that anyone could build systems that can do criminal things and, though the magic of spoofing, remain undetected.  But that's not so.  Recall that in the Internet, there are two main kinds of protocols that live atop IP -- UDP and TCP.  UDP communications are like a message in a bottle; they're dropped on the Internet and you have no idea where they actually went or who actually got it, if anyone.  TCP, in contrast, is connection-oriented and doesn't work until you've established a conversation.  The would-be client says to the would-be server, "let's talk," and the would-be server must reply, "sure" before anything can happen.  But if the would-be client proffers an invalid source IP address -- a bogus "return address," then the server's "sure" never gets back to the client, and the connection is never established.  But -- and here's the important part -- SMTP can't work without TCP.  So while spoofing source IPs are trivially easy on non-Windows systems (there's protection against such spoofing built into XP SP2 and 2003 SP1), spoofing IPs and thereby creating an SMTP conversation isn't so easy.

I'm still confused.  Is there a really easy way to build an SPF record?

You betcha.  Use the "a" mechanism to name specific systems that are allowed to send e-mail for you.  Or the "ip4" mechanism.

For example, let's suppose that bigfirm.com has only two servers that it authorizes to send e-mail for them, mail.bigfirm.com and mailserver.someisp.com.  Anyone else claiming to be sending e-mail for bigfirm.com should be rejected.  Put this SPF record into the bigfirm.com DNS zone:

v=spf1 a:mail.bigfirm.com a:mailserver.someisp.com -all

This will always pass the MAIL FROM test.  To pass the EHLO/HELO test, just make sure that the PTR records for mail.bigfirm.com and mailserver.someisp.com return IP addresses that match the actual IP addresses of those two systems.

Alternatively, you can go with the easiest and most specific mechanism, ip4.  Just specify the IP addresses of the only systems that you want to send e-mail for your domain, and name those IP addresses.  In the above example,suppose that mail.bigfirm.com has an IP address of 101.88.77.2 and mailserver.someisp.com has an IP address of 100.100.1.3.  Put this SPF record into bigfirm.com's DNS zone instead of the previous one:

v=spf1 ip4:101.88.77.2  ip4:100.100.1.3 -all

That will pass both the MAIL FROM and EHLO/HELO tests without trouble.

You dope, SPF records are read left to right, not right to left!

Ummm, yeah, that's right, I goofed.  You see, I've been trying to learn Hebrew in my spare time, and I got confused...<g>  Thanks to those who caught this so I could fix it before many of you read this.

Can I do SPF with Microsoft's SMTP server?

The SMTP server built into IIS can't do SPF checking right out of the box, but if you visit http://www.gfi.com/mes/mesfreeware.htm then you'll find a free tool that lets you add DNS blacklisting, SPF checking, automatic disclaimers at the end of every outgoing message, and custom blacklisting.  I have not played with it, but I'm told it works very well.

Thanks again to everyone who commented, I'm very glad that I could make SPF a bit easier to understand. As always, please feel free to let me know what you think!

Conferences

Join me at ...

TechTarget's Web Class on SP2 and SP1.  As they say it...

"Windows School is in session with Mark Minasi Mark Minasi dissects Windows XP SP2 and Windows Server 2003 SP1 in five, 15-minute webcast cram sessions. You can even download a worksheet to follow along with the lesson you're hearing. Find out the good and bad about XP SP2 and Windows 2003 SP1 in Mark's inimitable style. Topics cover: Data execution protection, stack changes, de-anonymizing XP, IE and more."
http://searchwin2000.techtarget.com/general/0,295582,sid1_gci1084934,00.html?offer=minasi

Bring Mark to your site to teach

I'm keeping busy doing Active Directory and Security seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000, XP, Active Directory and 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 40,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2005 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.