Microsoft O365 labels nanog potential fraud?
Mark Andrews
marka at isc.org
Thu Mar 30 04:21:30 UTC 2017
In message <2066629.BbQ8KXnJic at skynet.simkin.ca>, Alan Hodgson writes:
> On Wednesday 29 March 2017 14:28:30 Carl Byington wrote:
> > For an example of that (unless I am misunderstanding something), we
> > have:
> >
> > --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
> > <-- MAIL FROM:<$MUNGED at marketo-email.box.com>
> > <-- RCPT TO: ...
> >
> > dkim pass header.d=mktdns.com
> > rfc2822 from header = $MUNGED at email.box.com
> >
> >
> > dig _dmarc.email.box.com txt +short
> > "v=DMARC1; p=reject; ..."
> >
> > dig email.box.com txt +short
> > "v=spf1 ip4:192.28.147.168 -all"

Well you should be checking the correct TXT record for SPF.

dig marketo-email.box.com txt +short
"v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"

> > So given the dmarc reject policy, it needs to pass either spf (which
> > fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
> > is not signed by anything related to email.box.com).
> >
> > Am I missing something, or is that just broken?
>
> That appears to be broken. The -all on the SPF record alone breaks it, since
> receivers should refuse it at that point. But yeah the DMARC is also broken.
>
> Interestingly, the mail I've seen recently from email.box.com has multiple
> signatures, one of which is from email.box.com. And it originated from
> 192.28.147.168. Weird.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
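
Added example, not part of the original message: a Python sketch that evaluates the records and identities quoted in this thread the way a DMARC receiver would, checking SPF against the MAIL FROM domain and then testing alignment with the header From domain. The DMARC record in the thread is truncated, so both relaxed and strict alignment are shown. Assumptions: org_domain() treats the last two labels as the organizational domain (real receivers use the Public Suffix List), and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress

# SPF records exactly as quoted in the thread.
SPF = {
    "email.box.com": "v=spf1 ip4:192.28.147.168 -all",
    "marketo-email.box.com": "v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate ip4 and all terms only (a small subset of RFC 7208)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:              # skip "v=spf1"
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"              # other mechanisms not handled
        if matched:
            return RESULT[qualifier]
    return "neutral"

def org_domain(domain):
    # Assumption: last two labels; production code needs the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc(client_ip, mail_from_domain, header_from, dkim_pass_domains, strict=False):
    """DMARC passes if SPF or DKIM passes AND that identity aligns with From."""
    spf = spf_check(SPF[mail_from_domain], client_ip)
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from, strict)
    dkim_ok = any(aligned(d, header_from, strict) for d in dkim_pass_domains)
    return {"spf": spf, "spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    session = ("192.28.147.169", "marketo-email.box.com", "email.box.com", ["mktdns.com"])
    print("SPF vs header From domain record:", spf_check(SPF["email.box.com"], session[0]))
    print("relaxed alignment:", dmarc(*session))
    print("strict alignment: ", dmarc(*session, strict=True))
```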