Microsoft O365 labels nanog potential fraud?

DaKnOb daknob.mac at gmail.com
Wed Mar 29 07:04:16 UTC 2017


Usually mailing lists act like e-mail spoofers as far as SPF and DKIM are concerned. These two systems above try to minimize spoofed e-mail by doing the following:

SPF: Each domain adds a list of IP Addresses that are allowed to send e-mail on their behalf. 

DKIM: Each email sent by an "original" mail server is cryptographically signed with a key available, again, in the DNS.

When you send an e-mail to a list, you send it to the mailing list mail server. After that, if the server forwards that e-mail to the recipients, its original address is shown, therefore if Outlook checks for SPF records, that check will fail. An easy way to get around this is for the list to change the From field to something else, like "Mel Beckman via NANOG" and a local email address.

However, when you send that email, it may also be signed with DKIM: any change in subject (say "[NANOG]" is added) or the body (say "You received this email because you subscribed to NANOG" is appended) will also cause that check to fail. 

Typically the behavior of the recipient if one or both of these checks failed is described in yet another DNS record, called a DMARC Policy. Some set this to very strict levels (reject e-mail / send to spam), some others to warn the user (like what you saw?), and some others, knowing this happens, to ignore/notify.

This message probably appears because of the above SPF / DKIM / DMARC combo but I can't be 100% sure from the provided info.

In any case, this is likely not your fault. If you want to be sure, verify the contents of the e-mail against the public NANOG archive which is available over HTTPS. My guess is that nothing has been changed. 

Thanks,
Antonios 

> On 29 Mar 2017, at 03:22, Mel Beckman <mel at beckman.org> wrote:
> 
> Is anyone else getting this message on every nanog post today?
> 
> "This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing"
> 
> I don't know if this link itself is malware, as it goes to the MS store, or if something is broken in the Nanog Mail machine.
> 
> If it's just me, never mind. I'll figure it out.
> 
> -mel beckman
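
Added example, not part of the original post: a small Python model of the SPF / DKIM / DMARC interaction described above, showing a message passing when sent directly, failing when a list relays it with a footer appended, and passing again when the list rewrites the From address. The domains, IP ranges and message fields are constructed; only the DKIM body hash (`bh=`) is modelled, not the signature over headers, and alignment is assumed to be exact domain match.

```python
import base64, hashlib, ipaddress, re

# Constructed sample data standing in for DNS lookups (not real records).
SPF = {"author.example": ["192.0.2.0/24"], "list.example": ["198.51.100.0/24"]}

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # drop trailing empty lines
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes) -> str:
    """Value a signer places in the bh= tag (sha256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def spf_pass(domain: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in SPF.get(domain, []))

def dmarc_pass(msg: dict) -> bool:
    """Pass if SPF or DKIM passes for a domain equal to the From domain."""
    from_dom = msg["from"].rsplit("@", 1)[1]
    spf_ok = msg["envelope_domain"] == from_dom and spf_pass(from_dom, msg["ip"])
    dkim_ok = msg["dkim_d"] == from_dom and msg["dkim_bh"] == body_hash(msg["body"])
    return spf_ok or dkim_ok

BODY = b"Is anyone else seeing this?\r\n"
FOOTER = b"-- \r\nYou received this email because you subscribed.\r\n"
signed = {"dkim_d": "author.example", "dkim_bh": body_hash(BODY)}

direct = {**signed, "from": "mel@author.example", "envelope_domain": "author.example",
          "ip": "192.0.2.10", "body": BODY}
# List relays from its own IP, keeps the author's address, appends a footer.
relayed = {**direct, "ip": "198.51.100.7", "body": BODY + FOOTER}
# List rewrites From and the envelope sender to its own domain.
rewritten = {**relayed, "from": "nanog@list.example", "envelope_domain": "list.example"}

def results() -> dict:
    return {name: dmarc_pass(m) for name, m in
            [("direct", direct), ("relayed", relayed), ("rewritten", rewritten)]}

if __name__ == "__main__":
    print(results())
```

Trailing blank lines and runs of whitespace do not change the body hash under relaxed canonicalization, but any appended footer text does.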


