Microsoft O365 labels nanog potential fraud?
Carl Byington
carl at five-ten-sg.com
Wed Mar 29 21:28:30 UTC 2017
On Wed, 2017-03-29 at 09:24 -0700, Alan Hodgson wrote:
> So for DMARC+SPF to pass not only must the message come from a source
> authorized by the envelope sender domain, but that domain must be the
> same domain (or parent domain or subdomain) of the header From:
> address.
> For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM
> signing domain must be the same domain (or parent domain or subdomain)
> of the header From: address.
> Again, DMARC requires only one or the other mechanism to pass. So
> messages forwarded intact should be OK if they have an aligned DKIM
> signature.
Brad Knowles wrote:
> ...and it's easy to set things up in a way that you wind up shooting
> yourself in the foot -- and possibly with a large thermonuclear
> device.
For an example of that (unless I am misunderstanding something), we
have:
--> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
<-- MAIL FROM:<$MUNGED at marketo-email.box.com>
<-- RCPT TO: ...
dkim pass header.d=mktdns.com
rfc2822 from header = $MUNGED at email.box.com
dig _dmarc.email.box.com txt +short
"v=DMARC1; p=reject; ..."
dig email.box.com txt +short
"v=spf1 ip4:192.28.147.168 -all"
So given the dmarc reject policy, it needs to pass either spf (which
fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
is not signed by anything related to email.box.com).
Am I missing something, or is that just broken?
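Added example, not part of the original message or of any mail software: a small Python evaluator for the DMARC identifier-alignment rules quoted above, run on the domains and addresses from the message. The function names are hypothetical, the organizational domain is assumed to be the last two labels (real evaluators use the Public Suffix List), and because the message shows neither the alignment tags of the DMARC record nor the SPF result for the envelope domain, both are taken as parameters.

```python
import ipaddress

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    # mode "r" (relaxed): same organizational domain; "s" (strict): exact match.
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def spf_ip4_match(record, client_ip):
    # Handles only ip4: mechanisms, which is all the record quoted above uses.
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return True
    return False

def dmarc_pass(header_from, spf_domain, spf_ok, dkim_domain, dkim_ok,
               aspf="r", adkim="r"):
    # DMARC passes when at least one mechanism both passes and is aligned.
    spf = spf_ok and aligned(header_from, spf_domain, aspf)
    dkim = dkim_ok and aligned(header_from, dkim_domain, adkim)
    return spf or dkim

# Values quoted in the message above.
HEADER_FROM = "email.box.com"
ENVELOPE = "marketo-email.box.com"
DKIM_D = "mktdns.com"
CLIENT_IP = "192.28.147.169"
PAGE_SPF = "v=spf1 ip4:192.28.147.168 -all"   # TXT record of email.box.com

if __name__ == "__main__":
    print("client IP in email.box.com SPF:", spf_ip4_match(PAGE_SPF, CLIENT_IP))
    print("DKIM d= aligned:", aligned(HEADER_FROM, DKIM_D))
    for mode in ("r", "s"):
        print("envelope aligned, aspf=%s:" % mode,
              aligned(HEADER_FROM, ENVELOPE, mode))
    # The SPF result for the envelope domain is not shown in the message,
    # so both possibilities are evaluated (relaxed alignment assumed).
    for spf_ok in (True, False):
        print("spf_ok=%s -> DMARC pass:" % spf_ok,
              dmarc_pass(HEADER_FROM, ENVELOPE, spf_ok, DKIM_D, True))
```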