Microsoft O365 labels nanog potential fraud?

• Previous message (by thread): Microsoft O365 labels nanog potential fraud?
• Next message (by thread): Microsoft O365 labels nanog potential fraud?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday 29 March 2017 14:28:30 Carl Byington wrote:
> For an example of that (unless I am misunderstanding something), we
> have:
> 
>  --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
>  <-- MAIL FROM:<$MUNGED at marketo-email.box.com>
>  <-- RCPT TO: ...
> 
> dkim pass header.d=mktdns.com
> rfc2822 from header = $MUNGED at email.box.com
> 
> 
> dig _dmarc.email.box.com txt +short
> "v=DMARC1; p=reject; ..."
> 
> dig email.box.com txt +short
> "v=spf1 ip4:192.28.147.168 -all"
> 
> So given the dmarc reject policy, it needs to pass either spf (which
> fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
> is not signed by anything related to email.box.com.
> 
> Am I missing something, or is that just broken?

That appears to be broken. The -all on the SPF record alone breaks it, since 
receivers should refuse it at that point. But yeah the DMARC is also broken.

Interestingly, the mail I've seen recently from email.box.com has multiple 
signatures, one of which is from email.box.com. And it originated from 
192.28.147.168. Weird.

• Previous message (by thread): Microsoft O365 labels nanog potential fraud?
• Next message (by thread): Microsoft O365 labels nanog potential fraud?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]