On 2022-11-08 22:51, Brandon Long via mailop wrote:
> Validating From headers is the whole thing behind DMARC. Yes, an MSP
> should validate the From header for mail it originates, but there are
> often cases such as various kinds of relaying, where doing so is not
> possible.
>
> One can use DMARC or other heuristics to try and figure that out when
> forwarding/relaying, but it's definitely not a "this obviously shouldn't
> happen" kind of thing.

Then spammers always use a relay where it isn't validated, so what's the
point?

> The flip side is you can also implement DMARC and reject the spoofed
> mail from MS if they are indeed failing at it.

Well, SPF fails for this message because no SPF exists, but DKIM succeeds
because Microsoft signed with the envelope sender domain. The DMARC check
seems confused locally. But if Microsoft agrees to DKIM-sign using
envelope-from (**signature including the FROM header**), shouldn't that
mean it is seeing the headers and can of course validate the FROM header?
For me that shows extra proof of Microsoft allowing free-form unchecked
spoofing:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=<redact>.onmicrosoft.com; s=selector1-<redact>-onmicrosoft-com;
  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
  bh=.....

> On Tue, Nov 8, 2022 at 2:39 PM MRob via mailop <[email protected]> wrote:
>
>> Hello,
>>
>> Microsoft doesn't limit FROM header spoofing? I saw a message like:
>>
>> Envelope from: example.user207@<redacted>.onmicrosoft.com
>> To: <address on my domain>
>> From: support@<fake domain made from *username* of recipient>
>>
>> For example if [email protected] then [email protected]
>>
>> Is it too complicated for Microsoft to check that the FROM header
>> belongs to the sender's account?
>>
>> Is it best to always reject mail from <anything>.onmicrosoft.com?

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
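
The message discussed in this thread carries a passing DKIM signature whose `d=` is an onmicrosoft.com tenant while the `From:` header names a different domain, so what a receiver's DMARC check returns depends on identifier alignment (RFC 7489). The following Python sketch of that check is an added example, not code from the thread or from any mail product; the addresses, the `tenant` label, the selector and the two-label `org_domain` shortcut are constructed assumptions (real evaluators use the Public Suffix List).

```python
# Added example (not from the thread): DMARC identifier alignment per RFC 7489.
# All addresses and domains below are constructed placeholders.
from email.utils import parseaddr

def domain_of(addr):
    """Lower-cased domain of an address or a header value like 'Name <a@b>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict (whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def org_domain(domain):
    # Assumption/simplification: last two labels stand in for the PSL lookup.
    return ".".join(domain.split(".")[-2:])

def aligned(header_from, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_evaluate(header_from, mail_from, spf_result, dkim_sig, dkim_result):
    """A DMARC pass needs an SPF or DKIM *pass* that is aligned with From:."""
    from_dom = domain_of(header_from)
    tags = dkim_tags(dkim_sig)
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    spf_ok = spf_result == "pass" and aligned(from_dom, domain_of(mail_from))
    dkim_ok = dkim_result == "pass" and aligned(from_dom, tags.get("d", "").lower())
    return {"from_signed": "from" in signed, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed message shaped like the one described in the thread.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=tenant.onmicrosoft.com; "
       "s=selector1; h=From:Date:Subject:Message-ID; bh=placeholder; b=placeholder")
SPOOFED = dmarc_evaluate("Support <support@recipient-name.example>",
                         "example.user207@tenant.onmicrosoft.com", "none", SIG, "pass")
ALIGNED = dmarc_evaluate("user@tenant.onmicrosoft.com",
                         "example.user207@tenant.onmicrosoft.com", "none", SIG, "pass")

if __name__ == "__main__":
    print("mismatched From:", SPOOFED)
    print("aligned From:   ", ALIGNED)
```

For the mismatched case the `From` header is covered by the signature and DKIM verifies, yet neither identifier aligns with the `From:` domain, so the result is a DMARC fail that a receiver can act on when that domain publishes a policy.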