On 2022-11-08 23:55, Brandon Long wrote:
On Tue, Nov 8, 2022 at 3:45 PM MRob via mailop <[email protected]> wrote:

On 2022-11-08 22:51, Brandon Long via mailop wrote:
> Validating From headers is the whole thing behind DMARC.  Yes, an MSP
> should validate the From header for mail it originates, but there are
> often cases, such as various kinds of relaying, where doing so is not
> possible. One can use DMARC or other heuristics to try and figure that
> out when forwarding/relaying, but it's definitely not a "this obviously
> shouldn't happen" kind of thing.

Then spammers always use a relay where it isn't validated, so what's the
point?

> The flip side is you can also implement DMARC and reject the spoofed
> mail from MS if they are indeed failing at it.

Well, SPF fails for this message because there is no SPF, but DKIM succeeds
because Microsoft signed with the envelope sender domain. The DMARC check
seems confused locally. But if Microsoft agrees to DKIM-sign using the
envelope-from (**signature including the From header**), shouldn't that
mean it is seeing the headers and can of course validate the From header?
For me that shows extra proof that Microsoft is allowing free-form, unchecked
spoofing.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=<redact>.onmicrosoft.com; s=selector1-<redact>-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
  bh=.....


It's common for some mailing lists to not modify the From header and to DKIM
sign the mail they send based on the mailing list domain, not the From domain.
Doing this is not strictly wrong.

There are also other annoying cases, such as Outlook invite accepts, which
spoof From addresses on purpose, which obviously doesn't work well in these
scenarios.

Enterprises also often have multiple domains, and not all of them may be
configured on the O365 instance which is running as the company's outbound
relay.

Should they be catching the spam and not DKIM signing it?  It would be
nice, yes, but that doesn't mean what they're doing would be wrong if the
content wasn't spam.

Thank you for pointing out corner cases, but of course this was typical spam, not any of your examples. Is your point that because these corner cases exist, they *never* inspect the From header? Therefore my conclusion is correct: Microsoft allows free-form From spoofing; even more, Microsoft will always DKIM sign a forged From header.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

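The disagreement above turns on one DMARC detail: a DKIM signature that verifies is not the same as a DKIM signature that is *aligned* with the RFC5322.From domain. The signature MRob quotes has d= set to the tenant's onmicrosoft.com domain, so DKIM passes while DMARC alignment fails, and with no SPF record for the From domain there is nothing to rescue it. The following is an added example, not code from the thread or from Microsoft, showing the RFC 7489 identifier-alignment step over a constructed message. The domains, selector and addresses are invented; cryptographic DKIM verification is assumed to have already happened (the caller passes which d= domains verified), and the organizational-domain computation is simplified to the last two labels where a real evaluator would consult the Public Suffix List.

```python
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr

# Constructed sample modelled on the thread: d= is the tenant's
# onmicrosoft.com domain, the From header carries an unrelated domain,
# and that domain publishes no SPF record. All names are invented.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=contoso.onmicrosoft.com; s=selector1-contoso-onmicrosoft-com;
  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
  bh=...; b=...
From: "Accounts" <accounts@example.com>
To: victim@example.net
Subject: Invoice attached

Please see the attached invoice.
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Assumption of this example: the last two
    labels. A real DMARC evaluator uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_dom, auth_dom, mode="r"):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)


def rfc5322_from_domain(msg):
    addr = parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(raw, dkim_verified, spf_result="none", spf_domain=None,
                   adkim="r", aspf="r"):
    """dkim_verified: {d= domain: True} for signatures that verified.
    spf_result/spf_domain: outcome of the SPF check on the MAIL FROM
    (envelope) domain. adkim/aspf mirror the DMARC record's alignment tags."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    from_dom = rfc5322_from_domain(msg)

    # DKIM contributes to DMARC only if the signature verified AND its d=
    # aligns with the From domain. A verified-but-unaligned d= counts for
    # nothing, which is exactly the onmicrosoft.com situation in the thread.
    dkim_ok = False
    for sig in msg.get_all("DKIM-Signature", []):
        d = parse_dkim_tags(str(sig)).get("d", "")
        if dkim_verified.get(d, False) and aligned(from_dom, d, adkim):
            dkim_ok = True

    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_dom, spf_domain, aspf))

    return {
        "from_domain": from_dom,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "result": "pass" if (dkim_ok or spf_ok) else "fail",
    }


if __name__ == "__main__":
    # The quoted case: signature verifies, but d= does not align -> fail.
    print(dmarc_evaluate(SAMPLE, {"contoso.onmicrosoft.com": True}))
```

The DKIM pass MRob observes corresponds to `dkim_verified` containing the d= domain; `dkim_aligned` is what DMARC actually consumes, and it is false here because `contoso.onmicrosoft.com` and `example.com` share no organizational domain. A receiver enforcing the From domain's DMARC policy (Brandon's "flip side") would act on that `fail`.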