Re: [mailop] Office 365 - Emails marked as not passing fraud detection

2017-11-23 Thread Shane Clay via mailop
Bill - the email wasn't aimed at asking Microsoft for support on a public 
mailing list. It wasn't a technical support request at all. It was from a 
network person, separate from the end user, looking into an issue which he is 
unfortunately lumped with, who decided to ask a community of people who 
specialise in e-mail if they possibly see something that he didn't amongst a 
set of email headers. Surely that is an appropriate discussion to have amongst 
professionals.

Anyway

To the couple of people who did reply off-list, thanks. I think I'm now armed 
with some useful information to send back to the client on what they should be 
doing to resolve it.

Shane



-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Bill Cole
Sent: Friday, 24 November 2017 2:44 PM
To: Shane Clay via mailop <mailop@mailop.org>
Subject: Re: [mailop] Office 365 - Emails marked as not passing fraud detection

On 23 Nov 2017, at 22:31 (-0500), Shane Clay via mailop wrote:

> Any ideas?

Maybe an organization that is clearly paying Microsoft for email services 
should consider the possible utility of going directly to Microsoft for 
support???

I'm 100% serious about that. It's been a few months since I was an admin for an 
O365 account, but in that time I strongly doubt that MS has become more opaque 
and unhelpful to their direct customers than they are to random non-customers 
on a public-ish mailing list. Michael Wise (of MS) is frequently quite helpful 
here but only to a point that can often be vague because he needs to be vague. 
OTOH, using the available tools and support system inside O365 to make special 
exceptions for messages that look possibly fake (like ones to and from the same 
address) worked for me in seconds to days every time in the 4 years that I had 
to fix a FP problem there.

TL;DR: Those paying for a service should seek and receive support for that 
service from their paid service provider and in my direct experience, O365 
customers get that.

(You can't imagine how painful it is for me to praise MS.)

--
Bill Cole
b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many 
*@billmail.scconsult.com addresses) Currently Seeking Steady Work: 
https://linkedin.com/in/billcole

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Office 365 - Emails marked as not passing fraud detection

2017-11-23 Thread Shane Clay via mailop
I'd considered that.

This server has been around a long time (and the rdns hasn't changed) and the 
problem has only just come up. If it is the rdns, it's a new problem.

Do the HELO and RDNS have to match to pass spam detection? I would have thought 
that a valid, matching SPF record and the fact that the IP actually has a PTR 
etc would be sufficient.

Shane

From: Postmaster [mailto:i...@mailvue.com]
Sent: Friday, 24 November 2017 2:23 PM
To: Shane Clay <sh...@caznet.com.au>
Subject: Re: [mailop] Office 365 - Emails marked as not passing fraud detection

Could it be the rdns?
PTR:ip-103-219-120-34.stcolumba.customer-wan.caznet.com.au;



On Nov 23, 2017, at 8:31 PM, Shane Clay via mailop <mailop@mailop.org> wrote:

PTR:ip-103-219-120-34.stcolumba.customer-wan.caznet.com.au;



[mailop] Office 365 - Emails marked as not passing fraud detection

2017-11-23 Thread Shane Clay via mailop
Hi All

I can't figure this one out so looking for some help from people in the know. 
One of our clients has a postfix mail relay server used for relaying emails 
from photocopiers/internal software systems out to the world.

Below I've pasted the headers of one. Office 365 / Outlook chucks them in the 
junk mail folder with a message "This sender failed our fraud detection checks 
and may not be who they appear to be."

From what I can see, the email matches SPF and is passing SPF/DMARC checks. 
I can't understand what it is seeing as wrong.

Any ideas?

Shane





Received: from SYXPR01MB1151.ausprd01.prod.outlook.com (10.171.35.141) by
SY3PR01MB1145.ausprd01.prod.outlook.com (10.171.0.11) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.239.5 via Mailbox Transport; Fri, 24 Nov 2017 03:23:28 +
Received: from ME1PR01CA0132.ausprd01.prod.outlook.com (10.171.9.145) by
SYXPR01MB1151.ausprd01.prod.outlook.com (10.171.35.141) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.260.4; Fri, 24 Nov 2017 03:23:27 +
Received: from ME1AUS01FT014.eop-AUS01.prod.protection.outlook.com
(2a01:111:f400:7eb4::204) by ME1PR01CA0132.outlook.office365.com
(2603:10c6:200:1b::17) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.260.4 via Frontend
Transport; Fri, 24 Nov 2017 03:23:27 +
Received: from mail.stcolumba.sa.edu.au (103.219.120.34) by
ME1AUS01FT014.mail.protection.outlook.com (10.152.232.114) with Microsoft
SMTP Server id 15.20.178.5 via Frontend Transport; Fri, 24 Nov 2017 03:23:26
+
Received: from KM269386 (unknown [10.102.10.54])
by mail.stcolumba.sa.edu.au (Postfix) with ESMTP id 95A4BC0BAE24
for ; Fri, 24 Nov 2017 
13:53:14 +1030 (ACDT)
From: Simon Flaherty 
To: Simon Flaherty 
Subject:
Thread-Index: AQHTZNOYCcOVafuWzkOoKK7iRk6SuQ==
Date: Fri, 24 Nov 2017 03:32:02 +
Message-ID: <20171124140202000ab70f.simon.flahe...@stcolumba.sa.edu.au>
Content-Language: en-AU
X-MS-Exchange-Organization-AuthSource: 
ME1AUS01FT014.eop-AUS01.prod.protection.outlook.com
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Network-Message-Id: 
7b477dc8-ad88-4e86-092d-08d532eab9f3
X-MS-TNEF-Correlator:
received-spf: Pass (protection.outlook.com: domain of stcolumba.sa.edu.au
designates 103.219.120.34 as permitted sender)
receiver=protection.outlook.com; client-ip=103.219.120.34;
helo=mail.stcolumba.sa.edu.au;
x-ms-publictraffictype: Email
authentication-results: spf=pass (sender IP is 103.219.120.34)
smtp.mailfrom=stcolumba.sa.edu.au; stcolumba.sa.edu.au; dkim=none (message
not signed) header.d=none;stcolumba.sa.edu.au; dmarc=pass action=none
header.from=stcolumba.sa.edu.au;compauth=pass reason=100
x-microsoft-exchange-diagnostics: 
1;SYXPR01MB1151;7:DnxrWG6h0x38Y2EwYd7DEFPIAttOlbuTEZYmD/+ZbnoP0Fl74xE8fI/MVEs1qvQPqsa2Gvgs6tN2+Gc0i1fgde8YkGz0CLD+BAXOUzvG4VzNhuJXVPMKQMR9PyXZ4VKaCv+PjtDvevqdEb+5BmGQK1fDvhcktBv0nzYWNxT+LoIAP/4KQejWFVfF13wo9rRSzHjK6U9nqcx6+98hdB6lUv33MRcZFfaTxUDk56lukHjh6kFqcnM6vd2W6bCpINFnqR2QsI7KnIvm9am8YJ2X6g67gbITzvKHyyC2x/fRZ8s=
x-forefront-antispam-report: 
CIP:103.219.120.34;IPV:NLI;CTRY:;EFV:NLI;SFV:SPM;SFS:(6009001)(8046002)(298032)(438002)(189002)(199003)(2876002)(25636003)(305945005)(567704001)(620011)(84326002)(5406001)(2171002)(6266002)(589011)(81156014)(81166006)(74482002)(2351001)(86152003)(14003)(42882006)(6916009)(101346004)(2148043)(003)(566031)(5416004)(1076002)(63106013)(106002)(77096006)(50986999)(500011)(568964002)(106466001)(54356999)(564344004)(104016004)(356003)(37006003)(512874002)(2476003)(1096003)(287071)(88552002)(86362001)(462011)(189998001)(429038);DIR:INB;SFP:;SCL:5;SRVR:SYXPR01MB1151;H:mail.stcolumba.sa.edu.au;FPR:;SPF:Pass;PTR:ip-103-219-120-34.stcolumba.customer-wan.caznet.com.au;MX:1;A:1;CAT:SPM;LANG:en;SFTY:9.11;
x-ms-office365-filtering-correlation-id: 7b477dc8-ad88-4e86-092d-08d532eab9f3
x-microsoft-antispam: 
UriScan:;BCL:0;PCL:0;RULEID:(4534020)(49563074)(121220049038)(71702078);SRVR:SYXPR01MB1151;
x-ms-traffictypediagnostic: SYXPR01MB1151:
x-ms-exchange-transport-endtoendlatency: 00:00:02.2240358
x-ms-exchange-crosstenant-originalarrivaltime: 24 Nov 2017 03:23:26.0304 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Internet
x-ms-exchange-crosstenant-id: fba15b65-df58-4536-b68c-9abdfb1b006d
x-ms-exchange-transport-crosstenantheadersstamped: SYXPR01MB1151
x-ms-exchange-crosstenant-network-message-id: 
7b477dc8-ad88-4e86-092d-08d532eab9f3
X-Microsoft-Exchange-Diagnostics: 
1;SY3PR01MB1145;27:70Llm1qlaswKeTTjCRyGryotp55ZC6CdTXHVoVvU2XJn8cdH4tsLWhaczNNmkLluWk/awzKlBGwt1ze1f8Qk9Eif/AFCoj/xzB6lqbGpxIsm/vwNGq1hUSf62wr4jsC4
Content-Type: multipart/mixed;
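
Added example, not part of the original thread: a small Python triage helper that pulls the fields the thread discusses (SPF/DKIM/DMARC/compauth results, HELO name `H`, reverse DNS `PTR`) and the filter verdict fields (`SFV`, `SCL`, `CAT`, `SFTY`) out of the two headers quoted above. The sample values are copied from the post with the long `SFS` rule list shortened; the function names are hypothetical.

```python
import re

# Constructed sample: field values copied from the headers quoted in the post,
# with the long SFS rule list shortened.
ANTISPAM_REPORT = (
    "CIP:103.219.120.34;IPV:NLI;CTRY:;EFV:NLI;SFV:SPM;SFS:(6009001)(8046002);"
    "DIR:INB;SFP:;SCL:5;SRVR:SYXPR01MB1151;H:mail.stcolumba.sa.edu.au;FPR:;"
    "SPF:Pass;PTR:ip-103-219-120-34.stcolumba.customer-wan.caznet.com.au;"
    "MX:1;A:1;CAT:SPM;LANG:en;SFTY:9.11;"
)
AUTH_RESULTS = (
    "spf=pass (sender IP is 103.219.120.34) smtp.mailfrom=stcolumba.sa.edu.au; "
    "stcolumba.sa.edu.au; dkim=none (message not signed) header.d=none;"
    "stcolumba.sa.edu.au; dmarc=pass action=none "
    "header.from=stcolumba.sa.edu.au;compauth=pass reason=100"
)

def parse_antispam_report(value):
    """Split 'KEY:VALUE;' pairs on the first ':' only, so IPv6 CIP values survive."""
    fields = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition(":")
        if sep:
            fields[key.upper()] = val
    return fields

def parse_auth_results(value):
    """Collect method=result pairs (spf, dkim, dmarc, compauth), ignoring comments."""
    no_comments = re.sub(r"\([^)]*\)", "", value)
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", no_comments))

def summarize(report, auth):
    r, a = parse_antispam_report(report), parse_auth_results(auth)
    helo, ptr = r.get("H", "").lower().rstrip("."), r.get("PTR", "").lower().rstrip(".")
    return {
        "auth": a,
        "scl": int(r["SCL"]) if r.get("SCL", "").lstrip("-").isdigit() else None,
        "verdict": r.get("SFV"),
        "category": r.get("CAT"),
        "sfty": r.get("SFTY"),
        "helo_matches_ptr": bool(helo) and helo == ptr,
    }

if __name__ == "__main__":
    for k, v in summarize(ANTISPAM_REPORT, AUTH_RESULTS).items():
        print(f"{k}: {v}")
```

On the quoted message this shows every authentication result passing while the filter verdict is still spam (`SFV:SPM`, `SCL:5`) and the HELO name differs from the PTR name.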