On 2024-08-30 at 13:35:02 UTC-0400 (Fri, 30 Aug 2024 13:35:02 -0400)
Alex <[email protected]>
is rumored to have said:
Hi,
I'm hoping someone can help me understand how what appears to be an
invoice
scam was passed through legitimate MS servers and
even USER_IN_DKIM_WHITELIST.
USER_IN_DKIM_WHITELIST refers to an explicit (i.e site or user-specific)
welcomelist, so this you did to yourself...
From: Microsoft <[email protected]>
There you go. *You* welcomelisted microsoft.com.
And Microsoft signed and sealed that mail. They believe it is entirely
legit. They are not actually a reliably trustworthy entity on that
topic, in fact I'd say they are quite prominently lousy at it.
Date: Fri, 30 Aug 2024 15:50:53 +0000
Subject: Your Microsoft order on August 30, 2024
Message-ID:
<[email protected]>
To: [email protected]
It also hit a few of my local test rules, including one that hits when
MS
mail is sent to us with a different To domain, but it received a
negative
score because of being on the default DKIM whitelist.
It is NOT on the default list. That would be a hit on the
USER_IN_DEF_*LIST rules. The only MS domain in the default list is
accountprotection.microsoft.com. The rest is garbage...
https://pastebin.com/fmjK9AfK
Microsoft signed it. You have a rule that says you trust Microsoft to
sign only their own non-spam mail.
Everyone makes trust errors... It's a recurring trope of many lives and
of history.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
