On Tue, Nov 8, 2022 at 3:45 PM MRob via mailop <mailop@mailop.org> wrote:

> On 2022-11-08 22:51, Brandon Long via mailop wrote:
> > Validating From headers is the whole thing behind DMARC.  Yes, an MSP
> > should validate the From header for mail it originates, but there are
> > often cases such as various kinds of relaying, where doing so is not
> > possible. One can use DMARC or other heuristics to try and figure that
> > out when forwarding/relaying, but it's definitely not a "this obviously
> > shouldn't happen" kind of thing.
>
> Then spammers always use a relay where it isn't validated, so what's the
> point.
>
> > The flip side is you can also implement DMARC and reject the spoofed
> > mail from MS if they are indeed failing at it.
>
> Well, SPF fails for this message because no SPF record exists, but DKIM
> succeeds because Microsoft signed with the envelope sender domain. The
> DMARC check seems confused locally. But if Microsoft agrees to DKIM-sign
> using envelope-from (**signature including the FROM header**), shouldn't
> that mean it is seeing the headers and can of course validate the FROM
> header? For me that shows extra proof Microsoft is allowing free-form
> unchecked spoofing.
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>   d=<redact>.onmicrosoft.com; s=selector1-<redact>-onmicrosoft-com;
>   h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
>   bh=.....
>

It's common for some mailing lists to not modify the From header and DKIM
sign the mail they send based on the mailing list domain, not the From
domain.  Doing this is not strictly wrong.

There are also other annoying cases, such as outlook invite accepts which
spoof from addresses on purpose, which obviously doesn't work well in these
scenarios.

Enterprises also often have multiple domains, and not all of them may be
configured on the O365 instance which is running as the company's outbound
relay.

Should they be catching the spam and not DKIM signing it?  It would be
nice, yes, but that doesn't mean what they're doing would be wrong if the
content wasn't spam.

Brandon



>
> > On Tue, Nov 8, 2022 at 2:39 PM MRob via mailop <mailop@mailop.org> wrote:
> >
> >> Hello,
> >> Microsoft doesn't limit FROM header spoofing? I saw a message like:
> >>
> >> Envelope from: example.user207@<redacted>.onmicrosoft.com
> >> To: <address on my domain>
> >> From: support@<fake domain made from *username* of recipient>
> >>
> >> For example if TO=rob...@example.com then FROM=supp...@robert.com
> >>
> >> Is it too complicated for Microsoft to check that the FROM header belongs
> >> to the sender's account?
> >>
> >> Is it best to always reject mail from <anything>.onmicrosoft.com?
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
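The exchange above hinges on DMARC identifier alignment: a DKIM signature whose d= is the tenant's onmicrosoft.com domain proves the signer saw the From header, but it does nothing for the From domain unless the two align. The following is an added example, not code from this thread or from Microsoft or any MTA; it runs a minimal RFC 7489-style alignment check over constructed headers that mirror the spoofed, mailing-list-relayed and legitimate cases discussed. The tenant name example-tenant, the list domain list.example.org and the SPF/DKIM results are assumptions, and the organizational-domain helper uses a last-two-labels approximation in place of the Public Suffix List.

```python
# Added example (not from this thread, nor Microsoft's or Google's code): a
# minimal DMARC identifier-alignment check, RFC 7489 style, run over
# constructed headers that mirror the cases discussed above.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption: a real evaluator consults the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dkim_tag(raw_message: str, tag: str) -> Optional[str]:
    """Pull one tag (e.g. 'd' or 'h') out of the first DKIM-Signature header,
    tolerating header folding (continuation lines)."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*" + re.escape(tag) + r"=([^;]+)", sig)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def evaluate_dmarc(raw_message: str, envelope_from: str, spf_result: str,
                   dkim_result: str, mode: str = "r") -> dict:
    """Combine SPF and DKIM outcomes (supplied by the caller, as an MTA would
    already have computed them) with alignment against the RFC5322.From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    mail_from_domain = envelope_from.rsplit("@", 1)[-1]
    d = dkim_tag(raw_message, "d")
    signed = (dkim_tag(raw_message, "h") or "").lower().split(":")
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, mode)
    dkim_ok = (dkim_result == "pass" and d is not None
               and aligned(d, from_domain, mode))
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dkim_covers_from": "from" in signed,  # signer saw the From header
        "dmarc_pass": spf_ok or dkim_ok,       # either aligned pass suffices
    }


# Constructed message mirroring the thread: envelope sender and DKIM d= are in
# the tenant's onmicrosoft.com domain, but From names a domain built from the
# recipient's username.  Signature values are placeholders.
SPOOFED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example-tenant.onmicrosoft.com; s=selector1-example-tenant-onmicrosoft-com;
  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
  bh=placeholder; b=placeholder
From: support@robert.com
To: robert@example.com
Subject: Invoice

hello
"""

# Constructed variant of the mailing-list case Brandon mentions: From is left
# untouched and the list signs with its own (assumed) domain.
LIST_RELAYED = SPOOFED.replace("d=example-tenant.onmicrosoft.com",
                               "d=list.example.org")

# Constructed variant where the signing domain matches the From domain.
LEGIT = SPOOFED.replace("d=example-tenant.onmicrosoft.com", "d=robert.com")


def demo() -> dict:
    """Run the three constructed cases; results are what a receiver's DMARC
    evaluation would conclude before consulting the From domain's policy."""
    return {
        "spoofed": evaluate_dmarc(
            SPOOFED, "example.user207@example-tenant.onmicrosoft.com",
            spf_result="none", dkim_result="pass"),
        "list_relayed": evaluate_dmarc(
            LIST_RELAYED, "bounces@list.example.org", "pass", "pass"),
        "legit": evaluate_dmarc(
            LEGIT, "support@mail.robert.com", "pass", "pass"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The spoofed case fails DMARC even though the DKIM signature is valid and covers From, which is exactly why a receiver enforcing the From domain's published policy can reject it without the originating MSP having checked anything; the list-relayed case fails for the same structural reason, which is the cost Brandon alludes to.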
