On Thu, 10 May 2018 12:48:29 +0000 Paul Stead wrote:

> On 10/05/2018, 13:46, "David Jones" <djo...@ena.com> wrote:
>
> >Do you have a reason to think that that's possible?
> >It doesn't seem very likely, but there are some default whitelist
> >entries that should go if it is.
>
> Anyone on O365 not using webmail or Outlook can spoof any other O365
> customer using authenticated SMTP to smtp.office365.com where they can
> control the envelope-from and From: header and the SPF check will pass.
> The only thing stopping it is Microsoft's ability to detect unusual
> activity.

My experience with gmail is that they rewrite the envelope. I expected
O365 to do the same.

> Not only is it possible - I've had actual examples of this happening
> on our platform, spoofed Envelope-From spam sent through O365 and the
> SPF passing...

In that case the following domains should be moved from
60_whitelist_auth.cf to 60_whitelist_dkim.cf:

usps.gov
hilton.com
accountprotection.microsoft.com
theupsstore.com
logmein.com
lastpass.com
amtrak.com
druryhotels.com
ticketmaster.com
adt.com
homedepot.com

And the following should be removed from 60_whitelist_spf.cf:

match.com
silicon.com
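As an added illustration (not code from this thread or from SpamAssassin), a simplified model of why moving an entry from whitelist_from_auth to whitelist_from_dkim matters: a message relayed through a shared cloud outbound can pass SPF for the domain in its envelope, but cannot carry a DKIM signature verified for that domain, so only the DKIM-only flavour refuses to whitelist it. The two Authentication-Results samples, the relay hostname mx.example.org and the three-way `whitelisted()` helper are constructed assumptions; SpamAssassin's real logic lives in its SPF and DKIM plugins.

```python
import re
from email import message_from_string

# Constructed headers (not from the thread). Both claim to be from usps.gov and
# were relayed by a shared outbound whose IP is in usps.gov's SPF record, so
# SPF passes either way; only the second carries a DKIM signature that
# verified for usps.gov.
SPF_ONLY = ("From: USPS Tracking <tracking@usps.gov>\n"
            "Authentication-Results: mx.example.org; spf=pass "
            "smtp.mailfrom=usps.gov; dkim=none\n\nbody\n")
WITH_DKIM = ("From: USPS Tracking <tracking@usps.gov>\n"
             "Authentication-Results: mx.example.org; spf=pass "
             "smtp.mailfrom=usps.gov; dkim=pass header.d=usps.gov\n\nbody\n")


def auth_domains(raw):
    """Return (From domain, SPF-pass domain or None, DKIM-pass domain or None)."""
    msg = message_from_string(raw)
    from_dom = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    ar = msg["Authentication-Results"] or ""
    spf = re.search(r"spf=pass\b.*?smtp\.mailfrom=([\w.-]+)", ar)
    dkim = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", ar)
    return (from_dom,
            spf.group(1).lower() if spf else None,
            dkim.group(1).lower() if dkim else None)


def whitelisted(raw, domain, mode):
    """Simplified model (an assumption, not SA's code) of one whitelist entry:
    'spf'  -> From domain matches and SPF passed for that same domain
    'dkim' -> From domain matches and a DKIM signature for it verified
    'auth' -> either of the above
    """
    from_dom, spf_dom, dkim_dom = auth_domains(raw)
    if from_dom != domain.lower():
        return False
    spf_ok = spf_dom == from_dom
    dkim_ok = dkim_dom == from_dom
    return {"spf": spf_ok, "dkim": dkim_ok, "auth": spf_ok or dkim_ok}[mode]


if __name__ == "__main__":
    for name, raw in (("SPF-only", SPF_ONLY), ("DKIM-signed", WITH_DKIM)):
        print(name, {m: whitelisted(raw, "usps.gov", m)
                     for m in ("auth", "dkim", "spf")})
```

Running it shows the SPF-only message is accepted under 'auth' and 'spf' but rejected under 'dkim', while the DKIM-signed one is accepted under all three.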