On 05/10/2018 01:32 PM, RW wrote:
> On Thu, 10 May 2018 09:55:00 -0500
> David Jones wrote:
>
>> On 05/10/2018 09:39 AM, RW wrote:
>>> Microsoft has a list of domains it hosts and a list of hosted
>>> domains (and/or its own addresses) tied to each account. Given how
>>> much reliance MS place on DMARC's preventing spoofing, and how easy
>>> it would be for them to prevent one user spoofing another's domain
>>> on submission, I'd be very surprised if they allow it.
>>
>> They do. I saw an example a few weeks ago.
>
> The very fact that you are citing just one a few weeks ago strongly
> suggests that they don't.

It's possible that it could have been months ago, I guess, so my memory
could be off. The fact that someone tested it recently and Microsoft
blocks it today is encouraging. Maybe they enabled this logic recently
to match what Google is doing which is the correct way to handle this
and prevent "SPF piggy-backing."

>>> Paul Stead claims to have seen it, but it's important to positively
>>> identify it as spoofing and not hacking.
>>
>> Not sure what the difference is from a mail filtering perspective.
>
> The difference is that if domains that include Microsoft's SPF are as
> wide open to spoofing as you suggest, they shouldn't have
> def_whitelist_auth entries.

You are correct. When they were added this issue of "SPF piggy-backing"
wasn't an issue. It may have been known to be a potential problem but
wasn't being actively exploited like the toyrus.com was last year when I
first noticed it.

It's also possible that those whitelist_* domains have added the
"include:spf.protection.outlook.com" to their SPF record recently after
migrating their corporate mail hosting to O365. We don't have anything
actively monitoring whitelist entries for SPF record changes so we have
to rely on abuse reports to this list to remove/change them in SA.
--
David Jones
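
An added example, not part of the original message and not SpamAssassin code: one way to audit whitelisted domains for an SPF record that authorizes a shared provider's range, directly or through nested include/redirect terms. The domain names and SPF records are constructed sample data standing in for DNS TXT lookups; only "spf.protection.outlook.com" comes from the thread, and the function names are hypothetical.

```python
# Added example: flag whitelisted domains whose SPF (directly or via nested
# include/redirect) authorizes a shared hosting provider's sending range.
# All records below are constructed sample data, not real DNS answers.

SHARED_INCLUDES = {"spf.protection.outlook.com"}  # named in the thread

# Constructed stand-in for DNS TXT lookups (domain -> SPF record).
SAMPLE_SPF = {
    "example-direct.test": "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all",
    "example-nested.test": "v=spf1 include:_spf.example-nested.test ~all",
    "_spf.example-nested.test": "v=spf1 include:spf.protection.outlook.com -all",
    "example-own.test": "v=spf1 ip4:198.51.100.0/24 mx -all",
    "example-loop.test": "v=spf1 redirect=example-loop.test",
}

def spf_targets(record):
    """Return domains referenced by include: mechanisms and redirect= modifiers."""
    targets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?").lower()   # drop the qualifier, if any
        if term.startswith("include:"):
            targets.append(term[len("include:"):])
        elif term.startswith("redirect="):
            targets.append(term[len("redirect="):])
    return targets

def shared_include_path(domain, lookup, seen=None, max_depth=10):
    """Return the include chain leading to a shared provider, or None."""
    seen = set() if seen is None else seen
    if domain in seen or max_depth == 0:     # loop and depth protection
        return None
    seen.add(domain)
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for target in spf_targets(record):
        if target in SHARED_INCLUDES:
            return [domain, target]
        path = shared_include_path(target, lookup, seen, max_depth - 1)
        if path:
            return [domain] + path
    return None

def audit(whitelisted, lookup=SAMPLE_SPF.get):
    """Map each flagged whitelist domain to its include chain."""
    hits = {d: shared_include_path(d, lookup) for d in whitelisted}
    return {d: p for d, p in hits.items() if p}
```

Running this periodically with a real TXT resolver passed as `lookup`, and comparing the result with the previous run, would surface whitelist entries that started including a shared provider after they were added.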