On 06/09/2018 01:28 PM, Alex wrote:
Hi,
On a somewhat related note, I just noticed one of our customers has
listed spf.protection.outlook.com in their SPF record:
bestwesternnwcc.com. 600 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
Doesn't this amount to thousands of IP addresses that could
conceivably be used to spoof any other domain that's "hosted" using
one of those IPs?
You are correct. We saw a spoofed toysrus.com email from a compromised
account on Office 365 posted on this mailing list in the last year
sometime. That means that someone can easily send a fake email from
O365 and pass SPF checks if Microsoft doesn't properly detect/prevent this.
I recall another thread on this list that said Microsoft forces webmail
and native Outlook clients to send within their own domain/organization
but I am pretty sure an AUTH SMTP client (e.g. Thunderbird, Apple Mail,
etc.) can specify an envelope-from domain outside of their own
domain/org. Maybe MS has blocked this recently but I know I have seen
this in the wild a year or two ago.
The best thing to do is get DKIM signing set up on your own domains and
try to move toward DMARC p=reject to prevent spoofing. This primarily
needs to be done by high profile domains first that are common
candidates to be spoofed. I doubt that anyone would really want to
spoof ena.com on a large scale but bestwesternnwcc.com could be valuable
to spoof.
--
David Jones
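The mechanics the two messages above argue about, as an added example that is not part of the thread or of any participant's code. It is a small SPF evaluator over a constructed, in-memory TXT table (no live DNS): it follows include: chains with the RFC 7208 lookup limit, counts how many addresses a record such as bestwesternnwcc.com's ends up authorizing, returns the SPF result for a given client IP and MAIL FROM domain, and then applies DMARC's relaxed identifier alignment to show which spoofing paths a p=reject policy closes (a sending host outside the include, or a MAIL FROM that does not align with the header From) and which it does not (a sender inside the shared include who also sets an aligned MAIL FROM). The ip4 prefixes under spf.protection.outlook.com and spfd.protection.outlook.com are illustrative stand-ins, not a copy of Microsoft's published record; contoso.onmicrosoft.com, example.net and attacker.example are made-up names; and org_domain() uses a two-label heuristic instead of the Public Suffix List.

```python
"""Toy SPF expansion / SPF check / DMARC alignment over a constructed DNS table.
Added example for this thread; not the mailing-list authors' code."""
import ipaddress
import re

# Constructed TXT records (assumption). The outlook.com ranges are illustrative
# stand-ins with realistic prefix sizes, NOT Microsoft's real published record.
DNS_TXT = {
    "bestwesternnwcc.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": ("v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 "
                                   "ip4:52.100.0.0/14 "
                                   "include:spfd.protection.outlook.com -all"),
    "spfd.protection.outlook.com": "v=spf1 ip4:51.4.72.0/24 ip4:51.5.72.0/24 -all",
    "example.net": "v=spf1 ip4:203.0.113.10 -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 include/a/mx/... is permerror
_ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_spf(domain, dns=DNS_TXT, _path=(), _lookups=None):
    """Return (networks, lookups): every network that yields a PASS for `domain`,
    following include: recursively. Only ip4/ip6/include/all are handled; a/mx/ptr/
    exists would need live DNS and raise here. Detects include loops and the limit."""
    _lookups = [0] if _lookups is None else _lookups
    if domain in _path:
        raise ValueError(f"permerror: include loop at {domain}")
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return [], _lookups[0]          # no record: the include simply does not match
    nets = []
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            break                       # terms after 'all' are never evaluated
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if qualifier == "+":        # only '+' terms authorize; -ip4: etc. are exclusions
                nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                raise ValueError("permerror: too many DNS lookups")
            sub, _ = expand_spf(arg, dns, _path + (domain,), _lookups)
            if qualifier == "+":
                nets.extend(sub)        # an included record's own '-all' does not propagate
        else:
            raise ValueError(f"mechanism '{mech}' needs live DNS; not supported in this toy")
    return nets, _lookups[0]


def authorized_address_count(domain, dns=DNS_TXT):
    """How many IPv4 addresses may send MAIL FROM @domain and still get SPF pass."""
    nets, _ = expand_spf(domain, dns)
    v4 = [n for n in nets if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))


def spf_check(client_ip, mail_from_domain, dns=DNS_TXT):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none') for one SMTP client."""
    record = dns.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    nets, _ = expand_spf(mail_from_domain, dns)
    if any(ip in n for n in nets if n.version == ip.version):
        return "pass"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return _ALL_RESULT[m.group(1) or "+"] if m else "neutral"


def org_domain(d):
    """Crude organizational domain: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, other, mode="r"):
    """DMARC identifier alignment: strict = identical, relaxed = same organizational domain."""
    a, b = header_from.lower().rstrip("."), other.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_check(header_from, mail_from, spf_result, dkim_d=None, dkim_result="none"):
    """DMARC passes if EITHER an aligned SPF (MAIL FROM) OR an aligned DKIM (d=) passes.
    With p=reject a 'fail' here is what gets the message refused."""
    spf_ok = spf_result == "pass" and aligned(header_from, mail_from)
    dkim_ok = dkim_result == "pass" and dkim_d is not None and aligned(header_from, dkim_d)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    print("addresses authorized by bestwesternnwcc.com:", authorized_address_count("bestwesternnwcc.com"))
    # a host inside the shared include, MAIL FROM the customer's domain: SPF pass
    print("SPF from 40.92.1.2:", spf_check("40.92.1.2", "bestwesternnwcc.com"))
    # same host, but the tenant's own domain in MAIL FROM: SPF passes for the tenant, not for the target
    print("DMARC, unaligned MAIL FROM:", dmarc_check("bestwesternnwcc.com", "contoso.onmicrosoft.com",
                                                    "pass", "contoso.onmicrosoft.com", "pass"))
    print("DMARC, aligned MAIL FROM:", dmarc_check("bestwesternnwcc.com", "bestwesternnwcc.com", "pass"))
```

The last two calls are the crux of the thread: DMARC only rejects when neither identifier aligns, so a compromised tenant that can put the victim's domain in MAIL FROM (the behaviour the second message says it has seen from AUTH SMTP clients) still gets an aligned SPF pass from the shared include, whereas a sender that is pinned to its own tenant domain in MAIL FROM, or that sends from outside the include, fails alignment and is rejected under p=reject. A DKIM signature helps the receiver only when the signing d= aligns with the header From, which the tenant's own key does not.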