[194242] in North American Network Operators' Group
Re: Microsoft O365 labels nanog potential fraud?
daemon@ATHENA.MIT.EDU (DaKnOb)
Wed Mar 29 03:04:25 2017
X-Original-To: nanog@nanog.org
From: DaKnOb <daknob.mac@gmail.com>
In-Reply-To: <EAF7EE9D-5CDE-4D76-A953-2CD69F8A0CF0@beckman.org>
Date: Wed, 29 Mar 2017 10:04:16 +0300
To: Mel Beckman <mel@beckman.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Usually mailing lists act like e-mail spoofers as far as SPF and DKIM are concerned. These two systems above try to minimize spoofed e-mail by doing the following:
SPF: Each domain adds a list of IP Addresses that are allowed to send e-mail on their behalf.
DKIM: Each email sent by an "original" mail server is cryptographically signed with a key available, again, in the DNS.
When you send an e-mail to a list, you send it to the mailing list mail server. After that, if the server forwards that e-mail to the recipients, its original address is shown, therefore if Outlook checks for SPF records, that check will fail. An easy way to get around this is for the list to change the From field to something else, like "Mel Beckman via NANOG" and a local email address.
However, when you send that email, it may also be signed with DKIM: any change in subject (say "[NANOG]" is added) or the body (say "You received this email because you subscribed to NANOG" is appended) will also cause that check to fail.
Typically the behavior of the recipient if one or both of these checks failed is described in yet another DNS record, called a DMARC Policy. Some set this to very strict levels (reject e-mail / send to spam), some others to warn the user (like what you saw?), and some others, knowing this happens, to ignore/notify.
This message probably appears because of the above SPF / DKIM / DMARC combo but I can't be 100% sure from the provided info.
In any case, this is likely not your fault. If you want to be sure, verify the contents of the e-mail against the public NANOG archive which is available over HTTPS. My guess is that nothing has been changed.
Thanks,
Antonios
> On 29 Mar 2017, at 03:22, Mel Beckman <mel@beckman.org> wrote:
>
> Is anyone else getting this message on every nanog post today?
>
> "This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing"
>
> I don't know if this link itself is malware, as it goes to the MS store, or if something is broken in the Nanog Mail machine.
>
> If it's just me, never mind. I'll figure it out.
>
> -mel beckman
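
Added example, not part of the original message or written by anyone in the thread: a small Python model of the three cases the reply describes (direct delivery, a list that keeps the From address but appends a footer, and a list that rewrites From to its own domain). Assumptions: the domains `author.example` and `list.example`, the IP ranges and the message text are constructed; DKIM is modelled only by its body hash (`bh=`, "simple" canonicalization), and domain alignment is an exact match.

```python
import base64, hashlib, ipaddress

# Constructed SPF data: domain -> networks allowed to send for it (documentation ranges).
SPF = {"author.example": ["192.0.2.0/24"], "list.example": ["198.51.100.0/24"]}

def body_hash(body):
    """DKIM bh= value: base64(SHA-256(body)), 'simple' body canonicalization (RFC 6376)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":      # ignore empty lines at the end of the body
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def spf_pass(domain, ip):
    """True if ip is inside a network the domain lists as an authorized sender."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in SPF.get(domain, []))

def dmarc(from_domain, envelope_domain, ip, dkim_domain, signed_bh, body):
    """DMARC-style verdict: SPF or DKIM must pass for a domain equal to the From: domain."""
    spf_ok = spf_pass(envelope_domain, ip) and envelope_domain == from_domain
    # Simplification: only the body hash is checked, not the signed headers or the signature.
    dkim_ok = body_hash(body) == signed_bh and dkim_domain == from_domain
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

ORIGINAL = "Is anyone else getting this message?\r\n"
FOOTER = "--\r\nYou received this email because you subscribed to the list\r\n"
SIGNED_BH = body_hash(ORIGINAL)           # what the author's server put in bh=
LIST_IP = "198.51.100.7"                  # constructed list server address

def scenarios():
    return {
        # Direct delivery from the author's own server: everything lines up.
        "direct": dmarc("author.example", "author.example", "192.0.2.10",
                        "author.example", SIGNED_BH, ORIGINAL),
        # List keeps From:, appends a footer: SPF is for the list's domain, body hash breaks.
        "list_footer": dmarc("author.example", "list.example", LIST_IP,
                             "author.example", SIGNED_BH, ORIGINAL + FOOTER),
        # List rewrites From: to its own domain ("via" style): SPF now aligns.
        "list_rewrite": dmarc("list.example", "list.example", LIST_IP,
                              "author.example", SIGNED_BH, ORIGINAL + FOOTER),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The same `body_hash` comparison can be used to confirm whether a received copy differs from the archived one only by a list footer.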