[194244] in North American Network Operators' Group


Re: Microsoft O365 labels nanog potential fraud?

daemon@ATHENA.MIT.EDU (Mel Beckman)
Wed Mar 29 06:17:27 2017

X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: DaKnOb <daknob.mac@gmail.com>
Date: Wed, 29 Mar 2017 10:17:17 +0000
In-Reply-To: <94D4DAA8-34FD-4104-B233-84585C590900@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Antonios,

Thanks for the very clear explanation. I use DKIM and SPF, but didn't know about this corner case. I'm surprised the SPF, etc. architects missed it, or seem to have. In any event, I seem to be getting all the messages.

 -mel beckman

> On Mar 29, 2017, at 12:04 AM, DaKnOb <daknob.mac@gmail.com> wrote:
>
> Usually mailing lists act like e-mail spoofers as far as SPF and DKIM are concerned. These two systems above try to minimize spoofed e-mail by doing the following:
>
> SPF: Each domain adds a list of IP Addresses that are allowed to send e-mail on their behalf.
>
> DKIM: Each email sent by an "original" mail server is cryptographically signed with a key available, again, in the DNS.
>
> When you send an e-mail to a list, you send it to the mailing list mail server. After that, if the server forwards that e-mail to the recipients, its original address is shown, therefore if Outlook checks for SPF records, that check will fail. An easy way to get around this is for the list to change the From field to something else, like "Mel Beckman via NANOG" and a local email address.
>
> However, when you send that email, it may also be signed with DKIM: any change in subject (say "[NANOG]" is added) or the body (say "You received this email because you subscribed to NANOG" is appended) will also cause that check to fail.
>
> Typically the behavior of the recipient if one or both of these checks failed is described in yet another DNS record, called a DMARC Policy. Some set this to very strict levels (reject e-mail / send to spam), some others to warn the user (like what you saw?), and some others, knowing this happens, to ignore/notify.
>
> This message probably appears because of the above SPF / DKIM / DMARC combo but I can't be 100% sure from the provided info.
>
> In any case, this is likely not your fault. If you want to be sure, verify the contents of the e-mail against the public NANOG archive which is available over HTTPS. My guess is that nothing has been changed.
>
> Thanks,
> Antonios
>
>> On 29 Mar 2017, at 03:22, Mel Beckman <mel@beckman.org> wrote:
>>
>> Is anyone else getting this message on every nanog post today?
>>
>> "This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing"
>>
>> I don't know if this link itself is malware, as it goes to the MS store, or if something is broken in the Nanog Mail machine.
>>
>> If it's just me, never mind. I'll figure it out.
>>
>> -mel beckman
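
The SPF / DKIM / DMARC interaction described in the quoted explanation, as an added example that is not part of the original thread. It is a simplified model: the domains and IP addresses are constructed placeholders, a SHA-256 digest stands in for the real DKIM signature, alignment is exact-match only, and the list is assumed to send with its own envelope sender.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: placeholder domains and documentation-range IPs.
SPF_ALLOWED = {                      # domain -> IPs allowed to send for it
    "sender.example": {"192.0.2.10"},
    "list.example": {"198.51.100.25"},
}

@dataclass
class Message:
    envelope_from: str      # SMTP MAIL FROM domain (what SPF evaluates)
    header_from: str        # domain in the visible From: header (DMARC aligns to it)
    subject: str
    body: str
    dkim_domain: str = ""   # d= tag of the signature
    dkim_digest: str = ""   # stand-in for the signature value

def digest(msg):
    # Stand-in for DKIM: real DKIM hashes the canonicalized body and signed
    # headers, then verifies a public-key signature with a key fetched from DNS.
    data = f"{msg.header_from}\r\n{msg.subject}\r\n{msg.body}".encode()
    return hashlib.sha256(data).hexdigest()

def sign(msg, domain):
    msg.dkim_domain, msg.dkim_digest = domain, digest(msg)
    return msg

def evaluate(msg, connecting_ip):
    spf = connecting_ip in SPF_ALLOWED.get(msg.envelope_from, set())
    dkim = bool(msg.dkim_digest) and msg.dkim_digest == digest(msg)
    # DMARC: at least one passing mechanism must be aligned with the header
    # From domain (strict alignment here, i.e. exact domain match).
    dmarc = (spf and msg.envelope_from == msg.header_from) or \
            (dkim and msg.dkim_domain == msg.header_from)
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}

def relay_via_list(msg, rewrite_from=False):
    # The list re-sends from its own server with its own bounce address,
    # tags the subject and appends a footer; the old signature is kept as-is.
    out = Message("list.example", msg.header_from, "[LIST] " + msg.subject,
                  msg.body + "\r\n-- \r\nYou are subscribed to LIST\r\n",
                  msg.dkim_domain, msg.dkim_digest)
    if rewrite_from:        # "Name via LIST" style From rewriting
        out.header_from = "list.example"
    return out

original = sign(Message("sender.example", "sender.example", "Hello", "Hi all\r\n"), "sender.example")
```

Evaluating `original` from the sender's own IP passes all three checks; evaluating `relay_via_list(original)` from the list's IP fails DKIM and DMARC, and with `rewrite_from=True` DMARC passes again through the list's aligned SPF result.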
