[194277] in North American Network Operators' Group
Re: Microsoft O365 labels nanog potential fraud?
daemon@ATHENA.MIT.EDU (Carl Byington)
Wed Mar 29 17:28:36 2017
X-Original-To: nanog@nanog.org
From: Carl Byington <carl@five-ten-sg.com>
To: nanog@nanog.org
In-Reply-To: <15539534.4rWtqb57Ip@skynet.simkin.ca>
Date: Wed, 29 Mar 2017 14:28:30 -0700
Errors-To: nanog-bounces@nanog.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Wed, 2017-03-29 at 09:24 -0700, Alan Hodgson wrote:
> So for DMARC+SPF to pass not only must the message come from a source
> authorized by the envelope sender domain, but that domain must be the
> same domain (or parent domain or subdomain) of the header From:
> address.
> For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM
> signing domain must be the same domain (or parent domain or subdomain)
> of the header From: address.
> Again, DMARC requires only one or the other mechanism to pass. So
> messages forwarded intact should be OK if they have an aligned DKIM
> signature.
Brad Knowles wrote:
> ...and it's easy to set things up in a way that you wind up shooting
> yourself in the foot -- and possibly with a large thermonuclear
> device.
For an example of that (unless I am misunderstanding something), we
have:
--> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
<-- MAIL FROM:<$MUNGED@marketo-email.box.com>
<-- RCPT TO: ...
dkim pass header.d=mktdns.com
rfc2822 from header = $MUNGED@email.box.com
dig _dmarc.email.box.com txt +short
"v=DMARC1; p=reject; ..."
dig email.box.com txt +short
"v=spf1 ip4:192.28.147.168 -all"
So given the dmarc reject policy, it needs to pass either spf (which
fails: 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
is not signed by anything related to email.box.com).
Am I missing something, or is that just broken?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEAREKAAYFAljcJe4ACgkQL6j7milTFsFUMwCfT4Wgr0kUHjhVPvi0wER3Nfz+
osAAni5YH25tTCGk49jESd5NOKVk3Okd
=JL7y
-----END PGP SIGNATURE-----
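The alignment rules Alan describes and the case Carl walks through can be checked mechanically. The following is an added example, not code from the thread: a toy DMARC evaluator that applies identifier alignment (relaxed vs. strict) to the SPF and DKIM results and returns the disposition. It assumes the SPF record quoted for email.box.com is the one that applies to the MAIL FROM domain (a real receiver evaluates the MAIL FROM domain's own record), handles only `ip4:` mechanisms and the trailing `all` qualifier, and stands in for the public suffix list with a constructed set; the `user@` local parts replace the munged addresses.

```python
"""Toy DMARC alignment evaluator (added example, not from the NANOG thread).

Assumptions: SPF handles only ip4: mechanisms and a trailing all; the
public suffix list is a constructed stand-in; local parts are invented.
"""
import ipaddress

# Constructed stand-in for the public suffix list; real checks use the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def organizational_domain(domain):
    """Registrable (organizational) domain, e.g. email.box.com -> box.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk leftwards from the TLD until we leave the public suffix.
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        if suffix not in PUBLIC_SUFFIXES:
            return suffix
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def spf_check(record, client_ip):
    """Minimal SPF: ip4: mechanisms plus the trailing 'all' qualifier only."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # A bare address is treated as /32, as in RFC 7208.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def dmarc_evaluate(header_from, envelope_from, spf_result, dkim_passed_domains,
                   policy, aspf="r", adkim="r"):
    """Return (dmarc_result, disposition). Either aligned SPF or aligned DKIM suffices."""
    from_domain = header_from.split("@", 1)[1]
    env_domain = envelope_from.split("@", 1)[1]
    spf_ok = spf_result == "pass" and aligned(env_domain, from_domain, aspf)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_passed_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


def thread_example(client_ip="192.28.147.169", aspf="r"):
    """Wire up the values quoted in the thread; client_ip and aspf can be varied."""
    spf = spf_check("v=spf1 ip4:192.28.147.168 -all", client_ip)
    return dmarc_evaluate(
        header_from="user@email.box.com",            # rfc2822 From: domain
        envelope_from="user@marketo-email.box.com",  # MAIL FROM domain
        spf_result=spf,
        dkim_passed_domains=["mktdns.com"],          # dkim pass header.d=
        policy="reject",                             # p=reject in _dmarc.email.box.com
        aspf=aspf,
    )


if __name__ == "__main__":
    print("as observed (.169):", thread_example())
    print("if sent from .168, relaxed:", thread_example("192.28.147.168"))
    print("if sent from .168, strict:", thread_example("192.28.147.168", aspf="s"))
```

With the values as observed the result is a DMARC fail with a reject disposition: SPF fails on the source address, and the only DKIM signature is from mktdns.com, whose organizational domain is not box.com. Running the same inputs with the listed SPF address shows the subtlety in Alan's description: under the default relaxed alignment, marketo-email.box.com and email.box.com share the organizational domain box.com and SPF would align, while under strict alignment (`aspf=s`) the subdomain mismatch alone would still cause a fail.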