[194286] in North American Network Operators' Group
Re: Microsoft O365 labels nanog potential fraud?
daemon@ATHENA.MIT.EDU (Mark Andrews)
Thu Mar 30 00:24:56 2017
X-Original-To: nanog@nanog.org
To: Alan Hodgson <ahodgson@lists.simkin.ca>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 29 Mar 2017 15:03:20 -0700." <2066629.BbQ8KXnJic@skynet.simkin.ca>
Date: Thu, 30 Mar 2017 15:21:30 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <2066629.BbQ8KXnJic@skynet.simkin.ca>, Alan Hodgson writes:
> On Wednesday 29 March 2017 14:28:30 Carl Byington wrote:
> > For an example of that (unless I am misunderstanding something), we
> > have:
> >
> > --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
> > <-- MAIL FROM:<$MUNGED@marketo-email.box.com>
> > <-- RCPT TO: ...
> >
> > dkim pass header.d=mktdns.com
> > rfc2822 from header = $MUNGED@email.box.com
> >
> >
> > dig _dmarc.email.box.com txt +short
> > "v=DMARC1; p=reject; ..."
> >
> > dig email.box.com txt +short
> > "v=spf1 ip4:192.28.147.168 -all"
Well, you should be checking the correct TXT record for SPF.
dig marketo-email.box.com txt +short
"v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"
> > So given the dmarc reject policy, it needs to pass either spf (which
> > fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
> > is not signed by anything related to email.box.com).
> >
> > Am I missing something, or is that just broken?
>
> That appears to be broken. The -all on the SPF record alone breaks it, since
> receivers should refuse it at that point. But yeah the DMARC is also broken.
>
> Interestingly, the mail I've seen recently from email.box.com has multiple
> signatures, one of which is from email.box.com. And it originated from
> 192.28.147.168. Weird.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
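Mark's point (SPF is evaluated against the RFC5321.MailFrom domain, here marketo-email.box.com, and DMARC then only needs that identifier to align with the From domain) as an added worked example, not code from the thread or from ISC. The DNS table is a constructed snapshot of the records quoted above, only ip4/ip6/all mechanisms are implemented, and the organizational-domain rule is a simplification of the real Public Suffix List lookup.

```python
import ipaddress

# Constructed snapshot of the TXT records quoted in the thread (no live lookups).
DNS_TXT = {
    "email.box.com": "v=spf1 ip4:192.28.147.168 -all",
    "marketo-email.box.com": "v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all",
    "_dmarc.email.box.com": "v=DMARC1; p=reject;",
}

def check_spf(domain, client_ip, txt=DNS_TXT):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and the 'all' qualifier only
    (no include/a/mx/redirect); enough for the records in the thread."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # assumption: unsupported mechanisms are skipped
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def org_domain(domain):
    """Assumption: organizational domain = last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(d1, d2, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    d1, d2 = d1.lower(), d2.lower()
    return d1 == d2 if mode == "s" else org_domain(d1) == org_domain(d2)

def dmarc_result(from_domain, mail_from_domain, client_ip, dkim_d, dkim_pass, txt=DNS_TXT):
    """DMARC passes if at least one *aligned* identifier (SPF MailFrom or DKIM d=) authenticated."""
    policy = txt.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in policy.split(";") if "=" in t)
    spf_ok = (check_spf(mail_from_domain, client_ip, txt) == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "policy": tags.get("p", "none")}
```

With the thread's message (From email.box.com, MAIL FROM marketo-email.box.com, client 192.28.147.169, DKIM d=mktdns.com), SPF passes on the MailFrom domain and aligns in relaxed mode, so DMARC passes even though the DKIM signature is unaligned; checking the email.box.com SPF record instead, as in the original post, yields the fail that looked like a broken policy.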