Re: Microsoft O365 labels nanog potential fraud?

[Mark Andrews <marka () isc org>]

In message <2066629.BbQ8KXnJic () skynet simkin ca>, Alan Hodgson writes:
> On Wednesday 29 March 2017 14:28:30 Carl Byington wrote:
> > For an example of that (unless I am misunderstanding something), we
> > have:
> >
> >  --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
> >  <-- MAIL FROM:<$MUNGED () marketo-email box com>
> >  <-- RCPT TO: ...
> >
> > dkim pass header.d=mktdns.com
> > rfc2822 from header = $MUNGED () email box com
> >
> >
> > dig _dmarc.email.box.com txt +short
> > "v=DMARC1; p=reject; ..."
> >
> > dig email.box.com txt +short
> > "v=spf1 ip4:192.28.147.168 -all"

Well you should be checking the correct TXT record for SPF.

dig marketo-email.box.com txt +short
"v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"

> > So given the dmarc reject policy, it needs to pass either spf (which
> > fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
> > is not signed by anything related to email.box.com.
> >
> > Am I missing something, or is that just broken?
>
> That appears to be broken. The -all on the SPF record alone breaks it, since 
> receivers should refuse it at that point. But yeah the DMARC is also broken.
>
> Interestingly, the mail I've seen recently from email.box.com has multiple 
> signatures, one of which is from email.box.com. And it originated from 
> 192.28.147.168. Weird.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org