A tip for mailing list operators to interoperate with DMARC to avoid failures

One of the problems with DMARC is how mailing lists deal with participants that publish p=reject records. The domain owner has published a policy to prevent spoofing, but all of the various participants on the mailing list may be affected. This includes people within an organization that previously were taking part in technical discussions, but…

A quick overview of Outlook.com (Hotmail) sender support

Over the past two months, I have taken on a role to deal with deliverability and user complaints for Outlook.com (Hotmail). The main areas of focus are reducing user spam complaints, and helping to streamline the process for senders when they get blocked from delivering to Outlook.com. This includes fixing bugs in the spam filtering…

If you want to send to Outlook.com, send with a valid From: address

I’ve been quiet on this blog for a couple of weeks, and that’s because I’ve been helping out addressing some of the spam complaints in Outlook.com. The biggest issue we’ve seen recently is spam from invalid senders. This is an email where the From: address is not RFC compliant, and does one of two things:…

The difference between adding Safe and Blocked senders in Outlook, vs. Outlook.com

I’m currently doing a bunch of work around making Outlook.com better, and one of the things I’ve noticed is different is how you add to your Safe and Blocked senders list when you use a desktop client like Outlook, vs. when you use the web UX in either Outlook.com (our consumer email product) or Outlook Web…

Would a DMARC reject record have prevented Donald Trump from getting elected?

One of the reasons I just wrote that four part series on where email authentication is helpful against phishing, and where it is not-so-helpful, is because I wanted to examine the John Podesta email hacks. In case you’re not aware, John Podesta was the Chair of the Democratic Campaign to elect Hillary Clinton for President…

Where email authentication falls flat at stopping phishing – impersonation attacks using display tricks

In this series so far, we’ve seen how email authentication is a great thing at stopping phishing under some circumstances, and where it isn’t that useful in other circumstances. A circumstance where it isn’t that useful is a variant of Business Email Compromise (BEC) that we call an Impersonation Attack. An Impersonation Attack is when…

Where email authentication is potentially great – protecting against spoofing from domains with weak authentication

So, in the past couple of posts, I’ve talked about how email authentication is not that great against phishing attacks that use random parameters in the sender, but is well-designed to work against springboard spear-phishing attacks. There’s another scenario where it is simultaneously well-positioned to protect against spear-phishing, yet not in a good position to…

A security story that is kind of disturbing

I’ve got a story for you. As a security person, it’s a little disturbing. I was driving in the car with my wife yesterday who works in the health care industry (she’s not a doctor). She was telling me that earlier that day, she was trying to email a file to some other organization and…

Where email authentication is not so great at stopping phishing – random IT phishing scams

On this blog, I’ve written a lot about email authentication and preached its virtues. If you are a domain owner, you should definitely set up SPF, DKIM, and DMARC records both so that emails to you can be identified between authentic and not, and so that other email receivers (e.g., Gmail, Hotmail/Outlook.com, Comcast, etc.) can…

Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks

Introduction: It has now been about 8 months since we released our antispoofing protection in Office 365, a feature that defends against Business Email Compromise, where the From and To domains are the same. You can read more about that feature at http://aka.ms/AntispoofingInOffice365. To summarize, it defends against others spoofing your domain in the From:…

Hotmail/Outlook.com evaluates DKIM a little differently than Office 365

If you’re a user in Hotmail, Outlook.com, or any other of Microsoft’s consumer email services, you may notice that it evaluates DKIM a little differently than you might expect (you would only notice this mostly as someone who is trying to troubleshoot delivery, as an average user you probably wouldn’t notice it at all unless…

Messages going to Junk even though they aren’t spam? Check to see if you have Safe-Lists-Only enabled

Recently, I’ve been seeing a spike in customer escalations saying that messages that aren’t marked as spam are nevertheless getting sent to the Junk Mail folder. This is despite the message headers indicating that the message is non-spam, that is, the X-Forefront-Antispam-Report header says “SFV:NSPM” (Spam Filter Verdict: Non-spam) and “SCL:1”. The most common reason…

How we moved microsoft.com to a p=quarantine DMARC record

In case you hadn’t noticed, Microsoft recently published a DMARC record that says p=quarantine: _dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1" This means that any sender transmitting email either into Microsoft’s corp mail servers or to any other domain that receives email, and the message is spoofed (it doesn’t pass SPF or…

Sending mail with invalid From: addresses to Office 365

One of the changes to go into Office 365 in the past year is an antispam rule that rejects messages with an invalid From: address. When this occurs, the message is rejected with: 550 5.7.512 Access denied, message must be RFC 5322 section 3.6.2 compliant and include a valid From address If you look…
