
acstech1
Copper Contributor
Jan 21, 2019

Why are my users getting spoofed messages when I have SPF, DMARC, DKIM enabled?

Recently, I had a user forward an email to me that was from a spoofed email account in our organization (the email was from an outside email server and had been relayed off another mail server with a spoofed Mail From).

According to MX Toolbox's header analyzer, the message failed these tests which should cause the message to be rejected:

SPF check failed
DKIM check failed
DMARC check failed

For example, our SPF records designate that anything not originating from Office365 or our company network should be rejected. This did not work.

I have DKIM and DMARC set up as well, and all of these services are authenticated in the Office365 system.


What's going on?

  • Well it seems to me like the message was correctly identified as spam/spoof, what is most likely happening is that a "safe sender" setting is interfering, either on the user or tenant level. You should also check the high/low confidence spam action settings. What are the message SCL and PCL scores?

    •
      acstech1
      Copper Contributor

      I checked the recipients settings and none of the originating domains are on their safe senders list. 


      Someone in another forum mentioned an exploit in which an outside user can set up a connector on their O365 and it could cause the message to bypass O365 spam detection. I am not familiar with this exploit.


      I have relay set to only allow from our onsite IP address range.


      The forums won't let me attach the header as a txt file. I've scrubbed the sensitive information from our end and pasted the header below:


      Received: from SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:405:5e::42)
      by BN7PR07MB4353.namprd07.prod.outlook.com with HTTPS via
      BN6PR2201CA0029.NAMPRD22.PROD.OUTLOOK.COM; Fri, 18 Jan 2019 22:27:40 +0000
      Received: from BYAPR07CA0028.namprd07.prod.outlook.com (2603:10b6:a02:bc::41)
      by SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:805:57::14) with
      Microsoft SMTP Server (version=TLS1_2,
      cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.15; Fri, 18 Jan
      2019 22:27:38 +0000
      Received: from CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
      (2a01:111:f400:7e4d::209) by BYAPR07CA0028.outlook.office365.com
      (2603:10b6:a02:bc::41) with Microsoft SMTP Server (version=TLS1_2,
      cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1537.27 via Frontend
      Transport; Fri, 18 Jan 2019 22:27:38 +0000
      Authentication-Results: spf=none (sender IP is 212.124.108.234)
      smtp.mailfrom=productos.com.co; MYDOMAIN.com; dkim=none (message not signed)
      header.d=none;MYDOMAIN.com; dmarc=fail action=oreject
      header.from=MYDOMAIN.com;compauth=fail reason=000
      Received-SPF: None (protection.outlook.com: productos.com.co does not
      designate permitted sender hosts)
      Received: from mail.comsisnet.com (212.124.108.234) by
      CO1NAM04FT022.mail.protection.outlook.com (10.152.90.167) with Microsoft SMTP
      Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
      15.20.1471.13 via Frontend Transport; Fri, 18 Jan 2019 22:27:37 +0000
      Received: from localhost (localhost [127.0.0.1])
      by mail.comsisnet.com (Postfix) with ESMTP id 54F7E142364
      for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:51 -0500 (-05)
      Received: from mail.comsisnet.com ([127.0.0.1])
      by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10032)
      with ESMTP id P9-3v-WMDoiW for <USER1@MYDOMAIN.com>;
      Fri, 18 Jan 2019 17:45:50 -0500 (-05)
      Received: from localhost (localhost [127.0.0.1])
      by mail.comsisnet.com (Postfix) with ESMTP id 5E6A21500A6
      for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:50 -0500 (-05)
      X-Virus-Scanned: amavisd-new at mail.comsisnet.com
      Received: from mail.comsisnet.com ([127.0.0.1])
      by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10026)
      with ESMTP id 3nVxwu90PFrP for <USER1@MYDOMAIN.com>;
      Fri, 18 Jan 2019 17:45:50 -0500 (-05)
      Received: from 10.9.20.26 (200-71-186-82.static.telcel.net.ve [200.71.186.82])
      by mail.comsisnet.com (Postfix) with ESMTPSA id 9A23FCAED5
      for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:49 -0500 (-05)
      Date: Fri, 18 Jan 2019 18:23:16 -0400
      From: USER 2 <USER2@MYDOMAIN.com>
      To: <USER1@MYDOMAIN.com>
      Message-ID: <15555712253192518038.5BA1A4B9EA82CFB4@MYDOMAIN.com>
      Subject: Artwork & Invoice
      MIME-Version: 1.0
      Content-Type: multipart/mixed;
      boundary="----=_Part_8115_1960952945.12853567193974151674"
      Return-Path: carolina.valencia@productos.com.co
      X-MS-Exchange-Organization-ExpirationStartTime: 18 Jan 2019 22:27:37.8449
      (UTC)
      X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
      X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
      X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
      X-MS-Exchange-Organization-Network-Message-Id:
      a18157f4-a1d7-4661-fe7c-08d67d9426c2
      X-EOPAttributedMessage: 0
      X-EOPTenantAttributedMessage: 102ad7f5-fd33-4fd4-b34f-eedc37df348f:0
      X-MS-Exchange-Organization-MessageDirectionality: Incoming
      X-Forefront-Antispam-Report:
      CIP:212.124.108.234;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR07MB4365;H:mail.comsisnet.com;FPR:;SPF:None;LANG:en;
      X-Microsoft-Exchange-Diagnostics:
      1;CO1NAM04FT022;1:HetE1O0Ly62Uc4ODb0wwC7QPG4y+JY1LLL3tWWRXaXHq+oU0TKgJAtvka1SEPee9ATNa99agkSbVGFNCOAh8SIZd+7K5KQZPleV+vcqtHXxidfC+6H2VGCes0efX2npe
      X-MS-Exchange-Organization-AuthSource:
      CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
      X-MS-Exchange-Organization-AuthAs: Anonymous
      X-MS-PublicTrafficType: Email
      X-MS-Office365-Filtering-Correlation-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
      X-Microsoft-Antispam:
      BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;
      X-Microsoft-Exchange-Diagnostics:
      1;SN6PR07MB4365;3:SAAPgOnyRygJ1+YuHGTr9aa/QB25t8uIv5VgVYiTMYvoMxrQCeASm4PubeMRmFaLI8tOTR1EygwgHk3c7le0cioIGeV+wwVH86lmTNaiqDtR5gWZlSf3TL4rcCb6beTU4OAGLGLjJsR7bs7kdaG320Icx6pxHlf9F5lh9B6eFfs3wCE5K4qkNbKjxTYtw/wM5SOuS0+F48siz6YSzx8xHbhBDDXBwhuWERZFmjjhk32uu7jI8cJo5yQy5FWW4hIYUeWtkNIzemA610g9WQigmeKP5y/KL5p8tS85z5Z/uzQUYlRM0Cx6IdOvOcFC7y1yJVbMq1WrHEvSWxBk7F5bnqyeBmzle1QGffZdReHw1AyAq8ONWOPsOdqLi2gvkhbi;25:dPfpFddorovPpeJ3BeT+/tpItJa0Jw5f0fxgsA22DS8PfIvxGPT/JJQcRWgukj3mw7oC+aqzkDv8lHyFu6BgGJv5ggsWLXWJHax4Xzb+IkM6P/pQB9fFvVi6ecfzRZQ2Oj2nedp/jfa3W3vlaWWSuTCjQlhA8peAXLsSA4k2Zx63ooQh7j7eDZzE3y8G9cTLlZXUzu4xGJGBNjrm4DzNVLNqxuGEP/wowZCBs188nH/SjmYFIdA8CEswtwgU6a6Ibwihp4AGaUmMeslUDOyRMaosbDNb2l18zRvDQSB/AffqdBv5cx/OJzSbeSRkct85J+sk93/4k9xMY3vQEuryrg==
      X-MS-TrafficTypeDiagnostic: SN6PR07MB4365:
      X-Microsoft-Exchange-Diagnostics:
      1;SN6PR07MB4365;31:TOWhrRMQaIcGDF+skb073rVtd8jj1aLHbl5AVW83q1R0lBXVXaLe/p77d0X+5FO5Dc/YhEJS2gCNuw2peZOfexNXK5aFvgHv8Ka71yEpmCOtYRWQYDA0DrxewwShVQaiCE2w7grqDahEczviUIp618ni5O5DRvn3mu5FRU6QhDhYa4cSf0aA7W6CahMgI6l8yzf6UXh1QehgP7Zzma+JGs8cxjwVhwqMCUt1AiQ2llk=
      X-Microsoft-Exchange-Diagnostics:
      1;SN6PR07MB4365;4:XXK2U0utE4eihRl+6nfj89bKk5H2f1YnDAjj3AUzPonFPt8mkc6XVoZ6Z7Fv4Sz1GVzFKpbHCT5FKfXQKOg2ha9l9dffidn5fMBkpPK2I2d+e04Y5/2JRxRG/CYs7MInk8UGGBK9V9PJmC1mjKrsJyQpHQcfFuCVlaN9Be2tr3dIIidoELjZB3TwozoPbWpZIuBFtOYTFr4LEHCsbNa9MPxoZeygblSCapzPHZECCujlODsPk+QV47+JzbXnvlxss7SH/qRNZIxn2iRPSVo7rG0KAxmdZaoo/CpXgr/0HrM=;23:o5/vXLQyVr0AyciuC8JiIy96umJ2gni5j1NBUpfLuoanzS7081pYRNiMrFx16AAaYpy6vYe+kY8nUiIpuRu01Up9ahI7n5naqHquo4k5jBG6vazdwTnAPObJDXO7vpe9mGGociIl5Tur8HCpSwPh4g==;6:OCj8uVnrLCZTtQy2N/vPaxa2Ve6FG9rGyMsoVhdTRQ//6S2Qhw/dko34MUDJ2pfwDf9TaO9zVpwI5LJTA6iZFMQo0JwK9cefTH+C85u9E+RD4/rKH/5pXOFdH/qWyyT5g0N0dOT1y3/xJ2Jz5gO0zc9KJ8MkG8+z0eeLQYCk3RXtQqWhsl9o8a300mYBP3YHm9vxuk2cDsN+c6gf4r0goM+jHUv5KaJlnedTwI9T9mKxfoDPdSzFEmc71nUwb6+s8ft9m2WTxIOBBQXKKFVAOIqqb90KRdcuFJGztySzISTfA0//UwS7Xbo9VxFhtZ3gh6oAbByD1s0UtWSEBle3LGyzwIsTg94CqReu5mZ29+jzi0l8XBGM3GlWl4CRIfKsuTy5HIE6hEmfOYdkCP5ytC5Xaxe5gGSU46BERIkPZCE5koV5Y75pi1Pxf8fnXUKoBwkrzp/60qO4QtvRsEA87A==
      X-MS-Exchange-Organization-SCL: -1
      X-Microsoft-Exchange-Diagnostics:
      1;SN6PR07MB4365;5:0/6sqEzZAyxxLh6t6KDX8CBBunjNuxcp/IRzPFgeVOHkgsM7qlJg28dGeCQL0jK/NvLgrCHop9lydRUzyBzzG9MG7pTxxetkrqLWHBXyfIIiGuE8TPq9VN0XsiyxgbHt8wF2NJMrZD7yJwwg7sbBch8tw3XDqUgSFFOR6NTujcJRLR+3mMYWmqbUPimdAJsw9RFnNFPikcpWD/dPG9ToJA==;7:IRLonrA/Dbx7XhS47Z09qQEN9fWRD3J5W8WLC00M0W1/JyjoEs+jogJtJwvEJchuC9lDoMsIAc8YGy6kuomzFcprGhvW+MqRCk6j7o6pJgLk+Al3byxMV7I+3qH434wLQP69yh4cQjh6j3LggkSt7g==
      SpamDiagnosticOutput: 1:24
      SpamDiagnosticMetadata: Default
      X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Jan 2019 22:27:37.4386
      (UTC)
      X-MS-Exchange-CrossTenant-Network-Message-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
      X-MS-Exchange-CrossTenant-Id: 102ad7f5-fd33-4fd4-b34f-eedc37df348f
      X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
      X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4365
      X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.0870920
      X-MS-Exchange-Processed-By-BccFoldering: 15.20.1537.000
      X-Microsoft-Exchange-Diagnostics:
      1;BN7PR07MB4353;9:vPW6TAGyoKmb/FJQBPVY2+xOp+Ptc66QuJdyG5sYNFpZ6ejy/Blsr0s3/MC6VUeW9mWM+hahisDL1cMRMz5INpJy7IVLoBGAnARurykW3Ob/DFWzzUTzOje0ghf5a+sQeffG24rH/SCxwsfP3yjeo/aXvuQHRi7JEx3wC3SPzaw=
      X-Microsoft-Antispam-Mailbox-Delivery:
      ucf:1;jmr:0;ex:0;auth:0;dest:I;OFR:CustomRules;ENG:(750119)(520011016);
      X-Microsoft-Antispam-Message-Info:
      =?us-ascii?Q?kEeHv/iVZpomnhw0iCk5nqiMosnyimPbjrt5QRXze+EhYq6YxG1NH5j5ejJe?=
      =?us-ascii?Q?fxhlIOlt3D6Wcwr7p0E5106e+VwVjNsJJn0Y+EsyqgTjdvajP68jiUZ3cDRh?=
      =?us-ascii?Q?QhLEHuzRruvqsfK3LIV/jyjXsncqW0zhRsLX0tJgFOQkzppIwsM2y0oXbb6i?=
      =?us-ascii?Q?uOAoGuhk+S1CPagXWtChh4aa4v47BPzaunz+GDVtnlrvjP+LWYoEmGf7T2bP?=
      =?us-ascii?Q?jyQNbSriIVaWyCsTHmlBdB/34QvXBIoaHMOBm0nlaliff5K/HiuTODZ3T/OD?=
      =?us-ascii?Q?4fIcqvMJj3Uf5E+TlrzQ4dQR8+DmepMYqD4iXdUM5riod49/AuSfvklIwyJC?=
      =?us-ascii?Q?VfqzntPY0JRWSbSEGq400wpYlsuXv1L7el2IUGRewbO1q+dtq5JkhIjwUp99?=
      =?us-ascii?Q?w3C6QS9PjuT5MxJAJYMxJ3FbOpiSFAr7bK5q8IMVCoH8yiQ2/CKXHnIGt2De?=
      =?us-ascii?Q?Ks+eyA+uW8dMswNN8JwnnzQB3lCRDkFQu0XTpeLWaS/ychL6RBi01fZeSDCX?=
      =?us-ascii?Q?saggQUxOVB8Os7c/HYF16N1CWblg3gfPYFzHi1nKgp1we4lgq84yZ9UNpnY1?=
      =?us-ascii?Q?ju2Cag0WkXdIRgsC4NYN5pkw8CgN/WekHx3YIqH2ufT60d1gkruI2F43Q7Ev?=
      =?us-ascii?Q?mDsKygT6F/LdTsD5rNfDMe1X9niZ2vIHbQ1M3DoU1XWaw3xPA/dnlNKM45rL?=
      =?us-ascii?Q?bfoJmXZchUKgeKeUYGo70naHuOVqTZKLgc5jPOULnKzeWY1aud9EXyN8wsH3?=
      =?us-ascii?Q?v9yHtAXiKz8r/Of3EOSiJxAgtC1uW0YoUsYLOedwj/j5OZanq/g4nf+idkSO?=
      =?us-ascii?Q?wIXS9fuxKlsmLmCyFqD1rMIxvWpXVdFp9X7WdUuAwtG6zvvartw+vowxoUJk?=
      =?us-ascii?Q?GccnsNESr9YLzzWfVONq30XbQjVj/BvXr4pmhCNQsEfsLkdFUKj1pDRowcfD?=
      =?us-ascii?Q?cCBLkbQJ7Nmn0MAxNR5UnEXvXsTJn+So00J7wfrlOmerdJK+dZkavdBL/LWh?=
      =?us-ascii?Q?36PuR64ej5IUzKMFIe50cFQ6Fe1FpA95N1qzD01lvYaybbpeYqkJKn7TxDhf?=
      =?us-ascii?Q?RFoveqSvyXxOSJ7/ZTpcQqB8UWHPczJybbAtyfi/OFRlG9KzS9uqDYY5Kvmu?=
      =?us-ascii?Q?HgZJJHNj97+I4mQWL3U2BwRnOhi+jcDXVWVi7QQrjjDx1us0HgVtwQYyfaN4?=
      =?us-ascii?Q?3J61V3g+oUBOWnAwERRzmFA47hoCCdl0YZig2J/2yJu8PgssKHKbyrZv3t3W?=
      =?us-ascii?Q?/lAum8CThg1iz55MDMe3wygELJAQN/O7HHf9osnD30fWIkP4JpKVNOci4JPE?=
      =?us-ascii?Q?WoI=3D?=
      X-Microsoft-Exchange-Diagnostics:
      1;BN7PR07MB4353;27:pzBSGxd+Q+Wcz1YLQB6EoAIiu5QhoXf0Rcxz40L9UNH92GqZtxLPvSNuMCJaewB5FNLmfvFopndOHEF9HDMi6JclbtceGCWiN/dh1i4WImIQRBX1zbxRhujhF/9wNzylC8tTdHesMrjnKBW2h4D84sBzncuoQIcERuxHqIh42I+sbPGnVDP7ylOhgCA97bG+n5pnKtQkCnAHq4z6MQfsXD0/z6Z88RQOZ2ex09tBec9IA/OKispaVBVaLezIuaY1LLS+wGzp1PyvHcrFDisdR+ZVgSjSJcmQIWKGAm6WqsJ7FYFaxvEa5X204XR/Kw5jEDjp6AZ01t4UeZR6M/NcPCrowriZf6VcTAcsOgtYKphr/kYVNlpwASWRDOA+Skv1

      X-Microsoft-Antispam:
      BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;
      X-MS-Exchange-Organization-SCL: -1

      • The SCL score of this message is -1, meaning that the anti-spam action was bypassed due to a "trusted sender" or similar exception, as suspected. In particular, the SFV:SKA value indicates that you have an allow list, as detailed here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-message-headers


        SFV:SKA The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list.


        There's nothing wrong on Microsoft side, it's admin/user configuration that is allowing this message to pass through the antispam filter. Check your policy settings, transport rules and the mailbox settings.
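The checks the reply above walks through by hand (dmarc=fail with action=oreject in Authentication-Results, SFV:SKA in X-Forefront-Antispam-Report, SCL -1) can be automated for triage. The script below is an added example, not code from the thread or from Microsoft. It parses the EOP headers, recomputes whether the header From domain has an aligned SPF or DKIM pass, and flags the combination "DMARC failed but filtering was skipped". The two header samples are constructed (example.com/example.net, RFC 5737 addresses) and modelled on the scrubbed header posted above; relaxed DMARC alignment is approximated by a parent/child-domain test rather than a public-suffix lookup.

```python
"""Triage Exchange Online Protection headers: did an allow list override a DMARC failure?

Added example (not the thread's or Microsoft's code). Header samples are
constructed; relaxed alignment is simplified to a subdomain test.
"""
import email
import email.utils
import re

# Constructed sample: third-party envelope sender and IP, From: claims the
# recipient's own domain, no SPF/DKIM result, dmarc=fail with p=reject
# downgraded to oreject, yet SCL:-1 and SFV:SKA (allow-list skip).
SPOOFED_HEADERS = """\
Authentication-Results: spf=none (sender IP is 192.0.2.10)
 smtp.mailfrom=sender.example.net; corp.example.com; dkim=none (message not signed)
 header.d=none;corp.example.com; dmarc=fail action=oreject
 header.from=corp.example.com;compauth=fail reason=000
From: Alice <alice@corp.example.com>
To: <bob@corp.example.com>
Subject: Artwork & Invoice
X-Forefront-Antispam-Report:
 CIP:192.0.2.10;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:EXAMPLE01;H:mail.sender.example.net;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1

"""

# Constructed control sample: a legitimately authenticated internal message.
LEGIT_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.5)
 smtp.mailfrom=corp.example.com; dkim=pass (signature was verified)
 header.d=corp.example.com; dmarc=pass action=none
 header.from=corp.example.com;compauth=pass reason=100
From: Alice <alice@corp.example.com>
X-Forefront-Antispam-Report:
 CIP:198.51.100.5;IPV:NLI;SFV:NSPM;SCL:1;SRVR:EXAMPLE01;SPF:Pass;LANG:en;
X-MS-Exchange-Organization-SCL: 1

"""


def unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_auth_results(value):
    """Pull method results and their key properties out of Authentication-Results."""
    text = unfold(value)
    result = {}
    for method in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{method}=(\w+)", text)
        if m:
            result[method] = m.group(1).lower()
    for prop in ("smtp.mailfrom", "header.d", "header.from", "action", "reason"):
        m = re.search(rf"\b{re.escape(prop)}=([^\s;]+)", text)
        if m:
            result[prop] = m.group(1).lower()
    return result


def parse_forefront_report(value):
    """Split X-Forefront-Antispam-Report into its KEY:value fields."""
    fields = {}
    for item in unfold(value).split(";"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def domains_aligned(a, b):
    """Relaxed alignment, simplified: equal, or one is a subdomain of the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def assess(raw_headers):
    """Return the authentication verdict and any filter-override indicators."""
    msg = email.message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    report = parse_forefront_report(msg.get("X-Forefront-Antispam-Report"))
    scl = unfold(msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL", "")))

    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mailfrom_domain = auth.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = auth.get("spf") == "pass" and domains_aligned(from_domain, mailfrom_domain)
    dkim_aligned = auth.get("dkim") == "pass" and domains_aligned(from_domain, auth.get("header.d", ""))
    dmarc_pass = spf_aligned or dkim_aligned

    findings = []
    if not dmarc_pass:
        findings.append(f"no aligned SPF or DKIM pass for header From domain {from_domain}")
    if auth.get("dmarc") == "fail" and auth.get("action") == "oreject":
        findings.append("dmarc action=oreject: the domain's p=reject was downgraded to junk/quarantine")
    if report.get("SFV") == "SKA":
        findings.append("SFV:SKA: filtering skipped, sender matched an allow list in the spam policy")
    if scl == "-1":
        findings.append("SCL -1: message treated as trusted and delivered to the inbox")

    # The combination worth alerting on: authentication failed, yet EOP skipped filtering.
    allow_list_override = not dmarc_pass and (report.get("SFV") == "SKA" or scl == "-1")
    return {
        "from_domain": from_domain,
        "dmarc_pass": dmarc_pass,
        "scl": scl,
        "sfv": report.get("SFV"),
        "allow_list_override": allow_list_override,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, headers in (("spoofed", SPOOFED_HEADERS), ("legit", LEGIT_HEADERS)):
        verdict = assess(headers)
        print(label, "allow-list override" if verdict["allow_list_override"] else "ok")
        for line in verdict["findings"]:
            print("  -", line)
```

Run over an exported header, a hit on `allow_list_override` points at exactly what the reply says to check: the anti-spam policy's allowed senders/domains, transport rules that set SCL -1, and the mailbox's safe-senders list. Note that EOP's own DMARC result is taken from the header only for the `oreject` finding; the pass/fail verdict is recomputed from the SPF/DKIM results and alignment so that a stamped result cannot be taken at face value.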

  •
    acstech1
    Copper Contributor

    Anybody else with any ideas? This is a serious security issue, especially if the exploit I mentioned above is real.

    •
      acstech1
      Copper Contributor

      Not sure if this is still true, but I found an old post in a message group saying that Microsoft ignores DMARC values because of concern that too many companies screw up their DMARC and it would lead to too many returned messages.

      http://lists.dmarc.org/pipermail/dmarc-discuss/2015-November/003327.html


      I know that a lot of other email providers do. When I first set it up, I set the reporting component up to send reports to me and I got reports from hosts like Yahoo and Comcast.

  •
    IJN007
    Copper Contributor
    Did you ever resolve this issue? It started happening to one of my users on December 12, 2022. Had never had that before, and none of my settings have been changed.
