Forum Discussion
acstech1
Jan 21, 2019, Copper Contributor
Why are my users getting spoofed messages when I have SPF, DMARC, DKIM enabled?
Recently, I had a user forward an email to me that was from a spoofed email account in our organization (the email was from an outside email server and had been relayed off another mail server with a...
VasilMichev
Jan 21, 2019, MVP
Well, it seems to me like the message was correctly identified as spam/spoof; what is most likely happening is that a "safe sender" setting is interfering, either on the user or tenant level. You should also check the high/low confidence spam action settings. What are the message SCL and PCL scores?
acstech1
Jan 21, 2019, Copper Contributor
I checked the recipient's settings and none of the originating domains are on their safe senders list.
Someone in another forum mentioned an exploit in which an outside user can set up a connector on their O365 and it could cause the message to bypass O365 spam detection. I am not familiar with this exploit.
I have relay set to only allow from our onsite IP address range.
The forums won't let me attach the header as a txt file. I've scrubbed the sensitive information from our end and pasted the header below:
Received: from SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:405:5e::42)
by BN7PR07MB4353.namprd07.prod.outlook.com with HTTPS via
BN6PR2201CA0029.NAMPRD22.PROD.OUTLOOK.COM; Fri, 18 Jan 2019 22:27:40 +0000
Received: from BYAPR07CA0028.namprd07.prod.outlook.com (2603:10b6:a02:bc::41)
by SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:805:57::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.15; Fri, 18 Jan
2019 22:27:38 +0000
Received: from CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
(2a01:111:f400:7e4d::209) by BYAPR07CA0028.outlook.office365.com
(2603:10b6:a02:bc::41) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1537.27 via Frontend
Transport; Fri, 18 Jan 2019 22:27:38 +0000
Authentication-Results: spf=none (sender IP is 212.124.108.234)
smtp.mailfrom=productos.com.co; MYDOMAIN.com; dkim=none (message not signed)
header.d=none;MYDOMAIN.com; dmarc=fail action=oreject
header.from=MYDOMAIN.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: productos.com.co does not
designate permitted sender hosts)
Received: from mail.comsisnet.com (212.124.108.234) by
CO1NAM04FT022.mail.protection.outlook.com (10.152.90.167) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1471.13 via Frontend Transport; Fri, 18 Jan 2019 22:27:37 +0000
Received: from localhost (localhost [127.0.0.1])
by mail.comsisnet.com (Postfix) with ESMTP id 54F7E142364
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:51 -0500 (-05)
Received: from mail.comsisnet.com ([127.0.0.1])
by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id P9-3v-WMDoiW for <USER1@MYDOMAIN.com>;
Fri, 18 Jan 2019 17:45:50 -0500 (-05)
Received: from localhost (localhost [127.0.0.1])
by mail.comsisnet.com (Postfix) with ESMTP id 5E6A21500A6
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:50 -0500 (-05)
X-Virus-Scanned: amavisd-new at mail.comsisnet.com
Received: from mail.comsisnet.com ([127.0.0.1])
by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 3nVxwu90PFrP for <USER1@MYDOMAIN.com>;
Fri, 18 Jan 2019 17:45:50 -0500 (-05)
Received: from 10.9.20.26 (200-71-186-82.static.telcel.net.ve [200.71.186.82])
by mail.comsisnet.com (Postfix) with ESMTPSA id 9A23FCAED5
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:49 -0500 (-05)
Date: Fri, 18 Jan 2019 18:23:16 -0400
From: USER 2 <USER2@MYDOMAIN.com>
To: <USER1@MYDOMAIN.com>
Message-ID: <15555712253192518038.5BA1A4B9EA82CFB4@MYDOMAIN.com>
Subject: Artwork & Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_8115_1960952945.12853567193974151674"
Return-Path: carolina.valencia@productos.com.co
X-MS-Exchange-Organization-ExpirationStartTime: 18 Jan 2019 22:27:37.8449
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 102ad7f5-fd33-4fd4-b34f-eedc37df348f:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
CIP:212.124.108.234;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR07MB4365;H:mail.comsisnet.com;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics:
1;CO1NAM04FT022;1:HetE1O0Ly62Uc4ODb0wwC7QPG4y+JY1LLL3tWWRXaXHq+oU0TKgJAtvka1SEPee9ATNa99agkSbVGFNCOAh8SIZd+7K5KQZPleV+vcqtHXxidfC+6H2VGCes0efX2npe
X-MS-Exchange-Organization-AuthSource:
CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-Microsoft-Antispam:
BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;3:SAAPgOnyRygJ1+YuHGTr9aa/QB25t8uIv5VgVYiTMYvoMxrQCeASm4PubeMRmFaLI8tOTR1EygwgHk3c7le0cioIGeV+wwVH86lmTNaiqDtR5gWZlSf3TL4rcCb6beTU4OAGLGLjJsR7bs7kdaG320Icx6pxHlf9F5lh9B6eFfs3wCE5K4qkNbKjxTYtw/wM5SOuS0+F48siz6YSzx8xHbhBDDXBwhuWERZFmjjhk32uu7jI8cJo5yQy5FWW4hIYUeWtkNIzemA610g9WQigmeKP5y/KL5p8tS85z5Z/uzQUYlRM0Cx6IdOvOcFC7y1yJVbMq1WrHEvSWxBk7F5bnqyeBmzle1QGffZdReHw1AyAq8ONWOPsOdqLi2gvkhbi;25:dPfpFddorovPpeJ3BeT+/tpItJa0Jw5f0fxgsA22DS8PfIvxGPT/JJQcRWgukj3mw7oC+aqzkDv8lHyFu6BgGJv5ggsWLXWJHax4Xzb+IkM6P/pQB9fFvVi6ecfzRZQ2Oj2nedp/jfa3W3vlaWWSuTCjQlhA8peAXLsSA4k2Zx63ooQh7j7eDZzE3y8G9cTLlZXUzu4xGJGBNjrm4DzNVLNqxuGEP/wowZCBs188nH/SjmYFIdA8CEswtwgU6a6Ibwihp4AGaUmMeslUDOyRMaosbDNb2l18zRvDQSB/AffqdBv5cx/OJzSbeSRkct85J+sk93/4k9xMY3vQEuryrg==
X-MS-TrafficTypeDiagnostic: SN6PR07MB4365:
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;31:TOWhrRMQaIcGDF+skb073rVtd8jj1aLHbl5AVW83q1R0lBXVXaLe/p77d0X+5FO5Dc/YhEJS2gCNuw2peZOfexNXK5aFvgHv8Ka71yEpmCOtYRWQYDA0DrxewwShVQaiCE2w7grqDahEczviUIp618ni5O5DRvn3mu5FRU6QhDhYa4cSf0aA7W6CahMgI6l8yzf6UXh1QehgP7Zzma+JGs8cxjwVhwqMCUt1AiQ2llk=;20:E40xDM1aMHaHYRFTEHMviqZVkzbktzOuyAzunVXjtstPdNi5L2JDT0aSVG2JwZqkTKQD6kugNxLCfXzW37CHhzxpHfwrMwmK6B/OSC3FVEON5tMsfuWP3EJQvlzfV03HuqtpJGvbQ/U1gxY7rgNbEb/FzYSaHZ4E5/h/zpJtrFnTZ1K+6x3OyIXxi7xO8XilvxQKMpWRYvBgEsh/n0vuvrOnyUYYTzsuQHUQPPa+jjVGDJRYceR/PqLgemRaWRLwdJjWgKitIdHzPNMyqcUz+Qw1+CdCjq27za1u0H4RrWmVmEAyxWvCnWz6kT1YoaK5aWwaul1sH6SQ6rCT3/yw/4W5eOf2Y4NX+XiLIRSS5LAfL2Dr8Jmn1RWtL0njXf56fKQePJGk/xBbKGubQOnGsUFnTK6RBUEQY2Nj6hN4X4VZO60ySMx7E6s0rvZ3hjz/EukKiMZGYoRxJQzEU1zQ9fhrOpmcc8uecKb+8LbBqVX1FzzusaIlkuidJZ7RYxz9
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;4:XXK2U0utE4eihRl+6nfj89bKk5H2f1YnDAjj3AUzPonFPt8mkc6XVoZ6Z7Fv4Sz1GVzFKpbHCT5FKfXQKOg2ha9l9dffidn5fMBkpPK2I2d+e04Y5/2JRxRG/CYs7MInk8UGGBK9V9PJmC1mjKrsJyQpHQcfFuCVlaN9Be2tr3dIIidoELjZB3TwozoPbWpZIuBFtOYTFr4LEHCsbNa9MPxoZeygblSCapzPHZECCujlODsPk+QV47+JzbXnvlxss7SH/qRNZIxn2iRPSVo7rG0KAxmdZaoo/CpXgr/0HrM=;23:o5/vXLQyVr0AyciuC8JiIy96umJ2gni5j1NBUpfLuoanzS7081pYRNiMrFx16AAaYpy6vYe+kY8nUiIpuRu01Up9ahI7n5naqHquo4k5jBG6vazdwTnAPObJDXO7vpe9mGGociIl5Tur8HCpSwPh4g==;6:OCj8uVnrLCZTtQy2N/vPaxa2Ve6FG9rGyMsoVhdTRQ//6S2Qhw/dko34MUDJ2pfwDf9TaO9zVpwI5LJTA6iZFMQo0JwK9cefTH+C85u9E+RD4/rKH/5pXOFdH/qWyyT5g0N0dOT1y3/xJ2Jz5gO0zc9KJ8MkG8+z0eeLQYCk3RXtQqWhsl9o8a300mYBP3YHm9vxuk2cDsN+c6gf4r0goM+jHUv5KaJlnedTwI9T9mKxfoDPdSzFEmc71nUwb6+s8ft9m2WTxIOBBQXKKFVAOIqqb90KRdcuFJGztySzISTfA0//UwS7Xbo9VxFhtZ3gh6oAbByD1s0UtWSEBle3LGyzwIsTg94CqReu5mZ29+jzi0l8XBGM3GlWl4CRIfKsuTy5HIE6hEmfOYdkCP5ytC5Xaxe5gGSU46BERIkPZCE5koV5Y75pi1Pxf8fnXUKoBwkrzp/60qO4QtvRsEA87A==
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;5:0/6sqEzZAyxxLh6t6KDX8CBBunjNuxcp/IRzPFgeVOHkgsM7qlJg28dGeCQL0jK/NvLgrCHop9lydRUzyBzzG9MG7pTxxetkrqLWHBXyfIIiGuE8TPq9VN0XsiyxgbHt8wF2NJMrZD7yJwwg7sbBch8tw3XDqUgSFFOR6NTujcJRLR+3mMYWmqbUPimdAJsw9RFnNFPikcpWD/dPG9ToJA==;7:IRLonrA/Dbx7XhS47Z09qQEN9fWRD3J5W8WLC00M0W1/JyjoEs+jogJtJwvEJchuC9lDoMsIAc8YGy6kuomzFcprGhvW+MqRCk6j7o6pJgLk+Al3byxMV7I+3qH434wLQP69yh4cQjh6j3LggkSt7g==
SpamDiagnosticOutput: 1:24
SpamDiagnosticMetadata: Default
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Jan 2019 22:27:37.4386
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-MS-Exchange-CrossTenant-Id: 102ad7f5-fd33-4fd4-b34f-eedc37df348f
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4365
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.0870920
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1537.000
X-Microsoft-Exchange-Diagnostics:
1;BN7PR07MB4353;9:vPW6TAGyoKmb/FJQBPVY2+xOp+Ptc66QuJdyG5sYNFpZ6ejy/Blsr0s3/MC6VUeW9mWM+hahisDL1cMRMz5INpJy7IVLoBGAnARurykW3Ob/DFWzzUTzOje0ghf5a+sQeffG24rH/SCxwsfP3yjeo/aXvuQHRi7JEx3wC3SPzaw=
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:1;jmr:0;ex:0;auth:0;dest:I;OFR:CustomRules;ENG:(750119)(520011016);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?kEeHv/iVZpomnhw0iCk5nqiMosnyimPbjrt5QRXze+EhYq6YxG1NH5j5ejJe?=
=?us-ascii?Q?fxhlIOlt3D6Wcwr7p0E5106e+VwVjNsJJn0Y+EsyqgTjdvajP68jiUZ3cDRh?=
=?us-ascii?Q?QhLEHuzRruvqsfK3LIV/jyjXsncqW0zhRsLX0tJgFOQkzppIwsM2y0oXbb6i?=
=?us-ascii?Q?uOAoGuhk+S1CPagXWtChh4aa4v47BPzaunz+GDVtnlrvjP+LWYoEmGf7T2bP?=
=?us-ascii?Q?jyQNbSriIVaWyCsTHmlBdB/34QvXBIoaHMOBm0nlaliff5K/HiuTODZ3T/OD?=
=?us-ascii?Q?4fIcqvMJj3Uf5E+TlrzQ4dQR8+DmepMYqD4iXdUM5riod49/AuSfvklIwyJC?=
=?us-ascii?Q?VfqzntPY0JRWSbSEGq400wpYlsuXv1L7el2IUGRewbO1q+dtq5JkhIjwUp99?=
=?us-ascii?Q?w3C6QS9PjuT5MxJAJYMxJ3FbOpiSFAr7bK5q8IMVCoH8yiQ2/CKXHnIGt2De?=
=?us-ascii?Q?Ks+eyA+uW8dMswNN8JwnnzQB3lCRDkFQu0XTpeLWaS/ychL6RBi01fZeSDCX?=
=?us-ascii?Q?saggQUxOVB8Os7c/HYF16N1CWblg3gfPYFzHi1nKgp1we4lgq84yZ9UNpnY1?=
=?us-ascii?Q?ju2Cag0WkXdIRgsC4NYN5pkw8CgN/WekHx3YIqH2ufT60d1gkruI2F43Q7Ev?=
=?us-ascii?Q?mDsKygT6F/LdTsD5rNfDMe1X9niZ2vIHbQ1M3DoU1XWaw3xPA/dnlNKM45rL?=
=?us-ascii?Q?bfoJmXZchUKgeKeUYGo70naHuOVqTZKLgc5jPOULnKzeWY1aud9EXyN8wsH3?=
=?us-ascii?Q?v9yHtAXiKz8r/Of3EOSiJxAgtC1uW0YoUsYLOedwj/j5OZanq/g4nf+idkSO?=
=?us-ascii?Q?wIXS9fuxKlsmLmCyFqD1rMIxvWpXVdFp9X7WdUuAwtG6zvvartw+vowxoUJk?=
=?us-ascii?Q?GccnsNESr9YLzzWfVONq30XbQjVj/BvXr4pmhCNQsEfsLkdFUKj1pDRowcfD?=
=?us-ascii?Q?cCBLkbQJ7Nmn0MAxNR5UnEXvXsTJn+So00J7wfrlOmerdJK+dZkavdBL/LWh?=
=?us-ascii?Q?36PuR64ej5IUzKMFIe50cFQ6Fe1FpA95N1qzD01lvYaybbpeYqkJKn7TxDhf?=
=?us-ascii?Q?RFoveqSvyXxOSJ7/ZTpcQqB8UWHPczJybbAtyfi/OFRlG9KzS9uqDYY5Kvmu?=
=?us-ascii?Q?HgZJJHNj97+I4mQWL3U2BwRnOhi+jcDXVWVi7QQrjjDx1us0HgVtwQYyfaN4?=
=?us-ascii?Q?3J61V3g+oUBOWnAwERRzmFA47hoCCdl0YZig2J/2yJu8PgssKHKbyrZv3t3W?=
=?us-ascii?Q?/lAum8CThg1iz55MDMe3wygELJAQN/O7HHf9osnD30fWIkP4JpKVNOci4JPE?=
=?us-ascii?Q?WoI=3D?=
X-Microsoft-Exchange-Diagnostics:
1;BN7PR07MB4353;27:pzBSGxd+Q+Wcz1YLQB6EoAIiu5QhoXf0Rcxz40L9UNH92GqZtxLPvSNuMCJaewB5FNLmfvFopndOHEF9HDMi6JclbtceGCWiN/dh1i4WImIQRBX1zbxRhujhF/9wNzylC8tTdHesMrjnKBW2h4D84sBzncuoQIcERuxHqIh42I+sbPGnVDP7ylOhgCA97bG+n5pnKtQkCnAHq4z6MQfsXD0/z6Z88RQOZ2ex09tBec9IA/OKispaVBVaLezIuaY1LLS+wGzp1PyvHcrFDisdR+ZVgSjSJcmQIWKGAm6WqsJ7FYFaxvEa5X204XR/Kw5jEDjp6AZ01t4UeZR6M/NcPCrowriZf6VcTAcsOgtYKphr/kYVNlpwASWRDOA+Skv1
X-Microsoft-Antispam:
BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;
X-MS-Exchange-Organization-SCL: -1
VasilMichev
Jan 24, 2019, MVP
The SCL score of this message is -1, meaning that the anti-spam action was bypassed due to a "trusted sender" or similar exception, as suspected. In particular, the SFV:SKA value indicates that you have an allow list, as detailed here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-message-headers
SFV:SKA: The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list. There's nothing wrong on Microsoft's side; it's admin/user configuration that is allowing this message to pass through the antispam filter. Check your policy settings, transport rules and the mailbox settings.
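A small header-triage script, added here as an illustration of the reasoning in the reply above; it is not code from the thread, from Microsoft, or from any of the posters. It unfolds a raw header block (note that the header as pasted above has lost the leading whitespace of its continuation lines, which real RFC 5322 headers carry; the constructed sample restores it), pulls the SPF/DKIM/DMARC/compauth results out of Authentication-Results, splits the KEY:VALUE list of X-Forefront-Antispam-Report, and then reports the combination at issue here: DMARC failed for the tenant's own domain, yet SCL is -1 because an allow list (SFV:SKA) skipped filtering. It goes slightly beyond this one case by also recognising the other "skipped filtering" SFV codes (SKN, SKI, SKB) from the Microsoft document linked above. The sample header block is constructed after the one posted in the thread, using a documentation IP address (203.0.113.10) and example.net in place of the real sender, and OUR_DOMAIN is an assumed stand-in for the tenant's accepted domain.

```python
"""Triage of Exchange Online anti-spam headers (added example, not from the thread)."""
from __future__ import annotations

import re

OUR_DOMAIN = "mydomain.com"  # assumption: the tenant's own accepted domain

# Constructed sample modelled on the header pasted in the thread. The sender IP
# is an RFC 5737 documentation address and the envelope domain is example.net.
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 203.0.113.10)
 smtp.mailfrom=example.net; MYDOMAIN.com; dkim=none (message not signed)
 header.d=none;MYDOMAIN.com; dmarc=fail action=oreject
 header.from=MYDOMAIN.com;compauth=fail reason=000
From: USER 2 <USER2@MYDOMAIN.com>
To: <USER1@MYDOMAIN.com>
Subject: Artwork & Invoice
X-Forefront-Antispam-Report:
 CIP:203.0.113.10;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR07MB4365;H:mail.example.net;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1
"""

# SFV codes that explain why filtering was skipped or pre-decided, as listed in
# the Microsoft anti-spam message header documentation linked in the thread.
SFV_MEANING = {
    "SKA": "skipped filtering: matched an allow list (e.g. allowed sender/domain)",
    "SKN": "skipped filtering: marked non-spam before filtering (e.g. by a mail flow rule)",
    "SKI": "skipped filtering for another reason (e.g. intra-organizational mail)",
    "SKB": "marked as spam before filtering (e.g. blocked sender)",
}


def unfold_headers(raw: str) -> dict[str, list[str]]:
    """Join RFC 5322 folded continuation lines; return lower-cased name -> values."""
    headers: dict[str, list[str]] = {}
    current = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            # Continuation line: append to the most recent value of this header.
            headers[current][-1] = (headers[current][-1] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def parse_authentication_results(value: str) -> dict[str, str]:
    """Extract method results and key properties from Authentication-Results."""
    patterns = {
        "spf": r"\bspf=(\w+)",
        "dkim": r"\bdkim=(\w+)",
        "dmarc": r"\bdmarc=(\w+)",
        "compauth": r"\bcompauth=(\w+)",
        "action": r"\baction=(\w+)",
        "header_from": r"header\.from=([\w.-]+)",
        "mail_from": r"smtp\.mailfrom=([\w.-]+)",
        "sender_ip": r"sender IP is ([0-9A-Fa-f.:]+)",
    }
    found = {}
    for key, pattern in patterns.items():
        m = re.search(pattern, value)
        if m:
            found[key] = m.group(1).lower()
    return found


def parse_forefront_report(value: str) -> dict[str, str]:
    """Split the KEY:VALUE;KEY:VALUE list of X-Forefront-Antispam-Report."""
    fields = {}
    for item in value.split(";"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def assess(raw: str, our_domain: str = OUR_DOMAIN) -> list[str]:
    """Explain why a message that fails authentication still reached the inbox."""
    headers = unfold_headers(raw)
    auth = parse_authentication_results(headers.get("authentication-results", [""])[0])
    report = parse_forefront_report(headers.get("x-forefront-antispam-report", [""])[0])
    # SCL lives in the report; fall back to the organization header if absent.
    scl = report.get("SCL") or headers.get("x-ms-exchange-organization-scl", [""])[0]
    findings = []
    if auth.get("header_from") == our_domain and auth.get("dmarc") == "fail":
        findings.append(
            f"DMARC failed for our own domain {our_domain}: From is spoofed "
            f"(policy action={auth.get('action', '?')}, sender IP {auth.get('sender_ip', '?')})"
        )
    sfv = report.get("SFV", "")
    if sfv in SFV_MEANING:
        findings.append(f"SFV:{sfv}: {SFV_MEANING[sfv]}")
    if scl == "-1" and auth.get("compauth") == "fail":
        findings.append(
            "SCL -1 despite compauth=fail: an allow list, mail flow rule or "
            "safe-sender setting overrode the spoof verdict; review those first"
        )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the constructed sample it produces three findings: the DMARC failure for the tenant's own domain, the SFV:SKA allow-list match, and the SCL -1 override of compauth=fail. Pointing it at a real message means pasting the full, still-folded header block; if the tool that exported the header stripped the leading whitespace (as happened with the copy in this thread), the continuation lines will be parsed as separate, nameless lines and silently dropped.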
acstech1
Jan 24, 2019, Copper Contributor
I don't have any of those things enabled related to the original servers where the message originated.
carolina.valencia@productos.com.co does not appear in the user's safe sender list
We have no tunnels on our end related to mail.comsisnet.com (212.124.108.234)
My guess is that Microsoft is seeing that spoofed address as the sender and letting everything through since the spoofed address is in my org.