Analyzing message header


We are in a hybrid deployment and all mailboxes are in Exchange Online. Our MX record is pointing to our 3rd-party spam filter, which then sends to our on-premises server, which again sends to Exchange Online. In short it looks like this:

 

Sender - 3rd-party spam filter - Exchange on-premises - Exchange Online.

 

 

When I analyze the message header I see the following in Authentication-Results (1st line of the header):

 

spf=none (sender IP is 212.212.212.212) smtp.mailfrom=domain.ninja; domain.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;domain.mail.onmicrosoft.com; dmarc=none action=none header.from=domain.ninja;domain.com; dkim=none (message not signed) header.d=none;

Sender IP (212.212.212.212) is our on-premises Exchange server's external address.

smtp.mailfrom=domain.ninja is the domain that sent the message.

domain.mail.onmicrosoft.com is our Exchange Online domain.

 

Is it by design that our on-premises Exchange server will be seen as the sender?

If so, then does it mean that if someone is spoofing our domain it will be bypassed, since the sender IP is in our SPF record?

 

We are getting more than enough spoofing emails directed at our CEO and Finance director, and adding an SPF record doesn't seem to help.

 

I know DKIM and DMARC should help better against spoofing, but currently we cannot implement them, since our MX record does not point to EOP.

 

Thanks!

 

6 Replies
It's by design, indeed, to have the IP of your on-premises server seen as the sender IP. EOP is looking at the connecting IP when evaluating SPF and the connecting IP in this case is the IP of your on-premises server.

The fact that enough emails where your domain is spoofed are reaching your users means that the 3rd-party spam filter is not doing the best job or is not configured correctly. Those spoofed emails should be stopped/marked as spam there, at the 3rd-party spam filter level. It's also important whether your SPF record ends in ~all (soft fail) or -all (hard fail). Many anti-spam solutions won't mark as spam an email for which the SPF check soft-failed.

In this configuration, Sender - 3rd-party spam filter - Exchange on-premises - Exchange Online, you are not using the full capabilities of Exchange Online Protection. Ideally, the MX record should point to EOP.

Thanks Victor,

 

I still think it's bad that EXO/EOP is failing on this SPF check on the connecting IP and not also checking the X-Origin-IP header (which should be the IP of the mail server sending out the mail).

What if a customer does not use a 3rd-party spam filter but still wants mail to go through the on-premises server (for benefits like better message trace)?

That EOP blindly accepts all messages arriving from the on-premises server is not the best security, imo :)


The X-Originating-IP header doesn't contain the IP address of the original sending server, but the IP of the PC where Outlook or OWA was used to compose and send that email. EOP has no way of evaluating the IP of the initial sending server.

 

Exchange Online has much improved message tracking capabilities compared to Exchange on-premises.


I think you are mixing up X-Origin-IP and X-Originating-IP. The last one is the IP of the end user.

Message trace in EXO is NOT better than on-premises. In EXO you can only trace messages 1 week back in the real-time view. If you need older than 7 days, you have to wait 2-4 hours before the results are sent to your inbox.

 


X-Origin-IP is a custom header, probably stamped by your 3rd-party spam filtering solution. If you have it, then you can use it to create a transport rule in EXO to block emails where your domain is spoofed. Something like:

 

If the message...
sender's address domain portion belongs to any of these domains: 'your_domain.com'
Do the following...
Set the spam confidence level (SCL) to '5'
Except if...
'X-Origin-IP' header contains 'your IPs'

Regarding the message trace, you are right, there are some things that take longer to achieve in EXO, but on the other side it's so quick and easy to see what exactly happened to an email sent recently.
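The following is an added example, not code from this thread, from Microsoft, or from any spam-filter vendor. It does two things the thread discusses: it parses the kind of Authentication-Results and Received headers quoted in the question and shows that the IP EOP evaluated SPF against is the on-premises relay (the first reply's point, with the connecting IP sitting inside the organisation's own trusted relays), and it emulates the transport rule above (set SCL 5 when the From domain is one of ours, unless X-Origin-IP carries one of our sending IPs). The on-premises address 212.212.212.212 and the domain names come from the thread; the filter address, attacker address, hostnames, the EOP hop and the X-Origin-IP value are constructed for this example.

```python
"""Header triage for the relay chain Sender -> filter -> on-prem Exchange -> EOP.

Added example; not code from the original thread. All sample data below is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed addresses: the on-premises server IP comes from the thread; the filter and
# attacker addresses are documentation ranges chosen for this example.
ON_PREM_IP = "212.212.212.212"
FILTER_IP = "203.0.113.7"       # hypothetical third-party spam filter
ATTACKER_IP = "198.51.100.23"   # hypothetical host spoofing our domain
OUR_DOMAINS = {"domain.ninja"}
# Hops that are "ours" from EOP's point of view: the on-prem server and the filter in front.
TRUSTED_RELAYS = [ip_network(ON_PREM_IP + "/32"), ip_network(FILTER_IP + "/32")]
# Servers that legitimately originate mail for our domains (the rule's exception list).
OUR_SENDING_IPS = {ON_PREM_IP}

# Constructed message: a spoofed "CEO" mail that entered via the filter, was relayed by the
# on-prem server, and was then authenticated by EOP against the on-prem connecting IP.
SAMPLE = (
    "Authentication-Results: spf=none (sender IP is 212.212.212.212) "
    "smtp.mailfrom=domain.ninja; domain.mail.onmicrosoft.com; dkim=none "
    "(message not signed) header.d=none; dmarc=none action=none "
    "header.from=domain.ninja;\n"
    f"Received: from onprem.domain.ninja ({ON_PREM_IP}) by eop.example ({'10.0.0.1'})\n"
    f"Received: from filter.example.net ({FILTER_IP}) by onprem.domain.ninja ({ON_PREM_IP})\n"
    f"Received: from unknown ({ATTACKER_IP}) by filter.example.net ({FILTER_IP})\n"
    f"X-Origin-IP: {ATTACKER_IP}\n"
    'From: "CEO" <ceo@domain.ninja>\n'
    "To: finance@domain.ninja\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

AUTH_RE = re.compile(r"spf=(?P<spf>\w+) \(sender IP is (?P<ip>[0-9a-fA-F:.]+)\)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?P<d>[^;\s]+)")
HEADERFROM_RE = re.compile(r"header\.from=(?P<d>[^;\s]+)")
RECV_IP_RE = re.compile(r"^from\s+\S+\s+\((?P<ip>[0-9a-fA-F:.]+)\)")


def parse_auth_results(value: str) -> dict:
    """Extract the SPF verdict, the IP EOP evaluated it against, and both sender domains."""
    m = AUTH_RE.search(value)
    if m is None:
        raise ValueError("no spf clause in Authentication-Results")
    return {
        "spf": m.group("spf"),
        "spf_ip": m.group("ip"),
        "mailfrom": MAILFROM_RE.search(value).group("d"),
        "header_from": HEADERFROM_RE.search(value).group("d"),
    }


def received_ips(msg: Message) -> list:
    """Connecting IPs from the Received chain, newest hop first (the order headers are stacked)."""
    ips = []
    for value in msg.get_all("Received", []):
        m = RECV_IP_RE.match(value.strip())
        if m:
            ips.append(m.group("ip"))
    return ips


def origin_ip(ips: list):
    """Walk inward from the EOP-facing hop and return the first hop outside our relays.

    With the MX pointing at the filter this is the real sending server; EOP itself only
    ever sees ips[0], the on-premises connector, which is why its SPF check is against that.
    """
    for ip in ips:
        if not any(ip_address(ip) in net for net in TRUSTED_RELAYS):
            return ip
    return None


def triage(raw: str) -> dict:
    """Summarise what EOP saw and emulate the X-Origin-IP transport rule from the thread."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg["Authentication-Results"])
    hops = received_ips(msg)
    _, from_addr = parseaddr(msg["From"])
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    x_origin = (msg.get("X-Origin-IP") or "").strip()
    # Rule: From domain is ours AND X-Origin-IP is not one of our senders -> SCL 5.
    spoof_suspect = from_domain in OUR_DOMAINS and x_origin not in OUR_SENDING_IPS
    return {
        "spf": auth["spf"],
        "spf_ip": auth["spf_ip"],
        "spf_ip_is_our_relay": any(ip_address(auth["spf_ip"]) in n for n in TRUSTED_RELAYS),
        "connecting_ip": hops[0] if hops else None,
        "origin_ip": origin_ip(hops),
        "x_origin_ip": x_origin,
        "from_domain": from_domain,
        "scl": 5 if spoof_suspect else None,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key:>20}: {val}")
```

In Exchange Online PowerShell the equivalent rule is created with New-TransportRule using -SenderDomainIs, -SetSCL, -ExceptIfHeaderContainsMessageHeader 'X-Origin-IP' and -ExceptIfHeaderContainsWords; the sender address it matches is, by default, the one in the message header (From), which is what the example checks. Two caveats a practitioner should keep in mind: the exception is only as trustworthy as the component that stamps X-Origin-IP, so the filter must overwrite any copy of that header the sender supplied rather than pass it through, and the rule catches direct-domain spoofing only, not look-alike domains or display-name spoofing of the CEO's name.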

Thanks Victor,

 

but I have done multiple tests, even from my on-premises server at home. X-Origin-IP is the IP of the mail server and X-Originating-IP is the end-user IP.

Not every mail server has these stamps. Gmail will stamp with their IPv6 in X-Origin-IP.