
We use Office 365 mail. I got this spam email this morning, so I checked the header to see if there was anything I could do. Here is the header with our recipient domain removed:

Received: from DB6PR01MB3829.eurprd01.prod.exchangelabs.com
 (2603:10a6:6:52::25) by PAXPR01MB9291.eurprd01.prod.exchangelabs.com with
 HTTPS; Tue, 10 May 2022 02:17:42 +0000
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
 b=EeGi0lrMprVF98QNcErMivV15SlCGfKOkWEjmPF6RvL4rtMscNmuzA0Do6xVi7W2VL14YtJE0cS2MQzJgsNnh2x2b3fkVMGb+L3mqCyhYvfpphI21XkeOLzjiuJaLexSA1TK6bChcboiF1sP+KI+G/gfGbzfWdzt3mhABec4s/98qZTQGjCe50IuXc0F46ILAEbIXjl1S1pmKLQnKi5j9BFhdwtITVWlIzY7ZiCFng+1mHKigKFDPTyeEiw7ttsm3oviZe1VLP+yy0lvUMPilZ6q7myeBYm9hAb53MWIrYNmX9aevyxV0TpC39uTOK3u9pYH2MZ7fZlm4xX5Ppo/8A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=MfogbEoTECE7pnnCdWfNTaPrbyhjph3ZMKGUlMoJEC9pu//dHDOMF07eiTsT3t5tba1ghfgbe2xZEZqg7azDGULAznA9eTzsjSnhnveCVt1thqLWnQLXh/T3/BOgpwQb8nCjVoq6p3KuBUXrObEWxqu07csivgli0UAiOS4UUVInWOX93PlMWL9APXrNRuOQzRBPrr84cg/XQhKWhxjMjtyoHH/VIvykTkEk/3mtuAdDjWseunvhqbD8K1b4pjrE4zycJNvTuo/+ZuV3YuFAfnEXcnQu/fmshdFMvWaEGAAK4Lex8O1P564OeW2XibLPAzqzy4aREtMWmAz2iKdmGQ==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)
Received: from AS9PR06CA0338.eurprd06.prod.outlook.com (2603:10a6:20b:466::32)
 by DB6PR01MB3829.eurprd01.prod.exchangelabs.com (2603:10a6:6:52::25) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Tue, 10 May
 2022 02:17:40 +0000
Received: from VE1EUR01FT092.eop-EUR01.prod.protection.outlook.com
 (2603:10a6:20b:466:cafe::a6) by AS9PR06CA0338.outlook.office365.com
 (2603:10a6:20b:466::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20 via Frontend
 Transport; Tue, 10 May 2022 02:17:39 +0000
Authentication-Results: spf=pass (sender IP is 52.100.172.225)
 smtp.mailfrom=columbiacentral.edu; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=softpass reason=202
Received-SPF: Pass (protection.outlook.com: domain of columbiacentral.edu
 designates 52.100.172.225 as permitted sender)
 receiver=protection.outlook.com; client-ip=52.100.172.225;
 helo=NAM11-DM6-obe.outbound.protection.outlook.com;
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (52.100.172.225)
 by VE1EUR01FT092.mail.protection.outlook.com (10.152.3.140) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Tue, 10 May 2022 02:17:39 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Q5rpXKAdNS+0d9NAcPdgg6yieRqMW+KRK56NvHARZ4dvDoZFK3ySOALeF/i9hUzI42iCy0O8N39lvyCdQqVsh1ZRKOfp/yVtfpa+crSVPK2TK/DezxAE0TxWMewLdzGDhWUXugtGjgvNArKyHBS84F2rsOpDZRMfs1Yo8BJXZw3qT5bLFu1TkCU1sZvnzO7fNomw6exzWksgwRLCiQyigO26zDT99562VKyMLxSo0jW24mxN948jAg9vtGu5M95gunA+fRSJUu26E6pjhpS3ESkrcETmi074jwsIHPRts8NV9zZTNlnkigxKxqCGnbYgNiDqNRNK8eicLHn3nZht9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=j+q7sHypXOlRowsbB0TbvBhGeqo6NZcgUYskR6DrTJPVsaNOdxldABCpIYBtnRZpytb8NaleVgX84hn+wqy5as3e1845BoDH2jANfo5D6geIh3Vofc8VE7GykIOjyq93qgxLkfsdd20iU9gsgwMln8yZ0OUvSFR4tBeDXTcSOB0JT0pMq/iF+qiyva6TgwUA5XhHCwnpu0w1IkdHGlAAZpLkRAyiaqgf6dduuwqmz9Blu/wsgeAUSEE+djSXNoiFnWTaF03/lC7iANlqlQLELSw6d/lfNtozYKaZ9l4uHiYe+aoVk9LaowjlQkEWLw/ZAQ7XL6fUizHvmUpLcZYhog==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=temperror (sender ip
 is 2603:10c6:1:12::22) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=
Received: from MW2PR16CA0035.namprd16.prod.outlook.com (2603:10b6:907::48) by
 BY5PR02MB7044.namprd02.prod.outlook.com (2603:10b6:a03:232::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20; Tue, 10 May
 2022 02:17:37 +0000
Received: from MW2NAM12FT006.eop-nam12.prod.protection.outlook.com
 (2603:10b6:907:0:cafe::9c) by MW2PR16CA0035.outlook.office365.com
 (2603:10b6:907::48) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.23 via Frontend
 Transport; Tue, 10 May 2022 02:17:36 +0000
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is
 2603:10c6:1:12::22) smtp.mailfrom=columbiacentral.edu; dkim=fail (signature
 did not verify) header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;
Received-SPF: TempError (protection.outlook.com: error in processing during
 lookup of columbiacentral.edu: DNS Timeout)
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36
 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40
 +0000
Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by
 SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000
Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com
 (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com
 (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend
 Transport; Sun, 8 May 2022 04:00:37 +0000
Authentication-Results-Original: spf=pass (sender IP is 168.245.125.63)
 smtp.mailfrom=send.ksd1.klaviyomail.com; dkim=pass (signature was verified)
 header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=pass reason=102
Received-SPF: Pass (protection.outlook.com: domain of
 send.ksd1.klaviyomail.com designates 168.245.125.63 as permitted sender)
 receiver=protection.outlook.com; client-ip=168.245.125.63;
 helo=o1401.shared.klaviyomail.com;
Received: from o1401.shared.klaviyomail.com (168.245.125.63) by
 SY4AUS01FT005.mail.protection.outlook.com (10.114.156.159) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Sun, 8 May 2022 04:00:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
    h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
    s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
    b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
    ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
    FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=
Received: by filterdrecv-587b769b88-2bpk5 with SMTP id filterdrecv-587b769b88-2bpk5-1-62774062-56
        2022-05-08 04:00:34.371597831 +0000 UTC m=+2700818.931010760
Received: from MTk3MDQ3Mzc (unknown)
    by geopod-ismtpd-1-5 (SG) with HTTP
    id Rs3WzlZyRbmab0T598cUNQ
    Sun, 08 May 2022 04:00:34.261 +0000 (UTC)

What stands out to me is the DKIM fail:

 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)

What 365 policy should I tweak to tighten picking up on these DKIM failures?

EDIT: I threw this through a header analyzer and there are TWO DKIM failures in there:

dkim:ksd1.klaviyomail.com:m1  

Dkim Public Record:
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6L9gyFVAyoilbWhRbDZp+S8sFyNK4ACBgovgHxfbrutEet95U/CaL0mUnhv4VmkbIK7vUM2lsZl5rqLMQf5FGapvT3lWYQOgWBtl2USeDDr5Y+LzaHA1XZ+5NVf+l6sAFRaKeabsIKidXfxkdDALgIOIdmF3WV+VI4TvMRo90hQIDAQAB

Dkim Signature (this is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
 h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
 s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
 b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
 ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
 FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=

and

dkim:columbiacoedu.onmicrosoft.com:selector2-columbiacoedu-onmicrosoft-com  

Dkim Public Record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOvOdOm9Ug9778qHNSHRfls8jR3NWGijSKHOo/T2z4WdACJHA3IDPMVB2q4cWnHt+KwAnWiRYWeSeBWkzqWBIiWgdn8kMh08+iMy86hfqKb7mzbWgXigdEdtzzD9RGy09FRKsy5sIPJMMavbPhzvJaS/KNmWEMEb09JXkMyNCnRQIDAQAB;

Dkim Signature (This too is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=
AngryCarrotTop
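What the header analyser is doing with the two tag lists quoted in the EDIT, as an added example that is not part of the question: it parses the DKIM-Signature and the selector's public-key record for ksd1.klaviyomail.com, derives the DNS name the verifier queried, and runs the pre-cryptography checks (algorithm against key type, From coverage, the t=s strict-identity flag, key revocation, key size). Verifying b= itself needs the canonicalised headers and body, which the post does not include, so that step is not attempted. Python, standard library only; the revoked-key and mismatched-identity inputs used for comparison are constructed.

```python
"""Parse the DKIM-Signature tag list and the selector's public-key TXT record
quoted above, derive the DNS name a verifier queries, and run the checks a
header analyser performs before it touches any cryptography.  The page does
not include the canonicalised headers and body, so the RSA verification of
b= is out of scope here.
"""
import base64
import re

# Tag lists copied from the question (the signature exactly as folded in the
# message; whitespace inside a tag value is insignificant under RFC 6376).
SIGNATURE = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
 h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
 s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
 b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
 ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
 FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY="""

PUBLIC_RECORD = (
    "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6L9gyFVAyoilbWhRbDZp+S8sFyNK4ACBg"
    "ovgHxfbrutEet95U/CaL0mUnhv4VmkbIK7vUM2lsZl5rqLMQf5FGapvT3lWYQOgWBtl2USeD"
    "Dr5Y+LzaHA1XZ+5NVf+l6sAFRaKeabsIKidXfxkdDALgIOIdmF3WV+VI4TvMRo90hQIDAQAB"
)


def parse_tags(tag_list: str) -> dict[str, str]:
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict; folding
    whitespace inside values is dropped, the first '=' separates name and value."""
    tags: dict[str, str] = {}
    for part in tag_list.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(sig: dict[str, str]) -> str:
    """DNS TXT name the verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def rsa_modulus_bits(der: bytes) -> int:
    """Walk the DER SubjectPublicKeyInfo from p= just far enough to read the RSA
    modulus size.  Minimal TLV reader for well-formed RSA keys, not a general
    ASN.1 parser."""
    def tlv(buf: bytes, pos: int):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    _, spki, _ = tlv(der, 0)                               # SEQUENCE SubjectPublicKeyInfo
    _, _, pos = tlv(spki, 0)                               # SEQUENCE AlgorithmIdentifier (skipped)
    tag, bits, _ = tlv(spki, pos)                          # BIT STRING subjectPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = tlv(bits[1:], 0)                       # skip unused-bits byte; SEQUENCE RSAPublicKey
    _, modulus, _ = tlv(rsa_key, 0)                        # INTEGER n
    modulus = modulus.lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def check_signature(sig: dict[str, str], rec: dict[str, str]) -> list[str]:
    """Checks from RFC 6376 / RFC 8301 a verifier applies before it can try to
    validate b=.  Returns the findings (empty list = nothing to report)."""
    findings: list[str] = []
    alg, key_type = sig.get("a", ""), rec.get("k", "rsa")  # k= defaults to rsa
    if sig.get("v") != "1":
        findings.append("unsupported DKIM version")
    if not alg.startswith(key_type + "-"):
        findings.append(f"a={alg} does not match key type k={key_type}")
    if "h" in rec and alg.split("-", 1)[-1] not in rec["h"].split(":"):
        findings.append(f"hash of a={alg} not allowed by key record h={rec['h']}")
    if "from" not in sig.get("h", "").lower().split(":"):
        findings.append("h= must cover the From header")
    if "s" in rec.get("t", "").split(":"):                 # strict identity mode
        if sig.get("i", "@" + sig["d"]).rsplit("@", 1)[-1].lower() != sig["d"].lower():
            findings.append("t=s: the i= domain must equal d= exactly")
    if not rec.get("p"):
        findings.append("empty p=: the key has been revoked")
        return findings
    try:
        bits = rsa_modulus_bits(base64.b64decode(rec["p"], validate=True))
    except (ValueError, IndexError) as exc:
        findings.append(f"p= is not a usable RSA public key ({exc})")
        return findings
    if bits < 1024:
        findings.append(f"{bits}-bit key: RFC 8301 says verifiers must reject it")
    elif bits < 2048:
        findings.append(f"{bits}-bit key: RFC 8301 minimum, below the recommended 2048")
    return findings


if __name__ == "__main__":
    sig, rec = parse_tags(SIGNATURE), parse_tags(PUBLIC_RECORD)
    print("DNS query:", key_record_name(sig))
    for finding in check_signature(sig, rec):
        print("-", finding)
```

The record passes every structural check; the only thing worth noting is that the key is 1024-bit RSA, which RFC 8301 allows but no longer recommends. A "fail" verdict on a record that passes these checks means the signature or body hash itself did not verify, which is consistent with the message having been altered in transit after it was signed.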

2 Answers


It looks like you may have some spoofed received headers:

Received: from bouttecontour.cloud (195.58.39.136) looks like genuine injection to O365 at Tue, 10 May 2022 02:17:36 +0000

But the Received headers below that have a time disconnect and seem to show internal O365 processing BEFORE the injection.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000

Compare those to the headers from an example we're also investigating:

Received: from breckcraigint.pro (195.58.39.137) by DM6NAM12FT048.mail.protection.outlook.com (10.13.178.173) with Microsoft SMTP Server id 15.20.5250.8 via Frontend Transport; Mon, 9 May 2022 02:00:01 +0000

Again, the header lines below this appear to show O365 processing, which matches your example exactly.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000

  • I could see that it was spoofed, my question was why office 365 wasn't blocking or treating the email as spam. After digging I found my answer in some MS documentation. Office 365 does not treat dkim failures as an issue by default (it seems); a further rule needed adding. It seems that when I migrated from exchange to office 365 I tidied a lot of my old rules up, the "old" DKIM rule from the exchange onsite days must have been removed by me at some point. – AngryCarrotTop Jun 13 '22 at 08:17
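The chain walk this answer describes, as an added example that is not from the answer's author: Python over four of the Received: lines from the question, flagging the two-day gap and the Microsoft-internal hops that sit below the bouttecontour.cloud injection point. The Microsoft host-name suffixes and the one-hour gap threshold are assumptions chosen for this message, not a published rule set.

```python
"""Walk the Received: chain of the message in the question and flag what the
answer above points at: a two-day gap, and hops that claim Microsoft-internal
processing *below* the hop where the message was actually injected into
Exchange Online.  Headers are prepended as a message travels, so the top
Received: line is the newest hop and the bottom one the oldest claim.

Heuristics (assumptions, not an authoritative rule set): a hop whose 'from'
host is not a Microsoft-operated name is an external injection point; every
hop below it is a claim made by the outside sender, not something this
tenant's Exchange Online observed; a gap over MAX_GAP is worth a look.
"""
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

MS_SUFFIXES = ("outlook.com", "office365.com", "exchangelabs.com")  # assumed
MAX_GAP = timedelta(hours=1)                                        # assumed

# Constructed sample: four Received: headers copied from the message in the
# question (folding kept), newest hop first.
SAMPLE_HEADERS = """\
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (52.100.172.225)
 by VE1EUR01FT092.mail.protection.outlook.com (10.152.3.140) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Tue, 10 May 2022 02:17:39 +0000
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36
 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40
 +0000
Received: from o1401.shared.klaviyomail.com (168.245.125.63) by
 SY4AUS01FT005.mail.protection.outlook.com (10.114.156.159) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Sun, 8 May 2022 04:00:36 +0000
"""

HOP_RE = re.compile(r"^Received:\s*(?:from\s+(?P<frm>\S+))?.*?\bby\s+(?P<by>\S+)",
                    re.IGNORECASE | re.DOTALL)


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def is_microsoft(host: str) -> bool:
    return host.lower().rstrip(".").endswith(MS_SUFFIXES)


def parse_hops(raw: str) -> list[dict]:
    """One dict per Received: header, in header order (newest first)."""
    hops = []
    for line in unfold(raw):
        match = HOP_RE.match(line)
        if not match:
            continue
        when = None
        if ";" in line:                          # the date-time follows the last ';'
            try:
                when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None                      # e.g. the non-RFC SendGrid stamps
        frm = match.group("frm") or ""
        hops.append({"from": frm, "by": match.group("by"), "when": when,
                     "internal": is_microsoft(frm)})
    return hops


def find_anomalies(hops: list[dict]) -> list[dict]:
    findings = []
    for upper, lower in zip(hops, hops[1:]):    # upper is the later hop
        if upper["when"] is None or lower["when"] is None:
            continue
        gap = upper["when"] - lower["when"]
        if gap > MAX_GAP:
            findings.append({"kind": "time_gap", "gap": gap,
                             "between": (lower["from"], upper["from"])})
        elif gap < timedelta(0):
            findings.append({"kind": "clock_skew", "gap": gap,
                             "between": (lower["from"], upper["from"])})
    for index, hop in enumerate(hops):
        if hop["internal"]:
            continue
        claimed = [h["from"] for h in hops[index + 1:] if h["internal"]]
        if claimed:                              # internal hops below an external one
            findings.append({"kind": "external_injection", "hop": hop["from"],
                             "untrusted_internal_hops": claimed})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_hops(SAMPLE_HEADERS)):
        print(finding)
```

Everything below the bouttecontour.cloud hop was written by whoever operated that host, whether it is a forwarding relay or a forger: the ausprd01 lines and the original klaviyomail.com delivery were never observed by the receiving tenant, and the two-day gap is the visible seam.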

OK, so after more digging I -EDIT: after comments, POSSIBLY- have my own answer. I did not have an Exchange Online rule for Authentication-Results that set SCL for dkim=fail.

For others looking:

  • Go to Exchange Online Admin
  • Mail Flow -> Rules
  • Add new rule and choose more options (or you won't see the header options)
  • Add a test for header "Authentication-Results" with contains "dkim=fail"
  • Action as set SCL to 6

I added a second rule that did the same as the above but with header "X-MS-Exchange-Authentication-Results"

Reference https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages?view=o365-worldwide

Admins can create Exchange mail flow rules (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed.

AngryCarrotTop
  • Blocking on DKIM fail is not really DMARC standard. Some originating servers for your mail domain may depend on SPF settings instead of DKIM to deliver mail. So, a little caution, this may block more than you actually want. – Gerrit May 11 '22 at 09:22
  • do you have ideas on an alternative solution? I've not accepted this as an answer yet. I only looked at filtering dkim=fail based on the Microsoft Article linked. – AngryCarrotTop May 12 '22 at 10:02
  • If I think about it, it wouldn't hurt to filter on dkim=fail in Authentication-Results as it would not require a dkim signature in order for any mail to come in. But most spammers actually use valid DKIM signatures. In this case it looks like a twice forwarded message with some strange header manipulation going on in one of the forwarders. – Gerrit May 13 '22 at 09:45
  • I ran with this solution in the end and will accept my own answer based on the MS article recommending it but also that I cannot see a "down side". Any DKIM fail should be a red flag, after all, if DKIM isn't presented at all this isn't a fail, only a verification failure should result in an =fail. I am not checking for neutral. https://help.returnpath.com/hc/en-us/articles/222481148-DKIM-signing-and-verification-overview#:~:text=DKIM%20verification%20results&text=Pass%3A%20The%20email%20message%20has,error%20causing%20a%20verification%20failure. – AngryCarrotTop Jun 13 '22 at 08:15
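Both the question's "what stands out" and this answer's two rules, as an added example that is not from the post: Python that pulls every DKIM verdict out of the Authentication-Results family of headers copied from the question, then emulates the two mail flow rules (exact header name, case-insensitive "contains", set SCL 6) to show which one fires on this message, and that a constructed unsigned message (dkim=none) is left alone, which is the distinction the comments turn on. The rule-matching semantics are an assumption about how Exchange evaluates the condition, not something taken from Microsoft's documentation.

```python
"""Extract every DKIM verdict from the Authentication-Results family of headers
on the message in the question, then emulate the two mail flow rules from the
answer ('header X contains dkim=fail' -> SCL 6) to see which one actually
fires, and confirm an unsigned message (dkim=none) is not caught.  Parsing
follows the RFC 8601 shape: ';'-separated clauses, each 'method=result'
followed by ptype.property=value pairs, parenthesised comments ignored.  The
'header contains' semantics (exact name, case-insensitive substring) are an
assumption about Exchange, not a documented behaviour.
"""
import re

AUTH_HEADERS = {"authentication-results", "x-ms-exchange-authentication-results",
                "authentication-results-original", "arc-authentication-results"}
METHODS = {"spf", "dkim", "dmarc", "arc", "compauth"}

# (header to test, text it must contain, SCL to set): the two rules from the answer
RULES = [("Authentication-Results", "dkim=fail", 6),
         ("X-MS-Exchange-Authentication-Results", "dkim=fail", 6)]

# Copied from the message in the question (recipient domain redacted as there).
QUESTION_MSG = """\
Authentication-Results: spf=pass (sender IP is 52.100.172.225)
 smtp.mailfrom=columbiacentral.edu; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=softpass reason=202
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is
 2603:10c6:1:12::22) smtp.mailfrom=columbiacentral.edu; dkim=fail (signature
 did not verify) header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)
"""

# Constructed: a message that carries no DKIM signature at all.
UNSIGNED_MSG = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=example.net;compauth=pass reason=109
"""


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def headers(raw: str):
    """Yield (name, value) for each unfolded header."""
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip(), value.strip()


def parse_auth_results(value: str) -> list[dict]:
    """'spf=pass smtp.mailfrom=x; dkim=fail header.d=y' -> one dict per method."""
    value = re.sub(r"\([^)]*\)", " ", value)             # strip comments
    results = []
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, sep, verdict = tokens[0].partition("=")
        if not sep or method.lower() not in METHODS:
            continue                                     # authserv-id, 'i=2', ...
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": verdict.lower(), "props": props})
    return results


def dkim_verdicts(raw: str) -> list[tuple[str, str, str]]:
    """(header name, result, header.d) for every DKIM verdict any hop recorded."""
    verdicts = []
    for name, value in headers(raw):
        if name.lower() in AUTH_HEADERS:
            for res in parse_auth_results(value):
                if res["method"] == "dkim":
                    verdicts.append((name, res["result"], res["props"].get("header.d", "")))
    return verdicts


def header_contains(raw: str, header_name: str, needle: str) -> bool:
    """Emulates the rule condition 'header <name> contains <text>' (assumed semantics)."""
    return any(name.lower() == header_name.lower() and needle.lower() in value.lower()
               for name, value in headers(raw))


def evaluate_rules(raw: str):
    """(header, SCL) for the first rule that fires, or None when no rule matches."""
    for header_name, needle, scl in RULES:
        if header_contains(raw, header_name, needle):
            return header_name, scl
    return None


if __name__ == "__main__":
    for msg in (QUESTION_MSG, UNSIGNED_MSG):
        print(dkim_verdicts(msg), "->", evaluate_rules(msg))
```

Under these assumed semantics the first rule does not fire on this message: the top-level Authentication-Results records dkim=pass for columbiacoedu.onmicrosoft.com, and only X-MS-Exchange-Authentication-Results carries the dkim=fail for ksd1.klaviyomail.com, so it is the second rule that sets SCL 6. The unsigned message yields dkim=none, which neither rule matches.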