On 2022-11-09 at 17:21:16 UTC-0500 (Wed, 09 Nov 2022 22:21:16 +0000)
MRob via mailop <mro...@insiberia.net>
is rumored to have said:

> On 2022-11-09 13:37, Bill Cole via mailop wrote:
>> On 2022-11-09 at 06:47:55 UTC-0500 (Wed, 09 Nov 2022 11:47:55 +0000)
>> MRob via mailop <mro...@insiberia.net>
>> is rumored to have said:
>>
>>> On 2022-11-09 08:40, Slavko via mailop wrote:
>>>> On 9. 11. at 0:34 MRob via mailop wrote:
>>>>> ... But if Microsoft agrees to DKIM-sign using the envelope-from (**signature including the FROM header**), shouldn't that mean it is seeing the headers and can of course validate the FROM header? For me that shows extra proof of Microsoft allowing free-form unchecked spoofing
>>>>
>>>> DKIM doesn't validate any of the signed header(s). It only digitally signs
>>>> them so the receiver can verify that they weren't modified in transport
>>>> (from signer to receiver). Nothing more, nothing less.
>>>
>>> Not questioning DKIM. The point is Microsoft has the FROM header in its hands, so it *can* easily do validation against the user account to disallow spoofing.
>>
>> Not so much.
>>
>> If I send mail via an MS service and put a (working) address in my
>> own domain in the From header, how is Microsoft supposed to "validate"
>> that?
>
> Easy: users register their addresses in their MS account, and MS only sends with a FROM in the allowed list.
>
>> What they'd need to do in that case is to have alternative address
>> registration and confirmation at a per-user granularity. Users hate
>> that.
>
> MS and you agree: users hate that, so the best decision is to allow free-form spoofing :(

I guess my tone was unclear. I do not condone MS's lack of oversight of their customers' misbehavior, especially their not-really-customers using 'onmicrosoft' addresses. I just don't believe that there is the slightest chance of them changing it because it would add costs for both operations (a foreign address registry and scanning of messages to validate From headers) and for support (because: users hate it.) This is not something MS will ever fix, at least not in any way that they can't dress up as a positive feature and charge for. Because 'onmicrosoft' addresses are for trial accounts (and apparently for non-mailable admin accounts without Exchange mailboxes?) I would not expect MS to ever block header spoofing for them. It would be a cost with no benefit for MS.

Whether they *should* block it is not a useful conversation. They are not going to.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
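An added worked example, not code from the thread or from any of its participants, illustrating the two separate questions the exchange above turns on: Slavko's point that a DKIM signature over the From: header only proves the header was not altered between signer and verifier, and the per-account allow-list check MRob and Bill discuss as what a submission service would have to run before signing. Assumptions, none of which come from the thread: the header canonicalisation follows RFC 6376 section 3.4.2 (relaxed), but HMAC-SHA256 with a shared key stands in for DKIM's RSA/Ed25519 signature so the script runs on the Python standard library alone; the message, the authenticated account `alice@tenant.example` and the allow-list are constructed sample data.

```python
"""Added example (not from the mailop thread): a DKIM-style signature over From:
proves integrity in transit, not that the submitter owned the From: address.
HMAC-SHA256 with a shared key is an assumed stand-in for DKIM's public-key
signature; sample message, account and allow-list are constructed data."""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample message (RFC 2606 style example domains, not a real capture).
# The authenticated submitter is alice@tenant.example; the From: header names an
# address in another domain that she does not control.
SPOOFED_MESSAGE = (
    "From: Finance Team <cfo@other.example>\r\n"
    "To: bob@target.example\r\n"
    "Subject: Urgent wire\r\n"
    "Date: Wed, 09 Nov 2022 22:21:16 +0000\r\n"
    "\r\n"
    "Please pay the attached invoice today.\r\n"
)
SIGNED_HEADERS = ("from", "to", "subject", "date")   # the DKIM h= list
DEMO_KEY = b"stand-in shared key (real DKIM uses the d= domain's key pair)"

# Constructed per-account allow-list: the registered-and-confirmed alternate
# addresses the thread proposes a submission service could keep.
ALLOWED_FROM = {
    "alice@tenant.example": {"alice@tenant.example", "a.smith@tenant.example"},
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split the header block into (name, value) pairs; folded lines stay joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:        # continuation of a folded field
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers


def relaxed_canonicalize(name: str, value: str) -> str:
    """RFC 6376 s3.4.2 relaxed header canonicalization: lowercase name, unfold,
    collapse whitespace runs to one SP, strip, emit name:value CRLF."""
    value = re.sub(r"\r\n[ \t]+", " ", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def signed_input(headers: list[tuple[str, str]], names: tuple[str, ...]) -> str:
    """Canonical form of each signed header; DKIM takes the last instance of a
    name first, so a duplicate added above it is not the one covered."""
    parts = []
    for want in names:
        for name, value in reversed(headers):
            if name.strip().lower() == want:
                parts.append(relaxed_canonicalize(name, value))
                break
    return "".join(parts)


def sign(headers, names, key: bytes) -> str:
    return hmac.new(key, signed_input(headers, names).encode(), hashlib.sha256).hexdigest()


def verify(headers, names, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(headers, names, key), signature)


_ANGLE_ADDR = re.compile(r"<([^<>]+)>")


def from_address(headers) -> str:
    """addr-spec of the From: header, lowercased (display name dropped)."""
    for name, value in headers:
        if name.strip().lower() == "from":
            m = _ANGLE_ADDR.search(value)
            return (m.group(1) if m else value).strip().lower()
    return ""


def from_permitted(account: str, headers, allow_list: dict) -> bool:
    """Submission-time policy check: From: must be the authenticated account or
    one of its confirmed alternates. The signature alone never tells you this."""
    addr = from_address(headers)
    allowed = {a.lower() for a in allow_list.get(account, ())} | {account.lower()}
    return addr in allowed


def run_demo() -> dict:
    headers = parse_headers(SPOOFED_MESSAGE)
    sig = sign(headers, SIGNED_HEADERS, DEMO_KEY)
    tampered = [(n, " Urgent wire (edited)" if n.lower() == "subject" else v)
                for n, v in headers]
    return {
        "signature_verifies": verify(headers, SIGNED_HEADERS, DEMO_KEY, sig),   # True
        "tampered_verifies": verify(tampered, SIGNED_HEADERS, DEMO_KEY, sig),   # False
        "from_permitted": from_permitted("alice@tenant.example", headers, ALLOWED_FROM),  # False
    }


if __name__ == "__main__":
    print(run_demo())
```

The spoofed message signs and verifies cleanly, and only the policy check rejects it; editing the Subject after signing is what the signature does catch. In a real deployment the verifier side would be an ordinary DKIM check against the `d=` domain's published key, and the `from_permitted` step would run on the submission server, before the signature is applied, against whatever address registry the provider chose to keep.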