Mark Alley via mailop wrote on 2023-06-06 02:17:
Last time it was reported to Microsoft, IIRC the individual got the
response, "it's working as expected" as to the vulnerability that
allows aligned SPF mail to be forwarded without SRS from any tenant.

Realistically, DMARC and BIMI are working as expected in this
scenario. Email was (re)sent from an (at the time) authorized IP
address and an aligned RFC5321.mailfrom header for ups.com. The fault
lies partly with UPS for keeping the include for Exchange Online in
their Hosted SPF macro (unnecessary because they don't send directly
from O365), and partly with Microsoft for allowing and enabling this
forwarding vulnerability to exist.

If recipients start to treat SPF results as untrusted when more than 256 unique IPv4 addresses are valid sender IPs, then hosts will have to listen and reduce their includes: in SPF, an over-accepting list of IPv4 addresses is basically the same as v=spf1 +all.

We all lose with this, but in SPF it's perfectly valid as well.

Sorry for not counting IPv6 in that calculation.

O365 customers can mitigate this by ensuring they sign DKIM and remove
the O365 include where feasible (only possible if O365 is not a
domain's last hop), or by signing DKIM and making the O365 include a
SPF neutral disposition.

This is more or less not needed if DMARC is strict, or if the sender wants aligned emails and rejects the rest; ADSP is also useful.

The former is the easiest and least impactful, assuming one meets that
criteria; The latter - it's a dirty fix - but current reality is
anyone that uses O365 relying on their SPF include will be vulnerable
to this until Microsoft fixes the root cause.

Mailing list next generation is more or less just IMAP shared access where no mail is sent at all, or? Usenet still works :=)
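The two points argued above (an SPF record that, via shared includes, authorizes far more than 256 IPv4 addresses is close to "+all", and demoting a shared provider include to "?include:" keeps it out of the pass set) can be checked mechanically. The following is an added example, not code from the thread or from any of the parties mentioned; it walks SPF records from a constructed in-memory table standing in for DNS (all domain names and address blocks are invented), follows include: mechanisms with the RFC 7208 lookup cap, and counts how many distinct IPv4 addresses can obtain SPF pass. The 256-address threshold is the one proposed in the discussion, not an RFC rule.

```python
import ipaddress

# Constructed in-memory TXT records standing in for DNS; every domain and
# address block here is invented for this example and is not real SPF data.
FAKE_TXT = {
    "example-shipper.test":
        "v=spf1 ip4:203.0.113.0/24 include:_spf.hosted-mail.test "
        "include:spf.big-tenant-provider.test -all",
    "_spf.hosted-mail.test": "v=spf1 ip4:198.51.100.0/26 -all",
    "spf.big-tenant-provider.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.18.0.0/15 -all",
    # Same sender, but the big shared include demoted to neutral ("?include:").
    "neutral-include.test":
        "v=spf1 ip4:203.0.113.0/24 ?include:spf.big-tenant-provider.test -all",
}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 cap on DNS-querying terms


def lookup_spf(domain):
    """Stand-in for a DNS TXT query; returns the SPF record or None."""
    return FAKE_TXT.get(domain)


def collect_ipv4(domain, lookups=None, seen=None):
    """Walk the SPF record for `domain`, following include: mechanisms, and
    return ({qualifier: [IPv4Network, ...]}, [unresolved terms]).

    Per RFC 7208 section 5.2 an include: matches only when the included record
    would yield "pass", and the match takes the include's own qualifier. So the
    included record's "+" networks are re-labelled with the include's qualifier
    and its non-pass networks never match at all.
    """
    lookups = lookups if lookups is not None else [0]
    seen = seen if seen is not None else set()
    result = {"+": [], "-": [], "~": [], "?": []}
    unresolved = []
    if domain in seen:  # include loop guard; a revisit adds no new addresses
        return result, unresolved
    seen.add(domain)
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return result, unresolved
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            result[qualifier].append(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_MECHANISMS:
                raise ValueError("permerror: more than 10 DNS-querying terms")
            inner, inner_unresolved = collect_ipv4(arg, lookups, seen)
            result[qualifier].extend(inner["+"])
            unresolved.extend(inner_unresolved)
        elif name == "all":
            if qualifier == "+":  # "+all" authorizes the entire IPv4 space
                result["+"].append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # a, mx, ptr, exists, ip6, redirect= and exp= are not resolved here.
            unresolved.append(f"{qualifier}{term}")
    return result, unresolved


def unique_ipv4_count(networks):
    """Count distinct addresses, collapsing overlaps so nothing is double counted."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


def assess_spf(domain, threshold=256):
    """Summarise how many IPv4 addresses can obtain SPF pass for `domain`."""
    by_qualifier, unresolved = collect_ipv4(domain)
    passing = unique_ipv4_count(by_qualifier["+"])
    neutral = unique_ipv4_count(by_qualifier["?"])
    return {
        "domain": domain,
        "pass_addresses": passing,
        "neutral_addresses": neutral,
        "unresolved_terms": unresolved,
        "too_broad": passing > threshold,
    }


if __name__ == "__main__":
    for d in ("example-shipper.test", "neutral-include.test"):
        print(assess_spf(d))
```

Against the constructed records, "example-shipper.test" hands SPF pass to over 131,000 addresses through its two includes, while "neutral-include.test" keeps the same shared provider reachable only as neutral, so a DMARC evaluation would have to rely on DKIM alignment for mail relayed from that provider. To run this against real records, replace `lookup_spf` with a TXT query from a DNS library and add resolution for the terms the function currently reports as unresolved.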

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop