Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Dave Crocker via mailop


On 6/5/2024 1:48 PM, Grant Taylor via mailop wrote:

> I'll argue that SMTP is still simple.
>
> Rather the language (protocol) that is spoken and the grammar (rules)
> of how to speak SMTP are simple.
>
> The language (protocol) is entirely separate from what is said using
> said language (protocol).




 * Email used to be simple.  In those days, SMTP was only slightly more
   complicated than the simplest possible protocol. (We'd lived with
   the simpler capability, with the FTP MAIL command, but the community
   wanted something a bit more 'efficient'.)
 * Email isn't simple anymore, mostly because of spam and other abuse.
   And great capabilities like multi-media.
 * The assertion of continued simplicity for SMTP is because its core
   is unchanged, after 40 years.  (And for email content, other than
   the right-hand side of the address, it's 50 years.)

The lesson of protocols like SMTP is to /start/ simple and permit
enhancement that mostly requires no change to the simple core.  Do
something useful and extensible, rather than trying to do 'everything'
all at once. (*)


As protocol architecture design lessons go, that's quite a simple 
point.  Also one that is quite difficult to learn, if one looks 
carefully at some of the protocols developed more recently.


d/

(*) Every 5-10 years, someone claims that SMTP or the email content
format needs to be replaced because they are old.  My response is that
every time there has been community demand for a change, it's been added
to the existing service.  No doubt, at some point, that won't be
possible.  But don't demand replacement until /after/ the enhancement
effort has failed.  It'll happen.  It just hasn't, yet.


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Grant Taylor via mailop

On 6/5/24 11:49 AM, Graeme Fowler via mailop wrote:

> As we all know, SMTP ain't actually simple at all. Sigh.


I'll argue that SMTP is still simple.

Rather the language (protocol) that is spoken and the grammar (rules) of
how to speak SMTP are simple.


The language (protocol) is entirely separate from what is said using
said language (protocol).


The complexity is deciding if I like what someone else said to me.  Most 
of the time I don't like what was said and I prefer to tell them such.




--
Grant. . . .
unix || die



Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Atro Tossavainen via mailop
> PS I’m definitely on the hate side today, having discovered that to actually 
> _use_ MS’s implementation of DKIM, I may well have to shell out a 6 figure 
> GBP sum. If anyone can demonstrate to me that outbound DKIM signing in 
> Exchange Online Protection is possible, and working, without any additional 
> Defender for M365 licenses then the beers are on me. So far all my research 
> points to it being a paid-for feature!

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide

?

Best,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Alexander Robohm via mailop

On 05.06.2024 at 18:49, Graeme Fowler via mailop wrote:

> PS I'm definitely on the hate side today, having discovered that to actually
> _use_ MS's implementation of DKIM, I may well have to shell out a 6 figure GBP
> sum. If anyone can demonstrate to me that outbound DKIM signing in Exchange
> Online Protection is possible, and working, without any additional Defender for
> M365 licenses then the beers are on me. So far all my research points to it
> being a paid-for feature!


I've set up outbound DKIM signing on multiple SMB tenants at an MSP and 
have heard nothing of needing an extra license. You just go to 
https://security.microsoft.com/dkimv2, create the DKIM keys, and 
activate them when you have added the CNAMEs. Since recently, the Admin 
Panel actually tells you to do this when adding a new domain and 
selecting Exchange Online.
FWIW, all those tenants have used Business licenses, but I have 
heard/seen nothing to indicate that this would be different for 
Enterprise licenses.


--
Kind regards
Alexander Robohm



Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Graeme Fowler via mailop
On 5 Jun 2024, at 13:56, Cyril - ImprovMX via mailop  wrote:
> @Graeme, I'd join @John on this; if Microsoft can validate a domain DNS, they 
> should make it mandatory to sign using the domain name and not some 
> unverifiable *.onmicrosoft.com.
> Nowadays even more when you want to have domain alignment with DMARC.

Microsoft 365’s Exchange Online component - with which I have a 
sometimes-hate/sometimes-marginally-less-hate relationship through work - is an 
immensely flexible, configurable beast with a zillion different options. The 
primary issue for me isn’t the spam side of it, it’s the fact that any vaguely 
IT literate person can create a tenancy and then try to set it up following a 
zillion different “best” practice guides on the web.

There’s only a single instance where adding a custom domain, doing the DNS 
validation, and then being forced automatically into using DKIM on that domain 
would work, and that’s where every single moving part of the email domain is 
within the tenancy. If any part of it is an externality such as an external 
filtering system, or an archiving system, or some form of governance system 
then it all falls apart very quickly.

As we all know, SMTP ain’t actually simple at all. Sigh.

Graeme

PS I’m definitely on the hate side today, having discovered that to actually 
_use_ MS’s implementation of DKIM, I may well have to shell out a 6 figure GBP 
sum. If anyone can demonstrate to me that outbound DKIM signing in Exchange 
Online Protection is possible, and working, without any additional Defender for 
M365 licenses then the beers are on me. So far all my research points to it 
being a paid-for feature!


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Cyril - ImprovMX via mailop

Thank you all for your input.

@Graeme, I'd join @John on this; if Microsoft can validate a domain DNS, they 
should make it mandatory to sign using the domain name and not some 
unverifiable *.onmicrosoft.com.
Nowadays even more when you want to have domain alignment with DMARC.

@Olivier, your input is interesting. I agree that an account can be 
compromised, but I'm more worried about ways to send an email on behalf of a 
domain without compromising the account, which isn't great.

Cyril - ImprovMX


On Wednesday, 5 June 2024 at 13:53, Gellner, Oliver via mailop
wrote:

> On 05.06.2024 at 09:48 Cyril - ImprovMX via mailop wrote:
> 
> > I got a few suspicious emails from a user.
> > I wanted to check the DKIM Signature of that domain to validate the
> > ownership but the emails are coming from Microsoft, which signs the email
> > using "{domain name}.onmicrosoft.com"
> > In my case, the sender is from aotearoa.energy and the d= part of the
> > dkim-signature is aotearoaenergy.onmicrosoft.com
> 
> > Now, I wonder. Can I trust Microsoft that if they send an email on behalf 
> > of aotearoa.energy, they initially validated the ownership or is there a 
> > way to bypass that?
> 
> 
> There is some validation, but researchers have discovered various ways to 
> send emails on behalf of a domain without:
> https://www.usenix.org/conference/usenixsecurity21/presentation/shen-kaiwen
> https://research.utwente.nl/en/publications/forward-pass-on-the-security-implications-of-email-forwarding-mec
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
> Besides that Microsoft does not enforce MFA for email accounts, so a weak or 
> reused password of one user is all that it takes to send authenticated emails 
> from that domain.
> 
> I'd closely check the headers whether anything looks suspicious.
> 
> --
> BR Oliver
> 


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Gellner, Oliver via mailop
On 05.06.2024 at 09:48 Cyril - ImprovMX via mailop wrote:

> I got a few suspicious emails from a user.
> I wanted to check the DKIM Signature of that domain to validate the ownership
> but the emails are coming from Microsoft, which signs the email using
> "{domain name}.onmicrosoft.com"
> In my case, the sender is from aotearoa.energy and the d= part of the
> dkim-signature is aotearoaenergy.onmicrosoft.com

> Now, I wonder. Can I trust Microsoft that if they send an email on behalf of 
> aotearoa.energy, they initially validated the ownership or is there a way to 
> bypass that?

There is some validation, but researchers have discovered various ways to send 
emails on behalf of a domain without:
https://www.usenix.org/conference/usenixsecurity21/presentation/shen-kaiwen
https://research.utwente.nl/en/publications/forward-pass-on-the-security-implications-of-email-forwarding-mec
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Besides that Microsoft does not enforce MFA for email accounts, so a weak or 
reused password of one user is all that it takes to send authenticated emails 
from that domain.

I'd closely check the headers whether anything looks suspicious.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, commercial register Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

Data protection information
When you contact us, for example when you have questions for our
ServiceCenter, shop with us or visit our dialogicum in Karlsruhe, have a
business relationship with us or apply to us, we process personal data.
Information on, among other things, the specific data processing
operations, retention periods, your rights and the contact details of our
data protection officer can be found here:
https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread John Levine via mailop
It appears that Cyril - ImprovMX via mailop said:
> Now, I wonder. Can I trust Microsoft that if they send an email on behalf of
> aotearoa.energy, they initially validated the ownership or is there a way to
> bypass that?


tl;dr It's self service with, as far as I can tell, no validation at all.

In my experience, mail from whatever.onmicrosoft.com is overwhelmingly phishes
and spam.  Anyone with a real business should be using their own domain to send
mail from MS 365 rather than an onmicrosoft one.

R's,
John


Re: [mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Graeme Fowler via mailop

On 5 June 2024 08:57:38 Cyril - ImprovMX via mailop wrote:
> All of this because Microsoft is unable to properly sign an email with the
> sender's domain to prove ownership...


All of that because the tenant administrator hasn't set up the Exchange 
Online service to sign outbound with their own domain, so it gets the 
default DKIM signature of the tenancy domain (the onmicrosoft bit).


In order to use a domain as an outbound sending domain, the domain owner 
has to validate it in their DNS - so they've done that.


The tools are there, they just have to be used properly.

Graeme


[mailop] How to ensure ownership from a Microsoft email?

2024-06-05 Thread Cyril - ImprovMX via mailop
Hi everyone!

I got a few suspicious emails from a user.
I wanted to check the DKIM Signature of that domain to validate the ownership
but the emails are coming from Microsoft, which signs the email using "{domain
name}.onmicrosoft.com"
In my case, the sender is from aotearoa.energy and the d= part of the
dkim-signature is aotearoaenergy.onmicrosoft.com

Now, I wonder. Can I trust Microsoft that if they send an email on behalf of 
aotearoa.energy, they initially validated the ownership or is there a way to 
bypass that?

For those curious, the story is absolutely shady but valid at every step:

I got an initial email from "TP Icap", but with the domain "icap.com" saying 
they acquired aotearoa.energy.
I checked and it's true, TP Icap really acquired the service Aotearoa.

If you go to aotearoa.energy, you'll see a blank "NGINX" page, and if you go to 
www.aotearoa.energy, you'll get ... a logo.

A few days later, I got an email from them about an onboarding questionnaire
that I have to fill in (but first need to create an account on another service,
the Process Unity system).
This questionnaire includes general information (company name, address, etc.)
but also asks me about bank details!

All of this because Microsoft is unable to properly sign an email with the 
sender's domain to prove ownership...

Cyril - [ImprovMX](https://improvmx.com)
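The check the thread keeps circling back to is identifier alignment: does the d= domain in the DKIM-Signature match the RFC5322.From domain, or is the message carrying only the tenant's default *.onmicrosoft.com signature that Graeme and Alexander describe? DMARC answers exactly that question, and Oliver's advice to look closely at the headers comes down to it. The script below is an added example, not code from the thread or from any poster: it parses constructed sample headers (placeholder signature values, not real signatures), extracts the d= and s= tags, and reports relaxed or strict alignment against the From domain. It assumes the organizational domain is simply the last two labels, which is a simplification of the Public Suffix List lookup a real DMARC verifier performs, and it does not verify the signature cryptographically (that needs the selector's DNS record), so it triages rather than authenticates.

```python
"""DKIM d= / From alignment triage (added example, not from the mailop thread).

Simplifications, labelled as such: no cryptographic verification of the
signature, and the organizational domain is the last two DNS labels instead
of a Public Suffix List lookup.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From on the customer domain, but the only signature is
# the tenant default d=...onmicrosoft.com, as described in the thread.
SAMPLE_TENANT_DEFAULT = """\
From: Someone <someone@aotearoa.energy>
To: recipient@example.invalid
Subject: Onboarding questionnaire
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aotearoaenergy.onmicrosoft.com;
 s=selector1; h=From:To:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

(body)
"""

# Constructed sample: the tenant admin enabled signing for the custom domain.
SAMPLE_ALIGNED = """\
From: Someone <someone@aotearoa.energy>
To: recipient@example.invalid
Subject: Onboarding questionnaire
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aotearoa.energy;
 s=selector1; h=From:To:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

(body)
"""


def dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).
    Whitespace inside a value (folding) is discarded; tag names are lowercased."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. A real DMARC
    verifier consults the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_alignment(raw_message: str, mode: str = "relaxed") -> dict:
    """Report, per DKIM-Signature, whether d= aligns with the From domain.
    mode is "relaxed" (organizational domains match) or "strict" (exact)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    signatures = []
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = dkim_tags(str(sig))
        d = tags.get("d", "").lower()
        if mode == "strict":
            aligned = d == from_domain
        else:
            aligned = organizational_domain(d) == organizational_domain(from_domain)
        signatures.append({
            "d": d,
            "s": tags.get("s", ""),
            "aligned": aligned,
            # The tenant default signing domain the thread talks about.
            "tenant_default": d.endswith(".onmicrosoft.com"),
        })

    return {
        "from_domain": from_domain,
        "signatures": signatures,
        "any_aligned": any(s["aligned"] for s in signatures),
        "only_tenant_default": bool(signatures) and all(s["tenant_default"] for s in signatures),
    }


def triage(raw_message: str) -> str:
    """One-word summary for a reviewer: aligned, tenant-default-only, unaligned, unsigned."""
    result = check_alignment(raw_message)
    if not result["signatures"]:
        return "unsigned"
    if result["any_aligned"]:
        return "aligned"
    if result["only_tenant_default"]:
        return "tenant-default-only"
    return "unaligned"


if __name__ == "__main__":
    for label, sample in (("tenant default", SAMPLE_TENANT_DEFAULT), ("custom domain", SAMPLE_ALIGNED)):
        print(label, "->", triage(sample), check_alignment(sample)["signatures"])
```

A "tenant-default-only" result tells you only what Graeme's reply already implies: the tenant validated the custom domain well enough to send as it, but never switched on DKIM for it, so the signature proves nothing about aotearoa.energy and the message should be handled with the same suspicion as any other DMARC-unaligned mail.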