Score:0

Hotmail does not flag or remove phishing messages from email addresses on a domain with SPF enabled


The email address of the sender of our newsletter is used for phishing purposes. We do have a valid SPF record (ending with -all) and DMARC on our domain (confirmed by mxtoolbox.com: every check is green/good). However, some hotmail.com and yahoo subscribers are receiving the bad messages.

Delivered message header example (my domain replaced with mydomain.com):

Received: from AM0EUR02FT053.eop-EUR02.prod.protection.outlook.com
 (2603:10a6:203:a3:cafe::24) by AM5PR0602CA0015.outlook.office365.com
 (2603:10a6:203:a3::25) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.17 via Frontend
 Transport; Thu, 18 May 2023 20:00:29 +0000

Authentication-Results: spf=fail (sender IP is 74.220.218.251)
 smtp.mailfrom=mydomain.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine
 header.from=mydomain.com;compauth=fail reason=000

Received-SPF: Fail (protection.outlook.com: domain of mydomain.com does not
 designate 74.220.218.251 as permitted sender)
 receiver=protection.outlook.com; client-ip=74.220.218.251;
 helo=outbound-ss-2173.bluehost.com;

Received: from outbound-ss-2173.bluehost.com (74.220.218.251) by
 AM0EUR02FT053.mail.protection.outlook.com (10.13.55.226) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6411.14 via Frontend Transport; Thu, 18 May 2023 20:00:28 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:DA2D70975B34AF56A4C6BB7C8F702F23F79F3DC78ECCEAF1A0837B45D961804C;UpperCasedChecksum:C8456286D1E9561E0C8180B32877B9F796154342C827979774F79B83E92CE58D;SizeAsReceived:2147;Count:30

Received: from cmgw14.mail.unifiedlayer.com (67-20-127-198.unifiedlayer.com [67.20.127.198])
      by soproxy8.mail.unifiedlayer.com (Postfix) with ESMTP id C2B028048C4A
      for <[email protected]>; Thu, 18 May 2023 20:00:27 +0000 (UTC)

[...]
X-SID-Result: FAIL
X-Microsoft-Antispam: BCL:4;

X-Microsoft-Antispam-Mailbox-Delivery:      abwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;auth:0;dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117)(90012020)(91020020)(90015022)(91040095)(9050020)(9100338)(2008001134)(4810010)(4910033)(8820095)(9610025)(9525003)(10145022)(9439006)(9310011)(9220031);

[...]

All SPF/DMARC/etc. tests fail, but the message is still delivered to the inbox. Why is Hotmail letting them through?

Thanks,

Reinto:
It could have multiple causes, but these are the most common: a) the recipient safe-listed the newsletter email address or your entire domain; b) although DMARC suggests quarantine, Hotmail will actually deliver to Junk, because of the absence of quarantine functionality; c) mailbox or forwarding rules overwrite the initial junking. Have you checked these options with the recipients?
joeqwerty:
We're not Hotmail support and therefore cannot answer this question as to why they delivered the email to the recipient. Reach out to Hotmail support and ask them for a definitive answer.
Reinto:
I agree we're not Hotmail support (or Yahoo for that matter), but I still believe the question is valid as to why (multiple) big MSPs are delivering emails to the Inbox while they are clearly failing DMARC authentication. In the real world I see many newsletters advising their recipients to safe-list their address "to never miss a thing". In my opinion DMARC should overwrite safe listing. Would you agree, @joeqwerty?
joeqwerty:
@Reinto the point is though, that we don't know why Hotmail delivered the email to the recipient and there's no way for us to find out, therefore this question can't be answered here. We can speculate, but that would just be... speculation.
sglessard:
@joeqwerty I agree with you. I was just wondering if I was missing something from the log I've posted.
Reinto:
@sglessard Is the header information from an email that actually went into the Inbox of a subscriber? If so, from it you can distil information about why the email was accepted into the Inbox instead of being junked. For example, you could look for the `X-Microsoft-Antispam-Mailbox-Delivery` header. While we cannot definitively answer your question, there's a good chance that, with a little help, you can. And I do believe that information might be helpful in an answer to this question on ServerFault.
sglessard:
@Reinto I edited the question with the `X-Microsoft-Antispam-Mailbox-Delivery` header. I guess that user had added the sender address to Trusted Senders. Because of this, Outlook skips the SPF/DMARC/DKIM auth checks. Thanks for your input.
Score:1

It is common for newsletters to ask recipients to add the newsletter email address to their address book or safe senders list. This practice actually creates a hole in the spam filtering policies of many of the larger Mailbox Service Providers, as safe-listed addresses are generally delivered into the Inbox, overruling email authentication results.

In the example email from Hotmail, even though the Spam filtering there is not well-documented, we can tell from the naming of the tags what is happening:

  • abwl:0 - Address Book White Listing = False
  • wl:1 - White listing = True
  • pcwl:1 - Personal Contact (?) White Listing = True
  • dwl:0 - Domain White List = False
  • auth:0 - Authenticated = False
  • dest:I - Destination = Inbox (as opposed to dest:J for destination = Junk)
  • OFR:TrustedSenderList - Override Reason = address on Trusted Sender List

The above interpretation could be wrong on some of the tags, but I hope we can agree on the reason why these emails sometimes end up in the Inbox folder when you would have expected them to be junked or quarantined: the user added the address (or domain) to their address book or Safe Senders.
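As an added example (not code from the question or the answer), here is a small Python parser that unfolds the two headers quoted in the question and turns them into the reading given above: it extracts the `spf`/`dkim`/`dmarc`/`compauth` verdicts from `Authentication-Results`, splits the `X-Microsoft-Antispam-Mailbox-Delivery` tags, and reports when a DMARC failure was overridden into the Inbox. The header text is reproduced from the post as a constructed sample; the tag labels (`abwl`, `wl`, `pcwl`, `dwl`, `auth`, `dest`, `OFR`) are the answer's interpretation, which Microsoft does not document, so treat them as an assumption.

```python
"""Explain why a message that failed SPF/DMARC still reached the Inbox, by reading
the Authentication-Results and X-Microsoft-Antispam-Mailbox-Delivery headers.

Added example, not code from the Server Fault post. Tag meanings follow the
answer's interpretation (assumed; the header is undocumented by Microsoft).
"""
import re

# Constructed sample: the two headers quoted in the question, domain replaced as in the post.
SAMPLE_HEADERS = (
    "Authentication-Results: spf=fail (sender IP is 74.220.218.251)\n"
    " smtp.mailfrom=mydomain.com; dkim=none (message not signed)\n"
    " header.d=none;dmarc=fail action=quarantine\n"
    " header.from=mydomain.com;compauth=fail reason=000\n"
    "X-Microsoft-Antispam-Mailbox-Delivery:\n"
    "\tabwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;auth:0;"
    "dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117);\n"
)

# Labels for the Mailbox-Delivery tags, per the answer's reading (assumption, undocumented).
TAG_LABELS = {
    "abwl": "address-book whitelist",
    "wl": "whitelist",
    "pcwl": "personal-contact whitelist",
    "dwl": "domain whitelist",
    "auth": "authenticated",
    "dest": "destination folder",
    "OFR": "override reason",
}


def unfold_headers(raw: str) -> dict:
    """Join RFC 5322 folded continuation lines; return {lower-cased name: value}."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    headers = {}
    for line in unfolded.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    return headers


def parse_authentication_results(value: str) -> dict:
    """Pull method=result pairs (spf, dkim, dmarc, compauth) out of Authentication-Results."""
    no_comments = re.sub(r"\([^)]*\)", "", value)  # drop "(sender IP is ...)" style comments
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", no_comments)
    return {method.lower(): result.lower() for method, result in pairs}


def parse_mailbox_delivery(value: str) -> dict:
    """Split the semicolon-separated key:value tags of X-Microsoft-Antispam-Mailbox-Delivery."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition(":")
        if sep:  # skips the empty trailing element after the final ';'
            tags[key] = val
    return tags


def explain_delivery(raw_headers: str) -> dict:
    """Return the auth verdicts, where the mail landed, which safelists fired, and a finding."""
    headers = unfold_headers(raw_headers)
    auth = parse_authentication_results(headers.get("authentication-results", ""))
    tags = parse_mailbox_delivery(headers.get("x-microsoft-antispam-mailbox-delivery", ""))
    dmarc_failed = auth.get("dmarc") == "fail"
    inbox = tags.get("dest") == "I"  # "I" = Inbox, "J" = Junk per the answer's reading
    override = tags.get("OFR")
    safelisted = [k for k in ("abwl", "wl", "pcwl", "dwl") if tags.get(k) == "1"]
    if dmarc_failed and inbox and override:
        reasons = ", ".join(TAG_LABELS[k] for k in safelisted) or "no safelist tag set"
        finding = f"DMARC failed but delivered to Inbox: override {override} ({reasons})"
    elif dmarc_failed:
        finding = "DMARC failed; no Inbox override seen in Mailbox-Delivery tags"
    else:
        finding = "DMARC did not fail"
    return {"auth": auth, "dest": tags.get("dest"), "override": override,
            "safelisted": safelisted, "finding": finding}


if __name__ == "__main__":
    print(explain_delivery(SAMPLE_HEADERS)["finding"])
```

Run on the sample it reports that DMARC failed yet `dest:I` with `OFR:TrustedSenderList`, with `wl` and `pcwl` set, which is the safe-sender explanation above. Pointing it at headers from a junked copy (`dest:J`, no `OFR`) gives the second branch, so the same script distinguishes a recipient-side safelist override from a genuine filtering miss.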
