Exchange Online Protection (EOP), also known as Office 365, will soon be supporting DMARC for authenticating email which is a feature designed to combat phishing and spoofing of email. If you’re unfamiliar with DMARC, here are a few links that explain it:

• My own blog post: A brief introduction to DMARC
  http://blogs.msdn.com/b/tzink/archive/2014/11/04/a-brief-introduction-to-dmarc.aspx
  
  
• My article for Virus Bulletin: Using DMARC to improve your email reputation
  https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Zink.pdf
  
  
• Video: My presentation on DMARC from Virus Bulletin
  https://www.youtube.com/watch?v=wxX-XknaMYQ
  
  
• Slideshare: DMARC training at the NANOG conference
  http://www.slideshare.net/kka7/fighting-email-abuse-with-dmarc?qid=5e90be27-3fc0-41ed-9d71-253978cc6a12&v=default&b=&from_search=2
  
  
• DMARC overview and specification
  http://dmarc.org/

You can read through any number of the above links to see how DMARC works. Office 365 does things a little bit differently as I will explain below.

How to enable DMARC in Office 365

You don’t have to do anything to enable DMARC in Office 365. After we finish rolling it out, it will be enabled automatically. To verify that it is working, EOP adds the following DMARC verification information to the Authentication-Results header: 

Authentication-results: protection.outlook.com; spf=pass 
  (sender IP is xx.xx.xx.xx) smtp.mailfrom=user@contoso.com
dkim=none (message not signed) header.d=none; dmarc=none
action=none header.from=contoso.com;

The dmarc=<result> indicates whether the message passed or failed DMARC, with a range of actions that include pass, fail and none. 

The action=<action> indicates what the spam filter’s action will be based on the DMARC result, described below.

Behavior of DMARC for inbound messages in Office 365

One of the key changes that Office 365 has made that differs from the DMARC specification is how it treats messages that fail DMARC for inbound messages. If the DMARC policy says p=reject, EOP will mark the message as spam instead of rejecting it. In other words, for inbound email,EOP treats p=reject and p=quarantine the same way.

The reason for this is that there is some legitimate email that fails DMARC. Examples include sending email to mailing lists which is relayed to all list participants, and “Send-to-a-friend” articles from newspaper websites. If EOP rejected these messages per the DMARC specification, people could lose legitimate email with no way to retrieve it.

In EOP’s implementation, these types of emails will still fail DMARC but they will be marked as spam. However, users can still get them to their inboxes by adding safe senders or by administrators creating Exchange Transport rule (ETR) Allow for those particular senders. When the DMARC Working Group adds support for these types of messages, EOP will support it. But for now, this is the way it works.

If EOP overrides the p=reject action, this is indicated in the headers by putting an o.reject into the action=<action> field. For example:

dmarc=fail action=o.reject

This means that the message failed DMARC and the policy was p=reject, but EOP overrode the verdict to subsequently mark it as spam. A safe sender or ETR may yet override that verdict.

If a message fails DMARC and the action is reject or quarantine, but the message has a pct=<value> which says to not apply the DMARC action to every message, this is indicated by adding the pct tag to the action. For example:

dmarc=fail action=pct.quarantine

This means that the message failed DMARC and the action was quarantine, but the pct field was not 100% and the system randomly determined not to apply the DMARC action, as per the specified domain’s policy.

Behavior of DMARC for outbound messages in Office 365

EOP more-or-less follows the DMARC specification for outbound messages. If a message is outbound from EOP and fails DMARC, then if the action is p=quarantine it will be routed through the High Risk outbound IP pool. However, if the message fails DMARC and the action is p=reject, the message will be rejected. There is no override for outbound email.

If you publish a DMARC reject policy (not p=quarantine, and not p=none), no other customer in Office 365 can spoof your domain because they will not be able to pass SPF or DKIM for your domain when relaying a message outbound through the service.

However, if you do publish a DMARC reject policy but don’t have all of your email authenticated, some of it may be marked as spam for inbound email (as described above), or it will be rejected if you do not publish SPF and try to relay it outbound through the service.

How you can use DMARC if you use Office 365

If you’re an Office 365 customer, here’s how to make the most out of Office 365:

1. If you’re a small customer and your domain doesn’t get spoofed, you don’t have to do anything!
   
   DMARC will start working to block more spam and phishing for you automatically.
   
   You may have to add safe senders or ETRs that allow mail from certain senders because they fail DMARC simply because of the way the email is sent (e.g., mail sent to distribution lists, send-to-a-friend). This is a minority of total legitimate email but some customers may be more sensitive to it than others. In parallel, EOP is working on ways to proactively exclude known good senders from DMARC failures but does not have an exhaustive list.
   
   
2. If you’re a large customer that is prone to spoofing, or even a small sender that gets spoofed, you will need to set up DMARC records if you don’t have them already.
   
   SPF records are not sufficient, you need to set up DMARC records.
   
   a) First, determine if all of your email is authenticated.
   
   If so, you may be fortunate enough to publish a p=reject DMARC policy.
   
   However, most domains need a try-before-you-buy strategy. You can publish a DMARC policy with action=none and collect data.
   
   
   b) Second, it is useful to pick a 3rd party to work with to collect and analyze DMARC reports.
   
   Three from the industry are:
   
   - Agari,http://agari.com/– Microsoft used Agari to improve its SPF authentication
   - ReturnPath, http://www.returnpath.com/– provides good tools for senders and receivers
   - DMARCIAN, https://dmarcian.com/– has some good tools for smaller domains
   
   It is not required to set this up, however, the tools these companies provide make it possible to sort through large amounts of data very quickly.
   
   
   c) Set up DMARC records.
   
   Even if you can’t publish p=reject or p=quarantine, you can still publish p=none and collect feedback. For example, below is Microsoft’s DMARC record (published at the TXT record for _dmarc.microsoft.com):
   
   _dmarc.microsoft.com.   3600    IN      TXT     "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1"
   
   Microsoft sends its DMARC reports back to Agari, a 3rd party.
   
   Once this record is published, all receivers who support DMARC – including Office 365 when the feature is released – will start checking DMARC and sending reports. You can use these reports to authenticate all of your email if you have published p=none so that you can eventually move to p=reject.
   
   
   d) Something unique to Office 365 – you can create a rule that applies only to your own inbound mail flow.
   
   Many companies publish p=none because they are unsure about how much email they may lose by publishing a more restrictive DMARC policy. Microsoft, for example, is not yet in a position to publish p=reject because email sent to other third parties like Gmail, Yahoo, AOL, and so forth may discard important email if it does. Your company may be in the same position.
   
   If you set up DMARC records, you can create an ETR that marks messages as spam for spoofed messages of your company that fail DMARC. This means that all spoofed email of your domain into Office 365 will be marked as spam, but anywhere else – at Gmail, Yahoo, AOL – will not be marked as spam (at least not due to DMARC). Some legitimate email may be marked as spam, but to get around this either ensure that the email is authenticated by updating SPF records or signing it with DKIM; or, add a safe sender or ETR allow rule for the sender.
   
   The ETR will look something like the following. You may want to add exceptions to the rule for known senders who spoof your domain but are not malicious.
   
   The advantage of this is that your domain cannot be spoofed by outside senders for inbound messages to your organization which is common in spear phishing, yet marketing messages that go over the Internet are not affected.
   
   You should still properly authenticate your email because it reduces false positives and it shrinks the list of exceptions. If you publish p=reject you will no longer need this rule.
   
   
   
   

That concludes how to use DMARC in Office 365. DMARC is a step forward in fighting spam and phishing, and Office 365 allows customers to further tweak it to get even more value out of it.

When signing up for anonymous inbound IPv6 support in Office 365, Office 365 requires that senders over IPv6:

1. Send email from an IP with a PTR record
2. The sending message must pass either SPF or DKIM

Office 365 customers are given a special tag to publish in their MX records which the service resolves. Suppose that Contoso, whose domain is contoso.com, is an IPv4-only customer. Their MX records that they publish in their DNS look like the following:

contoso.com.        3599    IN    MX    5 contoso-com.mail.protection.outlook.com.

Which resolves to: 

contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.138
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.215
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.170

Contoso publishes their mx record contoso-com.mail.protection.outlook.com, but Office 365 then resolves that domain with the above A-record (since Office 365 owns the zone fileprotection.outlook.com).

When a customer enables IPv6, their MX records look like the following:

contoso.com.        3599    IN    MX    5 contoso-com.mail.protection.outlook.com.

Which resolves to:

contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.138
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.215
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.170
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::1:10
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c09::11
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::10

Both IPv4 and IPv6 resolve to the same MX priority and it’s up to the sending mail server to pick which one to use. However, because mail servers are supposed to prefer IPv6 over IPv4, most will start with IPv6.

The problem of dual stack IPv4 and IPv6 at the same MX priority

There are a lot of mail servers that send over IPv4 no matter what. And, there are mail servers that will send over IPv6 first (examples include LinkedIn, Gmail, and Office 365 itself). This is fine for senders who authenticate, but what about small senders?

We still live in a day and age where many senders don’t publish SPF records. This includes a lot of small businesses who go to a registrar, get a domain, and send email the same day. They don’t know anything about SPF. Indeed, in Office 365, only 80% of the inbound email we receive has an SPF record and this is heavily skewed by a few large senders.

What frequently happens is that a small business uses their ISP that has properly set up PTR records for their infrastructure to send email. But their ISP then sends email over IPv6 instead of IPv4 and the sender receives a bounce, saying “Huh? What’s SPF? What’s DKIM? I don’t get it.”

For a small receiver like myself, I get email from a few sources like newsletters, and friends and family on large mail providers. Large mail providers all authenticate their email, and so do good newsletters. That’s because their business is getting email delivered so they are on top of things.

But small businesses and senders are not. For someone like me, it doesn’t matter because I don’t have anyone like that who regularly communicates with me. But for a large business that deals with lots of senders, they will lose some legitimate email from senders who don’t authenticate because they don’t know anything about email authentication and their mail provider picks IPv6, unbeknownst to them.

A workaround for IPv6

There is a workaround for this problem. It is not officially endorsed by Office 365 but it should work, I tested it the other day. What you need are two domains whose MX is hosted by Office 365.

This shouldn’t be a problem. If you are a customer with a custom domain, you will have your custom domain plus <yourname>.onmicrosoft.com, for example, contoso.com and contoso.onmicrosoft.com. You get the *.onmicrosoft.com automatically even if you never use it. Alternatively you could create a domain that is used specifically for this purpose.

Your two domains’ MX records would then be the following:

contoso.onmicrosoft.com. 21599    IN MX    10 contoso.mail.protection.outlook.com.

contoso.com.    3599    IN    MX    10 contoso-com.mail.protection.outlook.com.

What you can do is the following – if you want to enable contoso.com for IPv6 (because that is the domain you send email from, not contoso.onmicrosoft.com):

1. Request to have your primary domain enabled for IPv6, in this case contoso-com.mail.protection.outlook.com.
   
   
2. Update your DNS records for this domain’s MX records.
   
   For your primary domain (the one you want enabled for IPv6), publish your non-primary domain MX – the one that is IPv4 only - as the higher MX priority (lower number in DNS), and the primary domain’s MX – the one that is IPv6 and IPv4 – as the lower MX priority (higher number in DNS).
   
   For example:
   
   contoso.com.    3599    IN    MX    0 contoso.mail.protection.outlook.com.
   contoso.com.    3599    IN    MX    10 contoso-com.mail.protection.outlook.com.
   
   Which resolves to:
   
   contoso.mail.protection.outlook.com. 9 IN    A 207.46.163.138
   contoso.mail.protection.outlook.com. 9 IN    A 207.46.163.215
   contoso.mail.protection.outlook.com. 9 IN    A 207.46.163.170
   
   contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.138
   contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.215
   contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.170
   contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::1:10
   contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c09::11
   contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::10

What happens is that an IPv4-only email sender to @contoso.com will pick highest priority MX, in this case, the one that is MX 0 which only advertises IPv4 addresses.

However, an IPv6-only email sender to @contoso.com will iterate through the MX records, looking for IPv6 AAAA records until it finds one. It finds it at the lower MX (10) priority.

A dual-stack sender, one that sends over both IPv4 or IPv6, will only send over IPv4 unless the mail server is unavailable and retries over multiple MX records, or sends to the secondary MX (which some senders do – I’m looking at you backcountry.com).

Benefits and drawbacks of this method

This is not an officially endorsed way of receiving email over IPv6.

For one thing, customers have to play around with MX records in DNS rather than simply publishing what we tell them to with a straightforward one-to-one mapping. Setting up DNS records is not most people’s core competency.

Second, the entire point of requiring SPF and DKIM is to move the industry forward – 20% of email does not have SPF and it’s more than that in terms of unique senders because big senders (Facebook, LinkedIn, Twitter, etc.) have so much more email that account for the majority of mail sent, but not the majority of unique senders. This workaround lets unauthenticated email stay unauthenticated.

Still, this requirement does not remove the minimum sending requirements for IPv6 (PTR + SPF or DKIM); it only allows “poor” senders to stay on IPv4. But if you’re going to send on IPv6 intentionally you probably already have PTRs + SPF and DKIM set up.

This workaround lets you receive email over IPv6 if you have a lot of unauthenticated senders by encouraging them to stay on IPv4. And, the IPv6 senders will still be able to reach you because they probably know what they are doing. We still prefer you have dual stack IPv4/IPv6 MX records at the same priority.

But if you can’t, you can try this.

Related Articles

• Support for anonymous inbound email over IPv6 in Office 365
  http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx
  
  
• How to create Allow rules for senders in Office 365 over IPv6
  http://blogs.msdn.com/b/tzink/archive/2014/10/28/how-to-create-allow-rules-in-office-365-for-senders-over-ipv6-and-also-for-ipv4.aspx

Over the past two weeks, Office 365 (Exchange Online Protection) has improved its detection of spam, phishing and malware by increasing the number of URLs in its reputation lists. Two months ago we were at 750,000 URLs, we are now at 1.7 million – an increase of almost 100%!

Secondly, we decreased the amount of time between refresh intervals; that is, the time between when we download a new list and when those first are replicated across the network has shrunk. I don’t have the exact before and after numbers (i.e, I could be off on the numbers by a wide margin), but it’s something like this - We used to be at 30-45 minutes, now we are 15-17 minutes. We are going to be shrinking that window even further.

If you’re a customer, you’ll notice a change immediately be seeing fewer spam messages in your inbox. You may have even noticed it a couple of weeks ago.

That’s not all the changes that are coming, though:

• Even more URL reputation lists.
  
  We’re at 1.7 million URLs, and we’re always checking to see if new lists can help us even more.
  
  
  
• Reducing the replication time even more.
  
  We’ve made great strides in how fast we can distribute new lists, and we want to make sure we can push out the data even faster to shrink the window of when a new malicious URL appears to when our customers are protected.
  
  
  
• Changes to the email client to identify phishing and malware.
  
  One of the things we are working on is making the mail client (e.g., Outlook, Outlook Web Access) work better with the spam filter. One of the problems that companies face is that even when a message is detected as spam or phishing, users can still dig into their junk folders or spam quarantines, think the message is real but mistakenly marked as spam, and then take action on it. “Why is that message from Bank of America in my junk folder? I better check it out.”
  
  Well, it turns out there is something we can do. Two of the URL lists we use – Spamhaus’s Domain Block List (DBL) and the SURBL list – divide up their lists into categories. Both of these have sub-categories of malware and phish. We can make the mail client understand that the spam filter thinks these messages contain links to malware or phishing links and then disable the links in the message.
  
  Your Outlook and OWA mail clients disable messages if they are marked as spam and sent to the quarantine. But, you can still rescue them and inspect them. By modifying the mail client, users can still go into their junk folders and quarantines and rescue the message but the mail client still prevents them from taking action as if to say “We know you think it’s legitimate but trust us – it’s not.”
  
  This is still in the early stages but we think that getting your email client to work together with the mail filter will help add an additional layer of security to protect users and organizations better.

Those are some of the recent changes to Office 365, as of December 2014. As always, if you have problems or want to say “Hey, good to see this!”, let us know.

For several months now, I have been thinking about starting a podcast – Terry Zink: Security Talk (which coincidentally happens to be the name of this blog). I’ve been toying with this idea since summer of 2014.

I’ve put it off because I am not sure I have enough content or if I want to put the work into it. I don’t write that much on my blog anymore, so by what logic do I think I can maintain a podcast?

But I keep thinking about it so I obviously want to do it.

The theme of the podcast will be similar to this blog except that I will go a bit deeper into certain topics about security, discuss psychological aspects of why people fall for scams, and I hope to interview guests from across the Internet about security.

I’m in the process of pulling things together. If I do it, I commit to make at least 2 podcasts.

Stay tuned!

One of the improvements to the Exchange Online Protection (EOP) service, also known as Office 365, that has been released over the past few weeks is IP throttling [1].

Office 365’s implementation looks at IP reputation, inspects the IP’s sending history, and makes decisions about whether or not to allow the message. The idea behind this is that spammers will routinely rotate through IP addresses every single day. The IP has no sending history and is not on any IP reputation list. So, they spin up a new spam campaign and pump as much spam through as they can before these reputation lists can catch up.

It was a pain point for our customers for a few months this year because of a new spammer that we saw that made extensive use of this.

No more.

Office 365 now makes use of basic IP throttling where sending email from a brand new IP is no longer advantageous; indeed, it now works against senders. For spammers, this is bad and for our customers, this is good. It means that this type of spam is greatly reduced (our internal statistics show a major decrease in spam from new IPs because of this). But the flip side is that there are lots of good senders that spin up email from new IPs, or have erratic sending patterns, but are not sending spam. Unfortunately, they sometimes trip up the same IP throttling patterns. We try to fix these as we encounter them.

That’s one of the recent changes to Office 365, as of January 2015. As always, if you have problems or want to say “Hey, good to see this!”, let us know.

If you’re wondering when Office 365 is going to release inbound validation for DKIM-on-IPv4 and DMARC support, I have an update for you.

1. We are currently evaluating DKIM-on-IPv4 everywhere in the service but are fixing the remaining bugs
   
   Today, we stamp the DKIM results in a temporary header, X-DkimResult (or X-DkimResult-Test), but eventually we will stamp it in the Authentication-Results header. For example, if the signing domain in the d= field in the DKIM-Signature header is d=example.com:
   
   Authentication-Results: spf=pass (sender IP is 1.2.3.4)
     smtp.mailfrom=user@example.com; contoso.com; dkim=pass (signature
     was verified) header.d=example.com;
   
   The temporary header does show the DKIM evaluation but we found that there were problems when the Exchange mail server was modifying (formatting) message content. We have addressing the remaining corner cases as we find them and have driven down the number of DKIM failures that weren’t really failures but instead were caused by Content Transformation (an agent in Exchange that formats messages).
   
   I have some rules in my personal tenant that look for DKIM failures based upon that temporary header and I can confirm that they have decreased dramatically.
   
   
2. We have to fix a bug with the Authentication-Results stamping
   
   We have a bug where the Authentication-Results header is being overwritten; it’s stamped but then stripped and stamped again but the DKIM result is not included (this is due to some infrastructure in the spam filter that we are replacing). We need to fix that because stamping the results of DKIM in clear text is important.
   
   
   
3. Even after we release DKIM, there will still be some problems if downstream mail servers try to re-authenticate
   
   As I mention above, the Exchange mail server formats message content. We evaluate DKIM before the content has been transformed, but the email is recreated and passed to the mailbox storage (or passed to another outbound connector) after the message has been transformed. We have to fix that but it won’t be done before we release DKIM. This issue occurs on all versions of on-premise Exchange except Exchange 2013 that has the latest updates.
   
   
4. There’s a problem with DMARC where customers whose primary MX records do not point to Exchange Online Protection (EOP) generate DMARC failures
   
   This is described in point #3 in my blog post How to use DMARC in Office 365. Basically, we were seeing DMARC failures and it didn’t make sense, but upon troubleshooting we noticed it is because customers sometimes route email through themselves first which can break DMARC under certain circumstances.
   
   We are working on a solution for this.

We are aiming to release DKIM-on-IPv4 and DMARC in Q1 of 2015, but the above describes where we are right now.

I sometimes think to myself about how little progress has been made in Internet security in general since I first started working in it 10 1/2 years ago.

To be sure,  lots of things have come out:

• Email authentication techniques
• Multi-factor authentication for logging into email accounts, social media accounts, etc.
• TLS for transmitting data securely
• Anti-malware products
• Extended Validation SSL certificates
• Plus the tons of things I haven’t mentioned

We are so much further ahead now than we were back then that it makes me smile when I look over the list of technologies that have made us safer.

But what is even more mind boggling is the scope of the data breaches and cyber security breakdowns that still occur today despite all of this technology:

• DDOS attacks are still a thing
• Botnets and crimeware-as-a-service still exists and is getting better
• Target and Home Depot suffered hacks that leaked millions of records and plenty of fraudulent charges racked up
• Sony was hacked and suffered huge data loss

The question in my mind is that if security technology has gotten better then why does the impact of a security failure keep getting worse? Shouldn’t it be getting more and more contained?

In Stephen Pinker’s book The Better Angels of our Nature, he observes that in spite of all the headlines that lead us to believe the contrary, humanity has been getting steadily less violent over time. There are a variety of reasons for this, but basically, society is changing for the better so we can learn from the things we did wrong and more importantly, also from the things we are doing right that have led to this drop in violence.

But cybersecurity is not displaying this same trend. If anything, my job has gotten more and more difficult as time passes. The problem is getting worse.

Disclaimer: This may simply be the availability heuristic. I am close to the data and therefore I think things are getting worse because I hear about it all the time because of the industry I am in, when in reality things are getting better. I tend to doubt that, but then again, of course I would – my brain won’t let me see things any other way.

So why are things getting worse?

I have a theory. I call it “The Red Queen Theory of Cybersecurity” [1] or its CNAME “The Red Queen Theory of Internet Security”. It’s a term I am borrowing from evolutionary theory [2] and it comes out of Lewis Caroll’s sequel to Alice in Wonderland, Through the Looking Glass.

In Looking Glass land, the Red Queen explains to Alice the nature of the land. At the top of a hill, the Red queen begins to run, and Alice begins to chase after her. Alice is confused by the fact that even though they are running, they are staying in exactly the same place. Alice asked the queen why this is and the Red Queen remarks, “Now here, you see, it takes all the running you can do to keep in the same place.”

In evolutionary terms, this hypothesis proposes that species must constantly evolve and adapt not to gain a reproductive advantage over other members of the same species, but also to survive when faced with simultaneously other opposing organisms in a changing environment. So, as you evolve, so do parasites that are feeding on and weakening your body. You react to these parasites and evolve defenses. The parasites start dying off and evolve to continue to feed. You have to counter-evolve against this counter-evolution to fight off the parasites invading your body. And so forth.

Neither you nor the parasites are gaining any sort of competitive advantage. You are evolving just to prevent dying off, and so are the parasites. Your competitive advantage is not that you can reproduce faster than your peers, but that you can reproduce at all without being killed off by others who need your body to survive. You haven’t made any progress at all, just like that guy who kept rolling that rock up the hill only to see is slide down again. [3]

It’s worse than a Hobbesian trap (that is, an arms race). In an arms race, you build up your defenses because you think your opponent may strike you, and they believe the same thing, so you always leapfrog each other. But in the Red Queen theory, you build up your defenses because your opponent is striking you!

For all of our sophisticated immunities, we haven’t made much progress. We are only running faster and faster just to stay in the same place.

[1] Technically, this is a hypothesis.

[2] I copy/pasted a little bit from Wikipedia.

[3] I know his name is Sisyphus.

I read an article yesterday entitled Cyber thieves stole $215 million from businesses using hacked email addresses. How did they do it? Here’s a key except:

Here's a nightmare scenario: You're working in the accounts department, when you receive an email from your boss, asking that you urgently wire one of the company's foreign suppliers a five-figure sum that has been somehow missed. You do, and then you email your boss to let him or her know—only to receive an email back that reads, "Which wire transfer?"

Yep, you've been scammed—and according to a recent alert from the FBI, it's one that cyber thieves have used to pilfer almost $215 million from businesses over the past 14 months… Rather than spamming thousands of people at a time as with a regular email scam, the "business email compromise" (BEC) swindle specifically targets businesses known to work with foreign suppliers or other businesses, and to routinely use wire transfer payments.

As the article says, this is a nightmare scenario, and it is becoming more common. So how do we stop it?

One way to do it is with DMARC which protects the From: address that you see in your email client. Many corporations use Microsoft Exchange which shows your picture when the sending email address matches the person’s account information in Active Directory, for example:

Many people looking at that would be tempted to think it was a legitimate message sent from me. After all, it’s got my picture next to it.

But in this case, it’s not from me, it is spoofed. And that’s where DMARC comes in; it helps protect the From: address from spoofing, and that’s the one you really want to protect because in the corporate environment it really looks like it is an internal message, and therefore your guard is down.

This is one reason why DMARC is critically important for businesses – it helps cut down on malicious spoofing like this which is how hackers break in much (most?) of the time. You need to deploy DMARC!

For more information on how to do this in Office 365, please see this previous blog post: Using DMARC in Office 365.

Now, in this article, I did take a few liberties. The article is not about spoofed messages from the outside but instead hacked accounts from the inside. That is, a hacker broke into someone’s account by stealing his username and password. He then logged into that account and sent a message from his account (i.e., a real message) to someone else. In this case, DMARC wouldn’t work because it is an internal message and would have passed DMARC if it even would have been scanned at all.

Those types of compromises are more difficult to detect so you have to have a product that monitors those sorts of things – intrusion detection and hackers moving laterally. There are a few products out there that do this sort of thing.

Security needs to be done in layers and this article, and this blog post, illustrates why – because the type of detection is different depending on where the threat is coming from.

It’s finally here, the Terry Zink: Security Talk podcast!

This podcast is a short introduction about what this podcast is all about. Who am I? Why am I doing this? And what will I be discussing? Just remember that this is myvery first podcast. There are some issues with quality but I promise they will get better as I go along.

To listen to the podcast (11 min, 47 seconds):

1. You can stream it below by clicking the “Play” button.

2. You can download it locally by right-clicking and clicking “Save As…” (or, this will play in your default music playing software)

Terry Zink: Security Talk, Episode 1

3. Coming soon: links to listen to it on iTunes, Google’s Marketplace and the Windows Store marketplace.

I hope you enjoy it! If you don’t, the second episode will be better.

This podcast is episode 2 of the Terry Zink: Security Talk podcast – The Red Queen theory of cyber security. This goes over my previous blog post here: Blog post - The Red Queen theory of cyber security To listen to the podcast: 1. You can stream it below by pressing the “Play button”: 2. You can download it locally by right clicking and selecting “Save As…” (or, this will play in your default music playing software: Terry Zink: Security Talk, Episode 2 3. You can listen to it on iTunes: https://itunes.apple.com/us/podcast/terry-zink-security-talk/id964400682#

Once again, I hope you enjoy it. If not, I’ll try to do better next time.

There may be some confusion about how Office 365, or Exchange Online Protection (EOP), does SPF checks on incoming email - especially in the case when Customer A sends email to Customer B and both parties are EOP customers. This applies to the case when the sending email account is from a separate mail server, not from a fully hosted mailbox within EOP.

Setting up connectors

Customers who use EOP for sending outbound email typically do it by setting up an Inbound On-premise Connector (that is, to send outbound email through EOP, you need to set up an inbound on-premise connector). For example, suppose CustomerA.com uses the IP 1.2.3.4 to relay outbound email through EOP, they might set up a connector like the following:

You would enter in your connecting IPs and any associated sender domains. I personally recommend adding actual domains and not putting wildcards like *.com, or at least *.customerA.com, because leaving it as a wildcard makes it more susceptible to phishing attacks.

Mail routing and SPF checks in EOP

When customer A sends an email to customer B through the IP 1.2.3.4, the email is relayed out through EOP, relayed back in to EOP, and then routed to customer B (Customer B may be fully hosted, or have an on-premise mailer, it doesn’t matter which). So, the mail loops out and around, like below:

Customer A needs to publish the following TXT record:

customerA.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com ip4:1.2.3.4 -all"

• Customer A must addinclude:spf.protection.outlook.com because when the email goes out to the Internet (e.g., Gmail), or to another EOP customer, EOP or the 3rd party on the Internet (e.g., Gmail) looks to see if the connecting IP is in customerA.com’s SPF record. The connecting IP is EOP’s outbound IP.
  
  
• Customer A also must addip4:<on-premise IPs>into their SPF record because EOP does an SPF check at point (1) above when it scans the email when sending the message outbound. It then does a second SPF check at point (3) when the mail is relayed back into EOP.
  
  Typically, the on-premise IPs in the SPF record are the same ones that you would put into an inbound on-premise connector.

If you do the above, everything will work properly with regards to SPF.

Attribution of outbound email and SPF checks

EOP’s SPF checking for customer-to-customer mail is more complicated than the above.

If you relay outbound email from 1.2.3.4 and the sending domain (e.g., customerA.com) matches the domains you have set up in the connector, this is called an outbound attributed message and the message is attributed to your organization. When sending email from Customer A to Customer B, then at point (3) EOP will use the IP in EOP’s SPF record:

However, if you relay outbound email from 1.2.3.4 and the sending domain (e.g., random.com) does not match any domains you have set up in the connector, this is called an outbound unattributed message and the message is attributed to a default organization – not your own. When sending email from Customer A to Customer B, then at point (3) EOP will use the original sending IP address and not the connecting IP:

This is a change that was introduced in December 2014. It is done to combat phishing and spoofing.

This is most noticeable in two places:

1. When you send email from a subdomain that is not in your list of sender domains.
   
   For example, the inbound on-premise connector lists the domain customerA.com, but you send email from bounce.customerA.com, autoreply.customerA.com, and so forth. These will be unattributed messages and if sending to another EOP customer, the SPF check will use the original sending IP address. However, 3rd parties (e.g., Gmail) will use EOP’s relaying IP address.
   
   
2. When your on-premise mail servers sends bounces, auto-replies, or other messages with an empty 5321.MailFrom, <>.
   
   An empty SMTP MAIL FROM will always be an unattributed message. See the next section to see how EOP handles this.

Background

Spammers frequently forge the "From" address on email messages so the spam appears to come from a familiar sender such as your bank or social network, or more dangerously, from your own organization so that it looks like an internal sender. To help prevent this abuse, Exchange Online Protection (EOP) supports DMARC, a protocol that allows domain owners more control over how EOP treats spoofed emails containing their domain.

For example, if your organization is Contoso, with the domain contoso.com, a spammer may send a message like this:

From: “Contoso IT department” <IT@contoso.com>
Subject: Please reset your username and password

DMARC is designed to stop this sort of phishing to protect your users. To see how, check the end of this blog post for some examples.

However, while DMARC does stop phishing, it also means that some legitimate senders will need to update how they send email.

What should senders do?

* Sending outbound email through EOP

With few exceptions, all senders who relay outbound email through EOP (i.e., email originating from your own on-premise server or from your own mailbox hosted within EOP) should send email from domains you own and are provisioned as Accepted-Domains in the Exchange Admin Center, or explicitly listed in an inbound on-premise connector. It is not recommended that you send from domains that you have neither provisioned nor listed in an inbound connector.

* Emails sent on your behalf by others

Emails sent on your behalf by others, such as a bulk email service provider, should be properly set up to authenticate using SPF, DKIM, and DMARC. Failure to set this up will cause email to appear unauthenticated and may generate false positives, especially if the mail is sent to your domain and your domain is protected by EOP.

* Sending email on behalf of others

If you are sending email messages on behalf of a domain that you do not own that publishes a DMARC record with policy p=reject (for example, @yahoo.com, @aol.com, @paypal.com), your messages will be marked as spam when sending to another EOP tenant or may even be rejected due to failed authentication, both when sending to EOP and when sending to 3^rd party receivers.

There are common cases when this occurs:

• EOP customers that send email on behalf of other companies
• Services coordinating groups of people, like mailing lists, sports teams, online courses
• Websites where visitors may share with their friends via email, like news and shopping sites
• Other small business services, including business web portals and calendaring solutions, that send mail between customers and businesses
• ISPs and other mailbox services that allow their customers to send mail with addresses outside the service’s control
• Forwarding email into Office 365 and then subsequently redirecting it to another service

If you are sending on behalf of a business, what should you do?

Customers should send from domains that they control, therefore we recommend that you move to sending mail from their own domain.

From: “Example Sender” <example@contoso.com>
To: “Target Receiver” <recipient@fabrikam.com>
Subject: Test message

Another solution is to use the Reply-To field to direct replies to the address of the domain you do not control, but send from your own domain.

From: “Example Sender” <example-sender@contoso.com>
Reply-to: “Example Sender” <example-sender@outlook.com>
Subject: Sending on behalf of another

In the example above, your organization owns contoso.com but does not own outlook.com.

If you are a mailing list owner, what should you do?

For mailing lists, it is recommended to fill the From: line with the mailing list's address rather than the sender's and put the actual sender’s address into the Reply-To: line. This will change the reply behavior.
If your website provides the ability to share items in email, what should you do?

For website operators with 'share from email' functionality, use an email address from your own domain as the From: address and populate the Reply-To: line with the address of the person sharing.

For example:

From: “Example Sender” <noreply@sharing.example>
Reply-to: “Example Sender” <example-sender@outlook.com>

If you are an EOP customer and you get false positives due to DMARC, what should you do?

To determine if a message delivered to you is marked as spam due to DMARC, you will see the following in the message headers:

Authentication-results: protection.outlook.com; spf=pass
(sender IP is xx.xx.xx.xx) smtp.mailfrom=user@contoso.com
dkim=none (message not signed) header.d=none; dmarc=fail
action=quarantine header.from=contoso.com;

The action= will be either action=quarantine, action=oreject, or o.reject (the “o” means that the message failed DMARC with a policy of reject but EOP overrode the reject action and instead marked the message as spam). If you are receiving messages marked as spam because DMARC is failing, it is either because the message is sent by a spammer trying to impersonate a trusted brand, or it is sent from a legitimate sender but the domain in the header.from is not properly configured for DMARC.

To work around this:

1. Individual end users can add a safe sender for the sender which will deliver the message to the inbox, however, this may result in phishing messages getting through in the event that a spammer sends to a user, spoofing an email address on the user’s safe sender list.
   
   
2. Administrators can create an IP Allow for the sender which will deliver the message to the inbox. This may result in unwanted email getting delivered if the sending IP address also sends spam.
   
   
3. If the messages are failing DMARC but shouldn’t be, open up a support ticket with Office 365 providing examples of messages that are failing DMARC. 
   
   For regular business customers:
   https://support.office.com/en-us/article/Contact-Office-365-for-business-support-32a17ca7-6fa0-4870-8a8d-e25ba4ccfd4b?CorrelationId=c72141db-67a0-4417-a882-19a40408e252&ui=en-US&rs=en-US&ad=US

For Premier customers:
https://premier.microsoft.com/ or through your Technical Account Manager

The above guidance will help ensure that your domains are protected from spam and phishing, but at the same time ensure that you can receive email from the senders you want.

Related links:

• Customize an SPF record to validate outbound email sent from your domain https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
  
  
• Support for validation of DKIM signed messages
  https://technet.microsoft.com/en-us/library/dn720849(v=exchg.150).aspx
  
  
• How Office 365 does SPF checks for customer-to-customer mail
  http://blogs.msdn.com/b/tzink/archive/2015/02/26/how-office-365-does-spf-checks-for-customer-to-customer-mail.aspx
  
  
• How to use DMARC in Office 365
  http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx

DMARC keeps phishing messages out of user’s inboxes by examining parts of a message and seeing if they are authenticated and aligned. If not, it checks the spoofed domain’s organizational policy for what action to take on the message. In other words, DMARC asks “What should I do with this message if it fails DMARC?”

DMARC does this by:

1. Checking to see if the message passes SPF or DKIM.
   
   
2. Checking to see if the message From: address (5322.From address) has a DMARC record.
   
   
3. If so, checks to see if the domain that passed SPF or the domain in the d= field in the DKIM signature aligns with (is equal to or is a subdomain of) the domain in the 5322.From address. If so, the message passes DMARC. If not, the message fails DMARC.

Here’s an example of a message passing DMARC:

Return-Path: <big_long_string>@bounces.amazon.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=v52wzeq2nhi2ivaga2mkkcxigoeqeycs; d=amazon.com; t=1425394122;
  h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
  bh=<snip>
Authentication-Results: spf=pass (sender IP is 54.240.15.175)
 smtp.mailfrom=<big_long_string>@bounces.amazon.com;
 contoso.com; dkim=pass (signature was verified)
header.d=amazonses.com;contoso.com; dmarc=pass action=none
header.from=amazon.com;

From: “Amazon Local” <LocalDeals @ amazon.com>Subject: Adult Tennis Clinics | Online Game Design Training | and 3 more

In the above:

• The message passed SPF with the 5321.MailFrom domain bounces.amazon.com.
  
  
• The message passed DKIM with a d= domain of amazonses.com.
  
  
• The domain in the 5322.from is amazon.com with the following DMARC record:
  
  _dmarc.amazon.com. 900 IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-reports@bounces.amazon.com"
  
  
• Because bounces.amazon.com passed SPF, and bounces.amazon.com is a subdomain of amazon.com, this message passes DMARC. The DKIM domain amazonses.com would not be enough to pass DMARC because amazonses.com does not align with amazon.com.

By contrast, here’s an example failing DMARC. It is very similar to the above except it comes from a phisher:

Return-Path: malicious@spamlink.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=v52wzeq2nhi2ivaga2mkkcxigoeqeycs; d=amazon.spamlink.com; t=1425394122;
  h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
  bh=<snip>
Authentication-Results: spf=pass (sender IP is 54.240.15.175)
 smtp.mailfrom=<big_long_string>@spamlink.com;
 contoso.com; dkim=pass (signature was verified)
header.d=amazon.spamlink.com;contoso.com; dmarc=fail action=quarantine
header.from=amazon.com; 

From: Amazon Local <LocalDeals @ amazon.com>
Subject: Password reset – please login to your account within 24 hours

In the above, the message looks it came from Amazon but DMARC detected that it didn’t:

• The message passed SPF with the 5321.MailFrom domain spamlink.com.
  
  
• The message passed DKIM with a d= domain of amazon.spamlink.com.
  
  
• The domain in the 5322.from (header.from) is amazon.com with the following DMARC record:
  
  _dmarc.amazon.com. 900 IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-reports@bounces.amazon.com"
  
  
• Even though spamlink.com passed SPF, and the domain in the d= signature spamlink.com passed DKIM, the message does not pass DMARC because amazon.com does not align with either of those domains.

This is good for users because it keeps phishing messages out of the inbox.

Background

One of the pieces of advice I frequently give these days to organizations is for domains to set up DMARC records, and implement a hard fail in their SPF record. This is straightforward for smaller organizations that know all of their email servers, but harder for large organizations.

Why?

Because in a large organization, there is usually no centralized person or department who is in charge of approving or organizing all 3rd party senders. For example, suppose Woodgrove Bank uses the domain @woodgrovebank.com and they are a customer of Office 365. They relay email through Office 365 from their own on-premise mail server so they set up an SPF record like this:

woodgrovebank.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com ip4:1.2.3.4 ~all"

They publish a soft fail in the SPF record which tells 3rd party email receivers that if email with @woodgrovebank.com arrives outside of the IPs defined in this record, accept the message but mark it in some way which in practice means “accept the message.” For much of the Internet, a soft fail provides very little protection.

Why the resistance to publishing a stronger SPF record, like hard fail?

The reason organizations resist is because IT departments don’t want to lose legitimate email. For example, the mortgage department at Woodgrove Bank has contracted out a 3rd party bulk email providers (for example, SendGrid) to send out email notifications to their customers who have mortages with them. They send email this way:

Sending IP: 198.37.144.99 (SendGrid outbound IP)
SMTP MAIL FROM: mortgages@woodgrovebank.com
From: Woodgrove Bank Mortgages <mortgages@woodgrovebank.com>
Subject: Refinance rates have dropped below 4%

Another department, the anti-fraud department who does credit check monitoring for customers who want to pay for it, use a 3rd party hosting service like Windows Azure to do all of their analysis, and have set up a mail server to automate when they detect fraudulent activity. They send email like this:

Sending IP: 191.235.211.144 (Azure public IP)
SMTP MAIL FROM: antifraud@woodgrovebank.com
From: “Woodgrove Bank Fraud Notification” <antifraud@woodgrovebank.com>
Subject: We have detected suspicious activity on your account

Yet another department, the one that sends out notices that a customer’s monthly statement is available. They are located in Omaha, Nebraska whereas the main office is located in San Francisco. That team has set up a mail server in the Omaha building and sends email direct to the Internet, to banking customers where their statements are ready. They send email like this:

Sending IP: 2.3.4.5
SMTP MAIL FROM: statements@woodgrovebank.com
From: “Woodgrove Bank” <statements@woodgrovebank.com>
Subject: Your March statement is available

Nobody in the IT department is sure what else is going out to the world as @woodgrovebank.com, but they do know that if spam filters start blocking their email that it will negatively affect their business. At Microsoft, we get people pinging us all the time that their email is not getting through our filters (Hotmail/outlook.com and Office 365). Businesses are very sensitive to delivery.

You can see in the above examples that none of the sending IPs are in Woodgrove Bank’s SPF record. Each of them is failing SPF authentication but fortunately, since the SPF record says soft fail, 3rd party email receivers are still accepting the message.

Unfortunately, by publishing a soft fail, spammers and phishers can similarly send messages spoofing Woodgrove Bank. This has the following negative side effects:

• Woodgrove’s customers to lose their credentials and result in the phisher stealing money
• Woodgrove’s customers may inadvertently become part of a botnet by installing malware
• Woodgrove employees themselves may be spoofed by a spear phish because the phisher is impersonating an internal message sent by another employee.

This third category is the most damaging type of phishing message.

So, how should Woodgrove Bank set up SPF records to align with 3rd parties?

Here’s how to do it [1]:

1. Set up a designated subdomain and put 3rd party IPs into its SPF record

For 3rd party mail servers, designate a subdomain such as email.<domain>, messages.<domain>, etc. Put all 3rd party mail services in there that are not under the control of the organization and update the SPF record to hard fail. This includes bulk senders as well as third party hosting services. For example:

email.woodgrovebank.com. 3600 IN TXT "v=spf1 include:sendgrid.net ip4:191.235.211.144 -all"

Anyone who sends email from these third parties must send email with an SMTP MAIL FROM of @email.woodgrovebank.com and preferably a From: address of @email.woodgrovebank.com.

Sending IP: 198.37.144.99 (SendGrid outbound IP)
SMTP MAIL FROM: mortgages@email.woodgrovebank.com
From: Woodgrove Bank Mortgages <mortgages@email.woodgrovebank.com>
Subject: Refinance rates have dropped below 4%

Sending IP: 191.235.211.144 (Azure public IP)
SMTP MAIL FROM: antifraud@email.woodgrovebank.com
From: “Woodgrove Bank Fraud Notification” antifraud@email.woodgrovebank.com
Subject: We have detected suspicious activity on your account

Sending from a specified SMTP MAIL FROM requires coordination with the 3rd parties – you must tell them to send email this way. You must also co-ordinate with the other internal teams that have chosen to use 3rd party infrastructure to send email this way, too.

You don’t have to put everyone into the same subdomain. You can use two or three different subdomains.

2. Put all the IPs you control into your organizational domain SPF record

For email infrastructure IPs that the organization controls, and Office 365 IPs (if you use it to send outbound email), put them in the organizational domain’s SPF record and set the SPF record to hard fail:

woodgrovebank.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com ip4:1.2.3.4 ip4:2.3.4.5 -all"

Anyone sending email from this infrastructure can send with the organizational domain:

Sending IP: 2.3.4.5 (IP controlled by Woodgrove Bank)
SMTP MAIL FROM: statements@woodgrovebank.com
From: “Woodgrove Bank” <statements@woodgrovebank.com>
Subject: Your March statement is available

Sending IP: 157.56.110.69 (Office 365 outbound IP)
SMTP MAIL FROM: joe.employee@woodgrovebank.com
From: “Joe Employee” <joe.employee@woodgrovebank.com>
Subject: Your March statement is available

3. Set up a DMARC record for the organizational domain

Setup DMARC records for woodgrovebank.com. If you’re not confident you’ve gotten all the sending mail servers inventoried, set up a less aggressive policy:

_dmarc.woodgrovebank.com.   3600    IN      TXT     "v=DMARC1; p=none; pct=100; rua=<…>; ruf=<…>; fo=1"

For the rua and ruf values, those are email addresses you would set up to receive DMARC feedback and aggregate reports. If you don’t want to sort through it yourself, there are some good companies out there who provide these services to help you authenticate and secure your brand.

If you’re confident you’ve gotten all the sending mail servers inventoried, set up a more aggressive policy. I would do this once you're confident all of your internal mail servers are covered by your SPF records, your 3rd party mail servers are covered by your delegated subdomain’s mail servers, and you sign your email with DKIM so that forwarded email from your domain survives forwarding.

_dmarc.woodgrovebank.com.   3600    IN      TXT     "v=DMARC1; p=reject; pct=100; rua=<…>; ruf=<…>; fo=1"

You can optionally ramp up slowly by playing around with the pct=xx value:

_dmarc.woodgrovebank.com.   3600    IN      TXT     "v=DMARC1; p=reject; pct=25; rua=<…>; ruf=<…>; fo=1"

You can also set up a DMARC record for the subdomain but it isn’t necessary unless you want it to have a different DMARC policy but that’s outside the scope of this article.

There is no additional co-ordination required with internal teams or 3rd parties. Messages coming from @woodgrovebank.com and @email.woodgrovebank.com will authenticate with SPF (and hopefully DKIM if you’ve set it up), and they will pass DMARC because you’ve already set up the delegated subdomain!

That means that the messages that come from you really do come from you – and any hacker that spoofs @your_domain will see their message rejected or marked as spam. It doesn’t matter if they spoof the SMTP MAIL FROM or the 5322.From: address. You can keep your business’s customers safe and you can keep your own internal infrastructure safe.

That is a great benefit of DMARC.

4. Add more IPs to the designated SPF records as required

Once you’ve set up SPF hard fail and DMARC reject records, no one will be able to spoof your domain unless there is a manual override like a safe sender at the receiving end. But what happens if another internal team spins up a mail server and starts sending email?

It will not get delivered.

They will then have to come to you (i.e., your IT department) and ask why their mail is not getting delivered. You can then add their IP to the SPF record if from an internal server, or to the delegated subdomain if 3rd party, and then it will work.

There’s a little bit of ramp up time but it works. And, it keeps your domain secure.

* * * * * * * * * * * * * * *

That brings us to the end of how to align your organization to properly authenticate and send email so it is secure, but also ensuring that the email you need to get delivered does actually get delivered.

I hope you find it useful.

Related links:

• Best practices for Exchange Online customers to align with DMARC
  http://blogs.msdn.com/b/tzink/archive/2015/03/03/best-practices-for-exchange-online-protection-customers-to-align-with-dmarc.aspx
  
  
• How to use DMARC in Office 365
  http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
  
  
• Customize an SPF record to validate outbound email sent from your domain
  https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
  
  
• How Office 365 does SPF checks for customer-to-customer mail
  http://blogs.msdn.com/b/tzink/archive/2015/02/26/how-office-365-does-spf-checks-for-customer-to-customer-mail.aspx
  
  
• Support for validation of DKIM signed messages
https://technet.microsoft.com/en-us/library/dn720849(v=exchg.150).aspx

This podcast is episode 3 of the Terry Zink: Security Talk podcast – The psychology of spamming.  It is a podcast version based on a presentation I did at the Virus Bulletin 2010 conference in Vancouver, and also a series of blog posts I wrote on it.

Or, you can stream it below by pressing the “Play” button (this will autoplay no matter what in the Chrome browser unless you’ve disabled that option in your settings, Internet Explorer and Firefox do not autoplay).

This podcast is episode 4 of the Terry Zink: Security Talk podcast. It’s based upon a blog post I wrote 15 months ago.

Or, you can stream it below by pressing the “Play” button (this will autoplay no matter what in the Chrome browser unless you’ve disabled that option in your settings, Internet Explorer and Firefox do not autoplay).

Exchange Online Protection (EOP), aka Office 365, is going to be making a small change to its behavior for inbound anonymous (i.e., not sent over TLS) email sent over IPv6. Luckily, for customers with IPv6 enabled, no action is required.

Currently, we require the following for senders over IPv6:

1. The sending IPv6 address must have a PTR record. If it does not, the service will reject the message with the permanent reject error:
   
   550 5.7.25 Service unavailable, sending IPv6 address [$SenderIPAddress] must have reverse DNS record.
   
   
2. The sending email must pass SPF or DKIM verification. If it does not, the service will reject the message with the permanent reject error:
   
   554 5.7.26 Service unavailable, message sent over IPv6 must pass either SPF or DKIM validation.

The change we are making is regarding #2. Starting April 24, 2015, if a message does not pass SPF or DKIM, the service will reject with the following temporary reject error:

450 4.7.26 Service unavailable, message sent over IPv6 must pass either SPF or DKIM validation.

In other words the 550 becomes 450, and 5.7.26 becomes 4.7.26. If a sender sends a message over IPv6 that doesn’t pass SPF or DKIM, rather than failing because of the 5xx reject, it should retry at the next available MX record which is IPv4. That is, for a customer like contoso.com who has enabled receiving email over IPv6, their MX record looks like the following:

contoso.com.        3599    IN    MX    5 contoso-com.mail.protection.outlook.com.

Which resolves to:

contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.138
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.215
contoso-com.mail.protection.outlook.com. 9 IN    A 207.46.163.170
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::1:10
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c09::11
contoso-com.mail.protection.outlook.com. 9 IN    AAAA 2a01:111:f400:7c10::10

A sending mail server that is dual stack (sends over IPv4 and IPv6) will try the AAAA-records first and will bounce the message if it doesn’t send with SPF or DKIM passing. When it receives the 4xx, it will  retry (that is, it will if its RFC-compliant and is properly configured). When it next finds the A-record (IPv4), it will not be rejected since SPF or DKIM is not required for IPv4, although we encourage all senders to authenticate their email.

IPv6 still requires the same conditions above, however, the new implementation now allows for automatic failover at the sending MTA level instead of issuing a hard bounce and prompting the domain administrator to set up SPF or DKIM.

• Support for anonymous inbound email over IPv6
  http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx
  
  
• A workaround for receivers over IPv6 who receive unauthenticated email (this workaround is now less useful now that we have done the change above)
• http://blogs.msdn.com/b/tzink/archive/2014/12/06/a-workaround-for-receivers-who-want-anonymous-inbound-email-over-ipv6-but-receive-a-lot-of-unauthenticated-email.aspx
  
  
• How to create Allow rules for senders in Office 365 over IPv6
  http://blogs.msdn.com/b/tzink/archive/2014/10/28/how-to-create-allow-rules-in-office-365-for-senders-over-ipv6-and-also-for-ipv4.aspx

If you’ve talked to me in person over the past few months, you may have heard me talk about this. But if not, I’ll talk about it in this blog post and what it means.

Some background

Exchange Online Protection (EOP), the mail filtering branch of Office 365 (I use the terms interchangeably) is the email-for-enterprise part of Microsoft. EOP originally started off as Frontbridge Technologies, based out of Los Angeles. It was acquired by Microsoft in 2005 and was renamed a few times, most recently as Forefront Online Protection for Exchange (FOPE). All of the backend infrastructure of FOPE has been retired and EOP is entirely built on a different platform.

Hotmail was acquired by Microsoft in the 1990’s and a couple of years ago was rechristened as outlook.com, which I will heretofore refer to as “consumer”. It ran on a different filtering stack, and email filtering technology, than EOP/FOPE. We shared some technology but not that much as the email in consumer is different than the email in enterprise. Furthermore, the architectural differences between the two made sharing technologies difficult even if we wanted to share. While we negotiated third party vendor contracts as a company, we each implemented them differently.

Over the past several months, the two teams merged – Hotmail and EOP together at last. That’s all well and good, the two teams are together. But what next?

The way forward

The next step is to merge the two platforms. I would argue that Hotmail’s spam filter technology is more advanced than EOP’s (but not in all aspects) but that EOP’s backend platform is more advanced than Hotmail’s (although not necessarily in all aspects). For example, Hotmail only started supporting TLS in either 2013 or 2014 but FOPE/EOP has supported it for at least a decade. Furthermore, the mailbox infrastructure in EOP is more suitable for redundancy, failover, and message tracing.

So, starting six months ago and continuing into the foreseeable future, Hotmail is moving onto the EOP infrastructure and it is an absolutely massive undertaking. We have to ensure all of the features that we available in Hotmail are supported in EOP – that includes MTA, spam filter, and web UX – and then we have to ensure that EOP is properly equipped to handle a 5x (?) increase in load. EOP’s infrastructure is “heavier” than Hotmail’s because the requirements for enterprise (i.e., redundancy, queuing) are more demanding.

Some challenges

Hotmail is also a different customer than any other tenant in EOP. One of EOP’s strengths is its geolocale feature – customers are provisioned in a particular geo-region. If you’re based in North America, all of your email flows through data centers in North America. If you’re based in Europe, all of your email flows through Europe.

However, Hotmail has a global footprint. That means that a single customer has to span every single geo-region. We don’t have any customers like that currently.

One of the big benefits for Hotmail/outlook.com users is that if they are both users of that service and then for Office 365, they get the same platform and look-and-feel in both. The UX is the same, and they integrate a lot better. You can move from one to the other without having to relearn a bunch of things.

In addition, antispam technologies that work in one can move to the other since the backend is the same. Because the pipes that plug into both are both now hooked up to each other (sort of; it’s not quite this simple) we can leverage technology between the two a lot better. The two services probably won’t use the same filter, but each will have parts in common.

The drawback of migration is that it means we have to devote a lot of time and resources towards migrating users, and this results in opportunity cost of not being able to do new features that can help improve the overall customer experience. Having been through two (!) rewrites already before this, that’s frustrating for me. But in the end, having two services running on different stacks is unsupportable.

What I’m working on that relates to this

Unlike many other members of my team, I am peripherally involved in the migration of Hotmail-to-EOP. The biggest ones I am doing:

1. The Safety UX
   
   Hotmail has a green shield for senders who are heavily spoofed but authenticate, but Outlook Web Access (OWA) does not. I’m working on overhauling the safety experience in OWA so that users can know why a message is marked up the way it is, and then carry over this experience to enterprise and not only in consumer.
   
   
   
2. Backscatter protection with Boomerang
   
   You’ve heard me talk about Backscatter protection with Boomerang before. We just released it enterprise, and it’s a necessary component before migrating consumer mailboxes.
   
   
   
3. DKIM and DMARC
   
   EOP already supports inbound DKIM verification, but so does outlook.com. EOP supports DMARC and so does outlook.com, but EOP does it a little differently (I have other blog posts that explain the difference). However, EOP has yet to turn on DMARC reports, we have to fix a couple of items in the Exchange MTA before we do. Then we will be at parity with Hotmail.
   
   But even more than that, EOP is currently working on DKIM-signing (it’s on our public roadmap). Eventually, when Hotmail moves over to EOP I’d like to get it to start signing with DKIM. That will be an improvement to the Hotmail service, rather than a simple migration.
   
   People sometimes ask me “Does Hotmail plan to create a DMARC record with p=reject the same way that Yahoo and AOL do?”
   
   My response is non-committal. Before we can look at that, we need to get the fix in Exchange completed to preserve message content. We can deploy this fix in Office 365, but we also need to push it to various versions of on-premise Exchange server; what versions do we push it to? How much uptake is enough? Next, we need to sign all mail in Hotmail with DKIM which means we have to migrate the entire user base of Hotmail over to EOP. Then, we have to measure and assess the potential impact.
   
   So before I can even answer the question, I need to know what will happen if we do and then do a cost/benefit analysis and as you can see, it’s a long path forward.

So, that’s part of what’s happening with Office 365 and outlook.com right now. It’s not everything that’s going on with the service but it is a big part of it.

A few weeks ago, we rolled out NDR backscatter protection with Boomerang for hosted mailboxes in Office 365, and that change is going live this week for customers with on-premise mail servers.

Next up is a feature that builds on top of Boomerang – NDR backscatter storm prevention.

What is an NDR backscatter storm?

Well, normally when a spammer spoofs you and sends a message elsewhere on the Internet, and that elsewhere bounces the message back to you, that’s backscatter. If a single message or two lands in your inbox, that’s annoying.

However, if a spammer spoofs you and sends 10,000 messages as you and all of them bounce back and land in your inbox, that’s not just annoying – it renders your email inbox unusable because all of the NDRs overwhelm the rest of the messages. You can’t find anything. It also slows down your mailbox because of the high volume of messages in there. It’s a situation some people within Microsoft experienced a few weeks ago.

Now that we have Boomerang protection, these types of NDR backscatter messages will get marked as spam. That helps keep your inbox clean but it fills up your junk mail folder or spam quarantine. That, too, can slow down your mailbox or make it difficult to look through for an actual message you may have missed. It’s a Denial-of-service attack on a human; a machine can handle that load of messages but a human cannot.

Where NDR backscatter storm prevention helps is that it can automatically detect if you’re getting a storm of backscatter messages within a short period of time. If so, the first 10 messages get marked as spam but the rest of the storm is deleted. It neither lands in your inbox nor your junk folder (or spam quarantine), the messages are dropped. You can tell when this happens because you’ll see a bunch of NDRs in your junk folder that are all identical. But those NDRs represent only a fraction of what would have hit you. The service has gotten in the way and prevented further delivery.

Image taken from here.

The deleted messages still show up in a message trace with the action that the service took, so you can still see what happened to them. That is, there is still visibility into these types of messages and the route after they were accepted by the service.

This scenario is definitely a corner-case. The number of people this affects is small – it’s only likely to happen with a mail bomb where someone gets mad at someone else and spoofs their email address in an attempt to DOS them with NDRs [1]. But when it happens, it’s frustrating to the person it’s happening to.

And now [2] we have protection for it.

[1] While adaptable for other cases of mail bomb campaigns, the feature right now is only addressing NDR backscatter attacks.

[2] By “now”, I mean we are in the process of rolling it out and should be available by the end of May 2015.

If you’ve talked to me in person over the past few months, you may have heard me talk about this. But if not, I’ll talk about it in this blog post and what it means.

Some background

Exchange Online Protection (EOP), the mail filtering branch of Office 365 (I use the terms interchangeably) is the email-for-enterprise part of Microsoft. EOP originally started off as Frontbridge Technologies, based out of Los Angeles. It was acquired by Microsoft in 2005 and was renamed a few times, most recently as Forefront Online Protection for Exchange (FOPE). All of the backend infrastructure of FOPE has been retired and EOP is entirely built on a different platform.

Hotmail was acquired by Microsoft in the 1990’s and a couple of years ago was rechristened as outlook.com, which I will heretofore refer to as “consumer”. It ran on a different filtering stack, and email filtering technology, than EOP/FOPE. We shared some technology but not that much as the email in consumer is different than the email in enterprise. Furthermore, the architectural differences between the two made sharing technologies difficult even if we wanted to share. While we negotiated third party vendor contracts as a company, we each implemented them differently.

Over the past several months, the two teams merged – outlook.com and EOP together at last. That’s all well and good, the two teams are together. But what next?

The way forward

The biggest advantage of bringing the two teams together is combining technologies where it makes sense. Techniques that work in one can move to the other; the two services probably won’t use the same filter, but each will have parts in common. Outlook.com’s email profile is not the same as Office 365 – consumer email is different than enterprise email and therefore what works in one may not work in the other. Techniques apply but perhaps not at the same level of aggressiveness.

One example is DMARC. In outlook.com, it follows the DMARC spec by rejecting messages that fail if the sending domain has p=reject. However, Office 365 marks it as junk and sets the phishing confidence level to 9, and then lets the Outlook mail client disable links, attachments, and Reply/Reply All.

What I’m working on that relates to this

So where do I fit into all this? The biggest pieces I am doing:

1. The Safety UX
   
   Outlook.com has a green shield for senders who are heavily spoofed but authenticate, but Outlook Web Access (OWA) does not. I’m working on overhauling the safety experience in OWA so that users can know why a message is marked up the way it is, and then carry over this experience to enterprise and not only in consumer.
   
   
2. Backscatter protection with Boomerang
   
   You’ve heard me talk about Backscatter protection with Boomerang before. We just released it enterprise, and it’s a necessary component before migrating consumer mailboxes.
   
   
3. DKIM and DMARC
   
   EOP already supports inbound DKIM verification, but so does outlook.com. EOP supports DMARC and so does outlook.com, but EOP does it a little differently (I have other blog posts that explain the difference). However, EOP has yet to turn on DMARC reports, we have to fix a couple of items in the Exchange MTA before we do.
   Then we will be at parity with outlook.com.
   
   But even more than that, EOP is currently working on DKIM-signing (it’s on our public roadmap). Eventually, when outlook.com moves over to EOP I’d like to get it to start signing with DKIM. That will be an improvement to the Hotmail service, rather than a simple migration.
   
   People sometimes ask me “Does outlook.com (or Hotmail) plan to create a DMARC record with p=reject the same way that Yahoo and AOL do?”
   
   My response is non-committal. Before we can look at that, we need to get the fix in Exchange completed to preserve message content. We can deploy this fix in Office 365, but we also need to push it to various versions of on-premise Exchange server; what versions do we push it to? How much uptake is enough? Next, we need to sign all mail in Hotmail with DKIM which means we have to migrate the entire user base of Hotmail over to EOP. Then, we have to measure and assess the potential impact.
   So before I can even answer the question, I need to know what will happen if we do and then do a cost/benefit analysis and as you can see, it’s a long path forward.

So, that’s part of what’s happening with Office 365 and outlook.com right now. It’s not everything that’s going on with the service but it is a big part of it.

If you’re a customer of Office 365, you know that you’ve been protected by DMARC for the past several months. But you may have a question if you look at the email headers. What is this dmarc=bestguesspass that is sometimes seen in the Authentication-Results headers?

Maybe something like this:

From: Joe User <joe@contoso.com>
Authentication-Results: spf=pass (sender IP is 1.2.3.4)  
  smtp.mailfrom=example.com; dkim=pass (signature was verified)
  header.d=example.com; dmarc=bestguesspass action=none 
  header.from=example.com;

What is this and what does it mean? The DMARC best guess pass is unique to Exchange Online Protection. It means that the domain in the From: address does not have a DMARC record but it would have passed DMARC if it did. This is only for the case where it would have passed DMARC, there is nothing for the negative case where it would have failed.

In this case, example.com passed SPF and DKIM and has no DMARC record, but you can see that the From: domain contoso.com aligns with both the SPF and DKIM verified domains (it only needs to align with one of those, just like regular DMARC).

It doesn’t mean that example.com is a good sender or a bad sender, it just means that what shows up in the From: address in your mail client aligns with the domain that was verified. I like to think of it as “This domain is doing the right things. When does it plan to set up DMARC for real?”

It can be useful for creating Transport rules to allow email from a domain. Rather than allowing a sender of example.com, you might create a Transport rule that looks for the Authentication-Results header with the text dmarc=bestguesspass action=none header.from=example.com. In this way, you know you are always trusting the domain rather than a spoofed domain. You can also create a rule that looks for just the normal DMARC result dmarc=pass action=none header.from=example.com.

Not every domain publishes DMARC records. For the ones that don’t but would align with a domain that authenticates, this result will let you know.

Related links:

• How to use DMARC in Office 365
  http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
  
  
• Best practices for Exchange Online customers to align with DMARC
  http://blogs.msdn.com/b/tzink/archive/2015/03/03/best-practices-for-exchange-online-protection-customers-to-align-with-dmarc.aspx
  
  
• How to align with SPF and DMARC for your domain if you use a lot of 3rd parties to send email as you
  http://blogs.msdn.com/b/tzink/archive/2015/03/13/how-to-align-with-spf-and-dmarc-for-your-domain-if-you-use-a-lot-of-3rd-parties-to-send-email-as-you.aspx