Office 365 - open spam relay (if sent to any 365 recipient)

Anonymous
2017-08-16T20:23:12+00:00

Whilst testing/diagnosing a new connector for one of my customers, I've found that 365 is working as an open relay!?!  eh?!

Using the SMTP admin tool https://www.adminkit.net/smtp_diag_tool.aspx from a "real" IP address (e.g. not blacklisted) - I've found I can send emails off 365 to anyone who has a 365 account

e.g. server:  xxxxxx-co-uk.mail.protection.outlook.com    port=25   no authentication 

from address: anything; to address: anything AS LONG AS HOSTED ON 365. Any tenancy. (e.g. ******@gmail.com won't work, but ******@mydomain.com will work.) The domain of the "to" address does not need to match the SMTP server.

and this tool sends the email!  (OK may be flagged as spam, but 365 should not relay it at all!)

If sending from ******@365domain.com, this DOES NOT appear in their email trace, but it appears as if it was sent by the person you put as the sender.

Adding a connector for the sending IP to my customer's tenancy and then sending again with the same details, this DOES appear in the email trace (and gets the signature applied).

So I know what I'm doing, and with the connector it works fine and as expected.  But without any connector the email still gets sent, and does not appear in any tenant logs.

In other words, 365 is accepting and relaying everything it is asked to any 365 user - and only going "via" your 365 trace if the connector is there for your IP.  But without the connector, it still gets sent.

So it is, in effect, an open relay (!)  albeit only if recipient  is on 365 somewhere.

Log:

(Sending using the test tool, with 365 as the SMTP server, using the 365 host for any hosted domain (e.g. xxxxxx-co-uk.mail.protection.outlook.com). No authentication.)

IPs and emails changed, but you get the idea. 

THIS SENDING ADDRESS IS NOT ON ANY CONNECTION ON 365 (as far as I am aware!)

Received: from AM4PR0401MB1857.eurprd04.prod.outlook.com (10.165.245.20) by
 VI1PR0401MB1870.eurprd04.prod.outlook.com (10.165.235.24) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.1.1341.21 via Mailbox Transport; Wed, 16 Aug 2017 19:57:44 +0000
Received: from DB6PR04CA0032.eurprd04.prod.outlook.com (2603:10a6:6::45) by
 AM4PR0401MB1857.eurprd04.prod.outlook.com (2a01:111:e400:7a71::20) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1341.21; Wed, 16
 Aug 2017 19:57:43 +0000
Received: from LO2GBR01FT003.eop-gbr01.prod.protection.outlook.com
 (2a01:111:f400:7e15::209) by DB6PR04CA0032.outlook.office365.com
 (2603:10a6:6::45) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1341.21 via
 Frontend Transport; Wed, 16 Aug 2017 19:57:43 +0000
Authentication-Results: spf=none (sender IP is xxx.xxx.xxx.xxx )
 smtp.mailfrom=testdzfsdfsd.com; mydomain.com; dkim=none (message not
 signed) header.d=none;mydomain.com; dmarc=none action=none
 header.from=testdzfsdfsd.com;
Received-SPF: None (protection.outlook.com: testdzfsdfsd.com does not
 designate permitted sender hosts)
Received: from mycomputer (xxx.xxx.xxx.xxx) by
 LO2GBR01FT003.mail.protection.outlook.com (10.152.42.89) with Microsoft SMTP
 Server id 15.1.1341.23 via Frontend Transport; Wed, 16 Aug 2017 19:57:42
 +0000
To: <******@mydomain.com>
From: <******@testdzfsdfsd.com>
Subject: X-SPAM:   test 6
Date: Wed, 16 Aug 2017 20:57:25 +0100
Message-ID: <******@testdzfsdfsd.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="boundarycQjH8w=="
Return-Path: ******@testdzfsdfsd.com
X-MS-Exchange-Organization-Network-Message-Id: 1fa5950e-cf2e-4ca8-1afe-08d4e4e10e87
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 97f261a3-f1ad-4a6c-a4f9-8c0304414650:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:xxx.xxx.xxx.xxx;IPV:NLI;CTRY:GB;EFV:NLI;SFV:SPM;SFS:(6009001)(8156002)(2970300002)(428002)(189002)(199003)(52294003)(26956009)(189998001)(2876002)(50986999)(54356999)(101416001)(5002050100002)(626005)(2160300002)(25786009)(43003)(86152003)(81156014)(55920200001)(8676002)(55930200001)(81166006)(105586002)(356003)(36756003)(108616004)(2351001)(305945005)(1096003)(564344004)(33646002)(84326002)(6486002)(106466001)(5660300001)(4001070100004)(57986006)(6666003)(6916009)(24736003)(86362001)(5000100001)(7116003)(110136004)(6496005)(5002560100006)(62442003)(17256005)(3346004);DIR:INB;SFP:;SCL:5;SRVR:AM4PR0401MB1857;H:lshpmpro;FPR:;SPF:None;PTR:213-162-123-69.imshan327.adsl.metronet.co.uk;MX:0;A:0;CAT:SPM;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;LO2GBR01FT003;1:2Xhmn5AX7IzsumR80TB6+aNKABR6a2D9aYgfLDsa97WQ+sMIY38t3MbHwM5DF3aa24adN0YInbVj9OAV5A28mli/tdYBPedwTU6dP2OY4Pzuk5Hq5w3aK87Ul4SZbqMe
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 1fa5950e-cf2e-4ca8-1afe-08d4e4e10e87
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(23075)(300000503095)(300135400095)(71702078)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:AM4PR0401MB1857;
X-Microsoft-Exchange-Diagnostics: 1;AM4PR0401MB1857;3:bg5Hb0GlqTNa3mwXZYhs//jN4JPS9gB/O2BKqTgWexbZlWir0S8FyGHs/REQyrzAYjzrGhBNESUvLZVNC8JLDMQGU8/rrle3XdtHRacIFHFNAMbZkUtPdgPQ8EJ64K44zTSJ1y7/KGxMbcI0okl6tnQvxJdaemX9K7L484xuYrVE4HMHg6ufiCH80o8QMCR76zJ9ESSXqm8ZB3Tu9l+IIqc+ZWmqivwMQ/+zdS29d3N7EQ/MhbOBl+xU4e/WKSAuqmvem/vXzF/dFU7kk13UyFimoVdRBZeUX+Y0TK+yPY92AG4dChcMOhjY7630SZNbsmOb5xZQoPGM3KDrHcAK9qR1xnxAWuodKyNppylETQc=;25:i36wbJPSlEbK0Rmn+oBnC+JZjQXayinb5+HkHx5t33cjSOsQ8PlI8qMGM9F0V+t/VmfRXzvEraHGX7M0MlWDeiufl21MtGGFAmVJ0ca1/DwzS5bvDJlLWXQAcjO8zFNypQ0hSMu1/NuJFUx4QG4FfiOoGz9i7/Ul+WSl0l3kBba5Agbm4IoKwIxeKGkRLuyrafpinv2YZCt1l2HymzGhKwaaTAlwnggoxq13zoBWt48bnZb4XuTTs1zsGHJ6g94TSxNDJ1jk1yVJSQIe4gdDy2jUJtQaDdG6dh/+ALETAgAPFmQG/Ey5O/22ZSl8ipjsIX11zpKxmVhHCajB1+JRRg==
X-MS-TrafficTypeDiagnostic: AM4PR0401MB1857:|AM4PR0401MB1857:
X-Microsoft-Exchange-Diagnostics: 1;AM4PR0401MB1857;31:k7lKaT9+BnkBfqyPkJPcUIHqmnvTkyYd+9DmmA7Yg2rL7nSKL6WPTLKbPirzBgEzaBCNzKppnZPCq33aTmzHoqyhsxXYuaccKSBST19nAgkiExjoSaY1td8bu3B06K24FjZGXIu8OWH0t1RhcH6MTYEQ01owzQ1Y842dRaikrHzi0W/j8egyQguXLad0Nz3sQWbvB3DJxFWFvIaHEgjxek25pxUthmlXqLtvI6iIzJc=;4:aSsVbF8WCAV4bpDZ1CdbVSgiSn9bYYVd8TB92w0y+PCu7QbyAeFQ9unoJMNFrupIxHe3ORLACPXtknzygLUMxsY8eHUN5U/agPx+Oeh+K7MdJ6zgZ+e+M7CBg5QrGNnLbffi78CBrQW6ZcOPqjzIFhc000Y5ZsUZklYPzUkRwmOXfO/6FfQZZbbvGYehx4l0alpKpQgKGYInSXZIcID5Z+SHAZcGI/igR/7LX/tcU2T6LjhjEsrarNe5CNhKHyjP
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(601004)(2401047)(13018025)(8121501046)(13016025)(9101536074)(3002001)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:AM4PR0401MB1857;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:AM4PR0401MB1857;
X-MS-Exchange-Organization-SCL: 5
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;AM4PR0401MB1857;23:GQyDJUqGsyqhoxrPk+iBOz+IldqmSdIptiOtsmN?=
 =?us-ascii?Q?AEN/2uIWEquelRUCfC6LGjfOSnO2Zadr/NMYblpErlC/Ki9uBkjUWyaW+yZU?=
 =?us-ascii?Q?NoHM2uz4Bd/mWVSkKSWFDnYXfLpDWG1OPssjOZ/1nJykz8FuQYERaYqYhKk3?=
 =?us-ascii?Q?WgpqTpc6Pd12vpFC3x4ghwnW1Fcgk6473wmDu7EdK2Ux6VreXJrj8zVoE1FI?=
 =?us-ascii?Q?TOBgkzZVpht5mm/rxBovIhX89PR2NzFweHKbWyoBuLt+wpoxlqpiTsNmfFPe?=
 =?us-ascii?Q?A+6F1H77EJ7sLbWt+n3J2jsWnAJGcdla+jWSAijLwfVn30f4RgWbrWD23EOG?=
 =?us-ascii?Q?rMJyKl/RhcCceVL46dzl3327FLDk+w50OBxMDc2x5XJa0K1+2LLxeqE36Frq?=
 =?us-ascii?Q?7GHt+GKYJhGbJEtezCo2Q7XB28oo1QF2BMUg3e8P/TU9Dc9vvLgoaVN3hPVQ?=
 =?us-ascii?Q?rNqcmfO7aIkB3ggxy23UG3f9dV0QYFJctZO+LMhbpvDU1dBKaQyNnTCFj1Ez?=
 =?us-ascii?Q?Fm7/sqeoLSk6bz2lUjlzfPM7w9BeZT8zzEG5bCaLlljMfCZnRhhr248R/hLJ?=
 =?us-ascii?Q?2TjFkCzelBLgEsJkV6YQ165lru77LcAHiXJbnfvecM9DcyRJ+77A/VOc2Hyg?=
 =?us-ascii?Q?dDooXdqrc+I5dYMAyDUVJ0H4l/FThUfurLyu34zR1K0Ev+mZeXUC9ReqfE55?=
 =?us-ascii?Q?bGdUNBKAQd4LCWmzAxDll6NZafKyie+LLZi22pnLgvzID4Vq/JQ0aq5QyrqL?=
 =?us-ascii?Q?A0S0WNzcw0j5JxSVqfnmo3/2D44MazIJgAjlpB1rLVRkxT82I/WeH45O/+k3?=
 =?us-ascii?Q?pkn67JMThtVTE5H6cGRqB/Xx85pYj9EDE4ay3viigrZRJShja0N8rJsINmiv?=
 =?us-ascii?Q?5iJNyA/Pld+mWo9WQksfX8BJXcwXwkORNM+NGIheU2rEcYc9IU0rIwYs27EB?=
 =?us-ascii?Q?nQgRjpMd25qYdzx5k1IjBkTPhuCRujJeTF6bAZVRRh0PtP8s/9Htw8NDwM3K?=
 =?us-ascii?Q?VUaviC6gfoIxuuAPzFT7jD8QIZB0XJjf0dRgm+xqVG0dhjnWLuEKmWgHgrnr?=
 =?us-ascii?Q?0+pnbpbxEdMzTq4a2/jwrxz60cgUdPpsg1KzkU7+T5XCoz0lXeyJkdD921yj?=
 =?us-ascii?Q?fcIY1Z9W4aeeh2JSiLbQZsWNSlTcjQx4vC57hNKQLPgsdErG7NssHcAJumOU?=
 =?us-ascii?Q?mkvGr3F3pSdoJKeDM5rtLoYCHh8TCiSPmCXG+faFJ3IZ59G/YCV4J5HJykqZ?=
 =?us-ascii?Q?xSHPWkiN1gpjLg1X+QpEL4Mx2gddmhsBVBbpj8pCN?=
X-Microsoft-Exchange-Diagnostics: 1;AM4PR0401MB1857;6:4Y/6nZpnleFtzdotFtOE4yWF4LPpoVPmc3BN2SdKEdg/rAJiW2qJMQnRCXEpC5xglVhyIgI+AQ35anGM4+sXaymD1kp0VXC2A8lcO5CMsHtVNq9HE4WYx3MTVqOYTdyYRZA6McwiQQ/HjBf9GGgZhFApYshu4Yu4rPX+qeENJOlMvC2WeXn85mxPDMoIkqFz8N4+0jXQcqBRySTG3ocsgBAreDvJwFTJhnCzdMjgkQeImNC+N2TFNHvGndzRpbFokpS+bqC5xpb1UkeyE5RD/8s3Nk0IclO9P29TX4ok7T0YjY2U+fL3yPbEiT5oWbs0DLdAt/dPHLo+RHOlsnw6fJtsLZLkBGA0zOwuYx56lfXp+zKT95IejlPF5h1XN7lo;5:/UlY0ISzBZ2lQq3x7XKkbD0NNEwuxaHEcyq6shKkImrj5o6+ctE8mYoV1hfTCxf1x7aSufeZ+jMFowJzXQhF+1x1iDsnFEOMzLLAYci3B29uSdxx5gp7lQbukAHh9VR9isM1gV34coVqfY82tgTKkw==;24:deRTKfnyxvE1xw1i4P/jrvuygjoKOvz4gDeyQ8t5q9IEJ16tg3Z9Lx5kguw10H+7IWsM8i2D/5ErCUFZKIy3rw==;7:kH+eZAwhYcm4KJkbrIcAIBy9VKrVyyFnK5UDlGVfmpsmVdNTM/BHpu1N2VyOsw9HEx+KMy6hFEyid7E52Z8Iar6sgpaybyiRNaA7G1mDmuDrcBjz/XSX1EUdg0l0Vzf3Vcpy2YSeNvx+FIAcBc6PaWKYUO1Nv/HXBcxjZ9AU94AxFy7TIzqsR/l+uZRs7Zc413nq09LzvPediUR/7fLyPYBNogI2yBu1agoC+rwo1KoB7PH8Clim63qi1KHIveHIUOFIQWFVsffiBsgiRs7C8g==
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: Default
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Aug 2017 19:57:42.6404
 (UTC)
X-MS-Exchange-CrossTenant-Id: 97f261a3-f1ad-4a6c-a4f9-8c0304414650
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0401MB1857
X-MS-Exchange-Organization-AuthSource: LO2GBR01FT003.eop-gbr01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.2277080
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1341.017
X-Microsoft-Antispam-Mailbox-Delivery:
 ex:0;auth:0;dest:I;ENG:(400001000128)(400125000095)(20160513016)(750103)(520011016)(400001001223)(400125100095)(61617095)(400001002128)(400125200095);
X-Microsoft-Exchange-Diagnostics:
 1;VI1PR0401MB1870;27:rgVSD31DKuloM0RiR5RtnOIe8FR8pONSzXmgzuN86+/hrpgo2ASoixQp8GKWQzeqmbQKRPrDikfTttUrUtrlI8K+gWrdVziRnE02ucJfuDglCvD5UfM7kazX6blwfD1Z

Locked question. This question was migrated from the Microsoft Support Community.

Answer accepted by question author

  1. Anonymous
    2017-08-19T12:59:50+00:00

    Hello Blue,

    Thanks for your suggestion.

    The server should generally accept any mail to the domain, and the question is then how to route it and check whether it's legitimate. Then we might need to set more settings to prevent receiving spoofed emails, such as setting up DKIM or setting SPF to hard fail.

    Use DKIM to validate outbound email sent from your custom domain in Office 365

    https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx

    How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing

    https://technet.microsoft.com/en-us/library/mt712724(v=exchg.150).aspx

    I appreciate your suggestion and I think you can post this in our feedback website. Providing your feedback is the best way to perfect our products and services. Thanks for your understanding.

    Best Regards,

    Alison

    1 person found this answer helpful.
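The question's header block (spf=none, dkim=none, X-MS-Exchange-Organization-AuthAs: Anonymous, SCL 5, FromEntityHeader: Internet) and the accepted answer's pointer to DKIM and SPF hard fail together describe how a defender separates unauthenticated direct-to-MX mail from mail that actually proved its origin. The following Python is an added example, not code from the question, the answers or Microsoft. It unfolds a header block, pulls out those verdicts, flags an anonymous submission that claims one of the organisation's own domains without SPF or DKIM passing, and includes a minimal SPF evaluator (ip4:, ip6: and all only, no DNS) to show what the SPF result becomes once the domain publishes a -all record. The sample headers, the IP addresses 203.0.113.10 and 198.51.100.0/24, the SPF records and the protected-domain set containing mydomain.com are all constructed for the example.

```python
"""Triage for direct-to-MX mail, modelled on the headers quoted in the question.

parse_auth_headers / classify: read the EOP verdicts and flag anonymous mail that
claims one of our own domains.  spf_check: a minimal SPF evaluator (no DNS) to
show the effect of a hard-fail record.  Every header, IP and record here is
constructed for the example; "mydomain.com" stands in for our own domain.
"""
import ipaddress
import re


def unfold_headers(raw: str) -> dict:
    """Return {lower-case name: [values]}, joining RFC 5322 folded continuation lines."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:          # continuation of previous header
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers


_AR_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_AR_DOMAIN = re.compile(r"\b(smtp\.mailfrom|header\.from|header\.d)=([^;\s]+)")


def parse_auth_headers(raw: str) -> dict:
    """Extract the verdicts a defender looks at first from an EOP-stamped message."""
    h = unfold_headers(raw)
    ar = h.get("authentication-results", [""])[0]
    info = {k: v.lower() for k, v in _AR_RESULT.findall(ar)}
    info.update({k: v.lower() for k, v in _AR_DOMAIN.findall(ar)})
    info["auth_as"] = h.get("x-ms-exchange-organization-authas", [""])[0].lower()
    info["scl"] = int(h.get("x-ms-exchange-organization-scl", ["-1"])[0])
    m = re.search(r"@([\w.-]+)", h.get("from", [""])[0])
    info["from_domain"] = m.group(1).lower() if m else ""
    return info


def classify(info: dict, protected_domains) -> str:
    """'spoofed-internal' is the case SPF -all / DKIM is meant to stop: anonymous
    submission, From in one of our domains, and neither SPF nor DKIM passed."""
    authenticated = info.get("spf") == "pass" or info.get("dkim") == "pass"
    claims_our_domain = info["from_domain"] in protected_domains
    if info["auth_as"] == "anonymous" and claims_our_domain and not authenticated:
        return "spoofed-internal"
    if not authenticated:
        return "unauthenticated-external"   # the question's message: spf=none, anonymous
    return "authenticated"


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record for sender_ip.  Only ip4:, ip6: and all are understood;
    mechanisms that need DNS (include:, a:, mx:) are skipped (assumption: no match)."""
    if not record.lower().startswith("v=spf1"):
        return "none"                       # no (valid) record published
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[q]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return qualifiers[q]
    return "neutral"                        # record exhausted without a match


# Constructed sample 1: shaped like the question's headers (trimmed, documentation IP).
QUESTION_SAMPLE = """Authentication-Results: spf=none (sender IP is 203.0.113.10)
 smtp.mailfrom=testdzfsdfsd.com; mydomain.com; dkim=none (message not
 signed) header.d=none;mydomain.com; dmarc=none action=none
 header.from=testdzfsdfsd.com;
Received-SPF: None (protection.outlook.com: testdzfsdfsd.com does not
 designate permitted sender hosts)
From: <someone@testdzfsdfsd.com>
To: <user@mydomain.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 5
"""

# Constructed sample 2: the same anonymous path, but the From claims our own domain.
SPOOF_SAMPLE = """Authentication-Results: spf=none (sender IP is 203.0.113.10)
 smtp.mailfrom=mydomain.com; mydomain.com; dkim=none (message not signed)
 header.d=none;mydomain.com; dmarc=none action=none header.from=mydomain.com;
From: <ceo@mydomain.com>
To: <finance@mydomain.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 5
"""

PROTECTED_DOMAINS = frozenset({"mydomain.com"})   # hypothetical: our tenant's domains


def triage(raw: str) -> str:
    return classify(parse_auth_headers(raw), PROTECTED_DOMAINS)


if __name__ == "__main__":
    print(triage(QUESTION_SAMPLE))   # unauthenticated-external
    print(triage(SPOOF_SAMPLE))      # spoofed-internal
    # Had mydomain.com published a hard-fail record, the SPF check on the spoofed
    # message would have read spf=fail rather than spf=none:
    print(spf_check("v=spf1 ip4:198.51.100.0/24 -all", "203.0.113.10"))  # fail
    print(spf_check("v=spf1 ip4:198.51.100.0/24 -all", "198.51.100.7"))  # pass
```

The point of the two samples is the difference the accepted answer relies on: EOP accepts the anonymous submission either way, so the only signals a tenant controls are the SPF and DKIM verdicts stamped on the message. With no record published the spoofed message is merely "unauthenticated"; with a -all record (and DKIM signing of outbound mail) the same submission fails authentication and can be quarantined or rejected by policy rather than left to the spam score alone.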

5 additional answers

  1. Anonymous
    2017-08-17T08:26:38+00:00

    Hello Blue,

    Thanks for all the information you provided.

    SMTP relay doesn't use a specific Office 365 mailbox to send email, so it needs a static IP address or address range. If you send the emails from any domain name, the SPF check may fail on the recipient side.

    I noticed that the third-party tool has a place for authentication. That may be the reason why this email was not treated as spam. However, we suggest using the official way to set up SMTP relay for your organization.

    https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4

    I understand your concerns and you can submit feedback via this website:

    https://office365.uservoice.com/

    Best Regards,

    Alison

  2. Anonymous
    2017-08-17T07:16:06+00:00

    Further update.

    You need to have the smtp server to be the "correct" one for the tenancy of the "from" email address (and connection) in order for the emails to be relayed externally (e.g. ******@gmail.com - and for it to appear in the message trace of the tenant)

    Using different SMTP servers (for other tenants) will allow relay to "any" 365 user only. And even with the connector in place, it will not allow relay to external addresses or appear in the tenant message trace. But emails still get delivered to "any" 365 user.

  3. Anonymous
    2017-08-16T20:32:45+00:00

    Logs from the SMTP send tool showing it being accepted...

    Connecting to mail server.
    Connected.
    220 CWLGBR01FT018.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 16 Aug 2017 20:19:53 +0000
    EHLO servername
    250-CWLGBR01FT018.mail.protection.outlook.com Hello [xxx.xxx.xxx.xxx.xxx]
    250-SIZE 157286400
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    RSET
    250 2.0.0 Resetting
    MAIL FROM: <******@amazon.co.uk>
    250 2.1.0 Sender OK
    RCPT TO: <******@mydomain.com>
    250 2.1.5 Recipient OK
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    .
    250 2.6.0 <******@amazon.co.uk> [InternalId=63380832388431, Hostname=VI1PR0401MB1872.eurprd04.prod.outlook.com] 7996 bytes in 0.298, 26.183 KB/sec Queued mail for delivery
    Forcing disconnection from SMTP server.
    QUIT
    221 2.0.0 Service closing transmission channel
    Disconnected.
    Message Sent Successfully

  4. Anonymous
    2017-08-16T20:30:18+00:00

    See below

    Email was sent from a non-blacklisted IP with SMTP DiagTool, using xxxxx-co-uk.mail.protection.outlook.com as the SMTP server (e.g. xxxxx is any valid domain for any 365 tenant).

    Set from email to ******@amazon.co.uk

    Set to email to my personal email (on 365)

    And as you can see, the email arrived.

    There is NO relationship from the IP I sent from, to Amazon, or my personal domain.  And there is no connector I am aware of on 365 for this IP.  The SMTP address used was one for a random customer of mine, not related to my address/tenancy.

    There is no way this email should've been relayed by 365....
