Why did this e-mail with DKIM get through the Office 365 spam filter? Which policy do I need to "tweak"?

We use Office 365 for mail, and this morning I received this piece of spam, so I checked the headers to see whether there was anything I could do. Here are the headers with the recipient domain removed

Received: from DB6PR01MB3829.eurprd01.prod.exchangelabs.com
 (2603:10a6:6:52::25) by PAXPR01MB9291.eurprd01.prod.exchangelabs.com with
 HTTPS; Tue, 10 May 2022 02:17:42 +0000
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
 b=EeGi0lrMprVF98QNcErMivV15SlCGfKOkWEjmPF6RvL4rtMscNmuzA0Do6xVi7W2VL14YtJE0cS2MQzJgsNnh2x2b3fkVMGb+L3mqCyhYvfpphI21XkeOLzjiuJaLexSA1TK6bChcboiF1sP+KI+G/gfGbzfWdzt3mhABec4s/98qZTQGjCe50IuXc0F46ILAEbIXjl1S1pmKLQnKi5j9BFhdwtITVWlIzY7ZiCFng+1mHKigKFDPTyeEiw7ttsm3oviZe1VLP+yy0lvUMPilZ6q7myeBYm9hAb53MWIrYNmX9aevyxV0TpC39uTOK3u9pYH2MZ7fZlm4xX5Ppo/8A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=MfogbEoTECE7pnnCdWfNTaPrbyhjph3ZMKGUlMoJEC9pu//dHDOMF07eiTsT3t5tba1ghfgbe2xZEZqg7azDGULAznA9eTzsjSnhnveCVt1thqLWnQLXh/T3/BOgpwQb8nCjVoq6p3KuBUXrObEWxqu07csivgli0UAiOS4UUVInWOX93PlMWL9APXrNRuOQzRBPrr84cg/XQhKWhxjMjtyoHH/VIvykTkEk/3mtuAdDjWseunvhqbD8K1b4pjrE4zycJNvTuo/+ZuV3YuFAfnEXcnQu/fmshdFMvWaEGAAK4Lex8O1P564OeW2XibLPAzqzy4aREtMWmAz2iKdmGQ==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)
Received: from AS9PR06CA0338.eurprd06.prod.outlook.com (2603:10a6:20b:466::32)
 by DB6PR01MB3829.eurprd01.prod.exchangelabs.com (2603:10a6:6:52::25) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Tue, 10 May
 2022 02:17:40 +0000
Received: from VE1EUR01FT092.eop-EUR01.prod.protection.outlook.com
 (2603:10a6:20b:466:cafe::a6) by AS9PR06CA0338.outlook.office365.com
 (2603:10a6:20b:466::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20 via Frontend
 Transport; Tue, 10 May 2022 02:17:39 +0000
Authentication-Results: spf=pass (sender IP is 52.100.172.225)
 smtp.mailfrom=columbiacentral.edu; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=softpass reason=202
Received-SPF: Pass (protection.outlook.com: domain of columbiacentral.edu
 designates 52.100.172.225 as permitted sender)
 receiver=protection.outlook.com; client-ip=52.100.172.225;
 helo=NAM11-DM6-obe.outbound.protection.outlook.com;
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (52.100.172.225)
 by VE1EUR01FT092.mail.protection.outlook.com (10.152.3.140) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Tue, 10 May 2022 02:17:39 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Q5rpXKAdNS+0d9NAcPdgg6yieRqMW+KRK56NvHARZ4dvDoZFK3ySOALeF/i9hUzI42iCy0O8N39lvyCdQqVsh1ZRKOfp/yVtfpa+crSVPK2TK/DezxAE0TxWMewLdzGDhWUXugtGjgvNArKyHBS84F2rsOpDZRMfs1Yo8BJXZw3qT5bLFu1TkCU1sZvnzO7fNomw6exzWksgwRLCiQyigO26zDT99562VKyMLxSo0jW24mxN948jAg9vtGu5M95gunA+fRSJUu26E6pjhpS3ESkrcETmi074jwsIHPRts8NV9zZTNlnkigxKxqCGnbYgNiDqNRNK8eicLHn3nZht9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=j+q7sHypXOlRowsbB0TbvBhGeqo6NZcgUYskR6DrTJPVsaNOdxldABCpIYBtnRZpytb8NaleVgX84hn+wqy5as3e1845BoDH2jANfo5D6geIh3Vofc8VE7GykIOjyq93qgxLkfsdd20iU9gsgwMln8yZ0OUvSFR4tBeDXTcSOB0JT0pMq/iF+qiyva6TgwUA5XhHCwnpu0w1IkdHGlAAZpLkRAyiaqgf6dduuwqmz9Blu/wsgeAUSEE+djSXNoiFnWTaF03/lC7iANlqlQLELSw6d/lfNtozYKaZ9l4uHiYe+aoVk9LaowjlQkEWLw/ZAQ7XL6fUizHvmUpLcZYhog==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=temperror (sender ip
 is 2603:10c6:1:12::22) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=
Received: from MW2PR16CA0035.namprd16.prod.outlook.com (2603:10b6:907::48) by
 BY5PR02MB7044.namprd02.prod.outlook.com (2603:10b6:a03:232::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20; Tue, 10 May
 2022 02:17:37 +0000
Received: from MW2NAM12FT006.eop-nam12.prod.protection.outlook.com
 (2603:10b6:907:0:cafe::9c) by MW2PR16CA0035.outlook.office365.com
 (2603:10b6:907::48) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.23 via Frontend
 Transport; Tue, 10 May 2022 02:17:36 +0000
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is
 2603:10c6:1:12::22) smtp.mailfrom=columbiacentral.edu; dkim=fail (signature
 did not verify) header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;
Received-SPF: TempError (protection.outlook.com: error in processing during
 lookup of columbiacentral.edu: DNS Timeout)
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36
 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40
 +0000
Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by
 SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000
Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com
 (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com
 (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend
 Transport; Sun, 8 May 2022 04:00:37 +0000
Authentication-Results-Original: spf=pass (sender IP is 168.245.125.63)
 smtp.mailfrom=send.ksd1.klaviyomail.com; dkim=pass (signature was verified)
 header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=pass reason=102
Received-SPF: Pass (protection.outlook.com: domain of
 send.ksd1.klaviyomail.com designates 168.245.125.63 as permitted sender)
 receiver=protection.outlook.com; client-ip=168.245.125.63;
 helo=o1401.shared.klaviyomail.com;
Received: from o1401.shared.klaviyomail.com (168.245.125.63) by
 SY4AUS01FT005.mail.protection.outlook.com (10.114.156.159) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Sun, 8 May 2022 04:00:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
    h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
    s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
    b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
    ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
    FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=
Received: by filterdrecv-587b769b88-2bpk5 with SMTP id filterdrecv-587b769b88-2bpk5-1-62774062-56
        2022-05-08 04:00:34.371597831 +0000 UTC m=+2700818.931010760
Received: from MTk3MDQ3Mzc (unknown)
    by geopod-ismtpd-1-5 (SG) with HTTP
    id Rs3WzlZyRbmab0T598cUNQ
    Sun, 08 May 2022 04:00:34.261 +0000 (UTC)

What stands out most to me is the DKIM failure:

 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)

Which 365 policy should I adjust so that these DKIM failures are strictly identified?

Edit: I ran it through a header analyzer, and it found two DKIM failures in it:

dkim:ksd1.klaviyomail.com:m1  

Dkim Public Record:
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6L9gyFVAyoilbWhRbDZp+S8sFyNK4ACBgovgHxfbrutEet95U/CaL0mUnhv4VmkbIK7vUM2lsZl5rqLMQf5FGapvT3lWYQOgWBtl2USeDDr5Y+LzaHA1XZ+5NVf+l6sAFRaKeabsIKidXfxkdDALgIOIdmF3WV+VI4TvMRo90hQIDAQAB

Dkim Signature (this is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
 h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
 s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
 b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
 ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
 FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=

dkim:columbiacoedu.onmicrosoft.com:selector2-columbiacoedu-onmicrosoft-com  

Dkim Public Record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOvOdOm9Ug9778qHNSHRfls8jR3NWGijSKHOo/T2z4WdACJHA3IDPMVB2q4cWnHt+KwAnWiRYWeSeBWkzqWBIiWgdn8kMh08+iMy86hfqKb7mzbWgXigdEdtzzD9RGy09FRKsy5sIPJMMavbPhzvJaS/KNmWEMEb09JXkMyNCnRQIDAQAB;

Dkim Signature (This too is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=

Answer 1

It looks like you may have some spoofed Received headers:

Received: from bouttecontour.cloud (195.58.39.136) looks like the genuine injection into O365 on Tue, 10 May 2022 02:17:36 +0000

But the Received headers below it have a break in time and appear to show internal O365 processing before the injection.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000

Compare those with the headers from a sample we are investigating:

Received: from breckcraigint.pro (195.58.39.137) by DM6NAM12FT048.mail.protection.outlook.com (10.13.178.173) with Microsoft SMTP Server id 15.20.5250.8 via Frontend Transport; Mon, 9 May 2022 02:00:01 +0000

Again, the header lines below it appear to show O365 processing - and they exactly match your example.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000
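An added example (not from the answer above) that mechanizes the check this answer performs by eye: it walks the Received chain top-down and flags where consecutive hop timestamps differ by more than an hour, which marks the break between the genuine injection and the sender-supplied headers beneath it. The sample headers are a constructed, trimmed subset of the ones in the question.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from datetime import timedelta

# Constructed sample: the hops around the injection point of the message in the
# question, trimmed to the fields this check needs (not the full header set).
SAMPLE_HEADERS = """\
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (52.100.172.225)
 by VE1EUR01FT092.mail.protection.outlook.com (10.152.3.140) with Microsoft
 SMTP Server id 15.20.5227.15 via Frontend Transport; Tue, 10 May 2022 02:17:39 +0000
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36
 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40
 +0000
Received: from o1401.shared.klaviyomail.com (168.245.125.63) by
 SY4AUS01FT005.mail.protection.outlook.com (10.114.156.159) with Microsoft
 SMTP Server id 15.20.5227.15 via Frontend Transport; Sun, 8 May 2022 04:00:36 +0000

"""


def received_hops(raw_headers):
    """Return (from_host, timestamp) per Received header, newest (top) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        host = re.match(r"from\s+(\S+)", value)
        date = value.rsplit(";", 1)[1].strip()   # the timestamp follows the last ';'
        hops.append((host.group(1) if host else "?", parsedate_to_datetime(date)))
    return hops


def time_gaps(hops, threshold=timedelta(hours=1)):
    """Flag consecutive hops whose timestamps differ by more than `threshold`.
    Received headers are prepended, so read top-down the time should fall by
    seconds between relays, not by days; a large jump marks where the trusted
    chain ends and a block the sender supplied begins."""
    gaps = []
    for (upper_host, upper_ts), (lower_host, lower_ts) in zip(hops, hops[1:]):
        delta = upper_ts - lower_ts
        if delta > threshold:
            gaps.append((upper_host, lower_host, delta))
    return gaps
```

On the sample this reports a single gap of almost two days, between the bouttecontour.cloud hop and the outlook.com hop claimed below it.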

Answer 2

OK, after some more digging I - edit: following the comments, possibly - have my own answer. I did not have an Exchange Online rule that sets the SCL based on the Authentication-Results for dkim=fail

For anyone else looking:

  • Go to the Exchange Online admin center
  • Mail flow -> Rules
  • Add a new rule and choose More options (otherwise you won't see the header options)
  • Add a test: the header "Authentication-Results" includes "dkim=fail"
  • Set the SCL to 6

I added a second rule that does the same as the above, but for the header "X-MS-Exchange-Authentication-Results"

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages?view=o365-worldwide

Admins can create Exchange mail flow rules (also known as transport rules) based on the DKIM validation results. These mail flow rules will allow admins to filter or route messages as needed.
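An added example (not part of this answer or of Microsoft's documentation) that parses the two headers the rules above inspect, with values copied from the question, and shows why the second rule was needed: the Authentication-Results header carries only the passing onmicrosoft.com signature, while the dkim=fail for ksd1.klaviyomail.com appears in X-MS-Exchange-Authentication-Results. The rule_fires function mirrors the substring match the mail flow rule performs.

```python
import re

# Constructed samples: the header values from the question (comments in parentheses
# are part of the real header and are stripped by the parser below).
AUTH_RESULTS = (
    "spf=pass (sender IP is 52.100.172.225) smtp.mailfrom=columbiacentral.edu; "
    "dkim=pass (signature was verified) header.d=columbiacoedu.onmicrosoft.com;"
    "dmarc=none action=none header.from=biglifejournal.com;compauth=softpass reason=202"
)
XMS_AUTH_RESULTS = (
    "spf=temperror (sender IP is 2603:10c6:1:12::22) smtp.mailfrom=columbiacentral.edu; "
    "dkim=fail (signature did not verify) header.d=ksd1.klaviyomail.com;"
    "dmarc=none action=none header.from=biglifejournal.com;"
)


def parse_auth_results(value):
    """Split an Authentication-Results value into (method, result, properties)
    tuples; each ';'-separated clause is one authentication method."""
    value = re.sub(r"\([^)]*\)", "", value)       # drop "(signature was verified)" etc.
    results = []
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method, result, props))
    return results


def dkim_failures(value):
    """Signing domains (header.d) whose DKIM signature did not verify."""
    return [p.get("header.d", "?") for m, r, p in parse_auth_results(value)
            if m == "dkim" and r != "pass"]


def rule_fires(value, needle="dkim=fail"):
    """What the mail flow rule in the answer does: a plain substring match on the
    header value. It fires on any dkim=fail clause, even when another signature in
    the same header passes, and never on a header that lists no DKIM result."""
    return needle in value
```

A rule on Authentication-Results alone would not have caught this message; only the X-MS-Exchange-Authentication-Results header records the failed ksd1.klaviyomail.com signature.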