01-06-2024 08:17 - edited 01-06-2024 08:19
Before I start I'm going to state that any and all opinions in here are my own and do not represent the opinions of either Virgin Media, OR any other company that I work for.
I have an Office 365 subscription and Outlook on my MacBook is now the New Outlook.
I run my own email server and the New Outlook does not like setting up my account as an MS Exchange account so I reverted to the IMAP/SMTP combination to add my mail.
I noticed that my account was allowing the inbox to be set up with separate Focused and Other mail views, which I thought was welcome, but strange, as this is a function of Microsoft Exchange accounts on the old Outlook but NOT of IMAP accounts.
However, the fun started when I wanted to look at the message source of a spam email. Whilst not intuitive, this turned out to be quite simple: right click on the message in the message list and select View Source. This opened the message source in TextEdit. But something looked odd, so I tried again with the message source from a big provider. Here are the main headers:
Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
by mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:41 +0000 (UTC)
Received: from mail.timothydutton.co.uk ([127.0.0.1])
by mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 7dYu5B6xmDmJ for <myaddress@timothydutton.co.uk>;
Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
by mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: by mta11.e.ea.com id hb53qg2fmd44 for <myddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:31 +0000 (envelope-from <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>)
From: EA <EA@e.ea.com>
To: "myaddress@timothydutton.co.uk" <myaddress@timothydutton.co.uk>
Subject: Order Confirmation
The first thing I noticed was that there were no Authentication results. Now as this is my server I know what checks it does and how they show up in the headers. So I decided to look at the same source in the Mac Mail Client.
Return-Path: <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>
Delivered-To: myaddress@timothydutton.co.uk
Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
by mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:41 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mail.timothydutton.co.uk
Authentication-Results: mail.timothydutton.co.uk (amavisd-new);
dkim=pass (1024-bit key) header.d=e.ea.com
Received: from mail.timothydutton.co.uk ([127.0.0.1])
by mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 7dYu5B6xmDmJ for <myaddress@timothydutton.co.uk>;
Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
by mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=200608; d=e.ea.com;
h=From:To:Subject:Date:List-Help:MIME-Version:Reply-To:List-ID:Message-ID:
Content-Type; i=EA@e.ea.com;
bh=Bt4O8+rAcBCqhUuRfb6wIy85XnrcqrAkSNwQhDba61A=;
b=ktW2ZmorBa47DTVdiHaLxNuurEZEFrAYvdigN3/Pu3gcqQvOTZ//LxtEP3S1jYIzQt83wUUOlUST
urqn0eeItQOd5VNJzxBt+/vsqOuTDdkirvxKP0/Y3X7kKqXdSMf518xuL/6MlH1WfcO9Uku0SZXt
Nf2/lSHpA77mLgdum9k=
Received: by mta11.e.ea.com id hb53qg2fmd44 for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:31 +0000 (envelope-from <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>)
From: "EA" <EA@e.ea.com>
To: <myaddress@timothydutton.co.uk>
Subject: Order Confirmation
So straight away we see a discrepancy. The DKIM header is there, as is the result of the authentication checks.
Let's have a look at the plain text header portion:
New Outlook
--_000_e2b2c4a7815e4e64bfe49242eac919f2atl1s07mta2749xtlocal_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Apple Mail
--WZDBQC32T1nn=_?:
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 8bit
There are more changes as well. So essentially I CANNOT trust the headers of the mail when viewed in the New Outlook client.
How does Microsoft achieve this? Well, just as in the Outlook client on mobile devices, the client does not directly connect to your server. Instead it interacts with servers on Microsoft's network, and they perform the IMAP and SMTP connections with the mail servers you set up in the settings. I've confirmed this by sending an email and checking the headers of the sent message to see the point where it hits my mail server.
Received: from CWXP265MB1542.GBRP265.PROD.OUTLOOK.COM (unknown [IPv6:2603:1026:401:4d::5])
by mail.timothydutton.co.uk (Postfix) with ESMTPSA id 4Vrqsd4Bqhz4vym
I could possibly live with this, but I am not a fan of Microsoft essentially re-writing my mail. Whilst the mail itself looks identical to the end viewer on both clients, being unable to obtain the ORIGINAL source from the New Outlook app means that security professionals are hampered from doing their jobs properly when investigating email scams.
Whoever thought this was a good idea needs their heads examining.
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more
Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks
on 01-06-2024 14:19
I do not use Outlook but was curious enough to see what the issue could possibly be here. AFAICS it seems there is a “sanitised” view of headers that shows just the information Microsoft believe is of use. To access the “de-sanitised” view it seems you need to view the message's Properties > Internet headers field.
01-06-2024 15:27 - edited 01-06-2024 15:30
Nope, it's not. The Properties > Internet Headers field is in the Classic version of Outlook. The New version aims to move the interface in a similar direction to that of Outlook on the Web.
I've just added the same account to New Outlook on Windows, and have had the same experience as on the MacBook Air.
In addition, when the client is set up you get a notification that the account is being synced with the Microsoft Cloud. I don't recall the message being so overt in the macOS version.
However, it doesn't just sync the message to the cloud, it converts it. Text in the email body that was encoded as 8-bit is instead encoded using Base64.
This is with external accounts, but Microsoft has form for changing email bodies. If I send an email to an Exchange account and a Gmail account and then run dkimverify on the source, Microsoft fails DKIM but Gmail passes.
Remember DKIM not only signs the mail, but also provides a hash that is used to prove that specified parts of the mail have not been altered.
The thing is, if they can effectively amend the contents of the mail to change the encoding format, what's to stop them amending the actual viewable content of the message?
Tim
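The DKIM point made in the post above (the signature covers a hash of the body, so re-encoding the body breaks verification), as an added example that is not part of the thread and is not dkimpy's code: a simplified RFC 6376 "relaxed" body canonicalisation and bh= computation run over a constructed sample body, showing that converting an 8bit body to base64 leaves the decoded text identical while the body hash changes. Assumptions: the canonicalisation ignores MIME-part handling and the l= tag, and the sample body is invented.

```python
import base64
import hashlib
import re


def relaxed_body_canon(body: bytes) -> bytes:
    """Simplified RFC 6376 section 3.4.4 'relaxed' body canonicalisation.

    Runs of SP/HTAB collapse to a single space, trailing whitespace on each
    line is removed, trailing empty lines are dropped and each line ends in
    CRLF. Illustration only (assumption: no MIME or l= handling).
    """
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while canon and canon[-1] == b"":
        canon.pop()
    if not canon:
        return b""
    return b"\r\n".join(canon) + b"\r\n"


def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalisation."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode("ascii")


def bh_matches(bh_claimed: str, body: bytes) -> bool:
    """Receiver-side check: does the body as delivered still match the signed bh=?"""
    return body_hash(body) == bh_claimed


def reencode_8bit_to_base64(body: bytes) -> bytes:
    """Re-encode an 8bit body as base64 in 76-character CRLF-wrapped lines,
    as an intermediary that rewrites Content-Transfer-Encoding would."""
    b64 = base64.b64encode(body)
    return b"".join(b64[i:i + 76] + b"\r\n" for i in range(0, len(b64), 76))


# Constructed sample body; not the EA message quoted in the thread.
ORIGINAL_8BIT = ("Order Confirmation\r\n"
                 "Thank you for your order.\r\n"
                 "Total: \u00a312.99\r\n").encode("utf-8")
RECODED_BASE64 = reencode_8bit_to_base64(ORIGINAL_8BIT)


def demo() -> dict:
    bh = body_hash(ORIGINAL_8BIT)  # the value the signer would have put in bh=
    return {
        "decoded_content_identical": base64.b64decode(RECODED_BASE64) == ORIGINAL_8BIT,
        "bh_still_matches_after_reencode": bh_matches(bh, RECODED_BASE64),
    }


if __name__ == "__main__":
    print(demo())
```

The viewer sees the same text either way, but the signed hash was computed over the 8bit bytes, so the base64 version fails the bh= check and DKIM cannot pass.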
on 01-06-2024 16:47
I’ve so far managed not to use the “new” outlook with MS365. I’m just waiting for MS to force all users onto it.
on 01-06-2024 17:31
@ravenstar68 wrote:Nope it's not. The Properties->Internet Headers is in the Classic Version of Outlook. The New version aims to move the interface in a similar direction to that of Outlook on the Web.
⋮
Sorry to read that.
Seems the instructions here, View internet message headers in Outlook - Microsoft Support, are incorrect then:
on 01-06-2024 18:39
When I see MS doing things like this I'm very glad I gave up on MS a few years ago. I had even been a beta tester for early versions of Windows and Windows Network Server!