There is an issue where Office 365 does not journal message that contain bare line feeds, which means that there is a LF character not preceded by a CR character.
Computer systems use one or more invisible characters to control when a line breaks. The names of these characters are holdovers from the days of typewriters:
- Carriage return (CR), which moved either the carriage or the platen to the beginning of the current line
- Line feed (LF), which moved the platen to the next line at the same location on the line
For more details on how different computer systems, specifically *NIX vs. Windows, dealt with these characters, See The Great Newline Schism and Wikipedia.
The Agari Phishing Defense issue
When Office 365 attempts to journal a message that contains an LF not preceded by a CR it will only do so if BDAT (binary data) is supported by the receiving server. If CHUNKING is not presented as a supported ESMTP (enhanced SMTP) extension. then Office 365 will not attempt to issue the BDAT command.
- You will probably receive a non-delivery receipt message saying that a message was not able to be sent to the sensor because of an invalid character. This message should also identify that character as a "bare line feed."
- A message that you would expect APD to "see" because it was sent to and evaluated by the sensor is not viewable in APD.
- Viewing a message trace in the Office 365 admin console, the send action to the sensor address has a status of "failed."
The Postfix mail transfer agent (MTA) maintainer is working to add BDAT support. Once Postfix adds this feature Agari will need to verify the update and include it into the sensor.
Until the postfix includes BDAT support and that version is added to the APD sensor, a workaround exists that involves adding an additional rule to Office 365. This rule will add a disclaimer to messages sent to your domain.
At a high level you will be creating a rule for all inbound mail and then appending a character (such as a space) to each recipient address. This way no message has a recipient which ends in an invalid character, it will always end in a valid one.
- Go to the Office 365 Admin console.
- Go to Mail Flow.
- Click +, and then select Create a new rule.
- Enter a descriptive Name, such as "Bare Line Feed Disclaimer."
- In the Apply this rule if drop-down list, select The recipient address includes.
- Click Enter words and enter a word or phrase that matches your condition, such as your domain (without the TLD).
- In the Do the following drop-down list, select Append the disclaimer.
- Click Enter words and enter a disclaimer message, which could be as simple as a space character.
- Click Select one, and then select Wrap.
- In the Match sender address in message drop-down list, select Header or envelope.
- Click Save.
Once you have created this rule, you will need to toggle any enabled policies in APD.
- Go to Manage > Policies.
- For any policies you have enabled:
- Click the Policy Name.
- Click the Disable/Enable toggle to disable the policy.
- Click Save.
- Click the Disable/Enable toggle to enable the policy.
- Click Save.
Please sign in to leave a comment.