
Re: [Asrg] mail security

2009-01-23 06:00:38


--On 22 January 2009 11:07:20 -0500 Rich Kulawiec <rsk(_at_)gsp(_dot_)org> wrote:

> On Wed, Jan 21, 2009 at 11:43:39AM +0000, Ian Eiloart wrote:
>> Agreed. That's why I'm discussing SPF or DKIM with a reputation service.
>> In the first instance, my reputation service is going to be a local
>> whitelisting mechanism. I'll probably have some domains whitelisted for
>> my entire site. Perhaps all .ac.uk domains, for example. Then I'll allow
>> users to whitelist domains and addresses that they trust. However, the
>> whitelisting mechanism will rely on an SPF or DKIM pass.
>
> Even if you go that route -- and I'll skip getting into its intrinsic
> merits and problems here -- I think you shouldn't allow users to whitelist
> *anything*, ever, without manual review by qualified personnel, for
> at least two reasons I can think of.

Well, I don't think we have the staff capacity to do that. I guess we might require review when entire domains are whitelisted, and I guess that if we're permitting one person to whitelist a domain, then we should permit anyone to whitelist that domain.

Of course, if a domain doesn't have an SPF or DKIM record, then we won't let anyone whitelist it or any address in that domain. And, if a message doesn't have a positive SPF or DKIM match, we'll ignore the whitelist entry - or perhaps warn the recipient if we don't accept the message.

I don't know how I could be a better judge than a user about whether they want to whitelist a specific email address. However, we could present them with a warning if they try to list an address (in a domain)? with a poor rating in our reputation service. The point here is that permitting address A to email address B only exposes one person to risk - the person doing the whitelisting.

Oh, and I'd never allow any email (other than to postmaster@ or abuse@) to bypass our malware filter. That would turn a spam threat to an individual into a threat to our network.


> First, users have very poor skills in this area.  (Not their fault,
> really, it's not their gig.)  We can tell how poor their skills are by
> a number of methods, but I think the most obvious is: if they were
> any good at it, then phishing would be an inconsequential problem.
>
> Another way to tell is to monitor outbound SMTP and HTTP requests
> and note which ones are being directed to known-fraudulent domains.
> I see this constantly, even in environments where users have been
> told ad infinitum to never reply to a suspected spam/phish, never
> to follow any links in them, etc.  (In some environments, I block them.
> I'm beginning to think that's a best practice, even in cases where
> subsequently the real targets have acquired the phisher domains,
> as I think they know never to use them.)
>
> Second, how do you know that it's actually the users doing this?
>
> I'm not saying that you shouldn't maintain something along the lines
> of a whitelist, or an exempted-from-blacklist, or some other function.
> I'm saying that nothing should ever go into that list until somebody who
> knows about DNS and WHOIS and is appropriately paranoid has looked at it.
>
> ---Rsk
>
> _______________________________________________
> Asrg mailing list
> Asrg(_at_)irtf(_dot_)org
> http://www.irtf.org/mailman/listinfo/asrg



--
Ian Eiloart
IT Services, University of Sussex
x3148
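The gating policy Ian describes above (a domain, or an address in it, can only be listed if the domain publishes SPF or DKIM; a list entry is honoured only when the message actually passes for that domain; the site-wide list covers suffixes such as .ac.uk; nothing except mail to postmaster@ or abuse@ bypasses the malware filter), written out as an added Python example. This is not code from the thread or from the University of Sussex; the DNS data, domain names, spam threshold and disposition strings are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Constructed stand-in for a DNS check of which sender domains publish SPF or
# DKIM records. Hypothetical data for the example, not a real lookup.
PUBLISHES_AUTH: Dict[str, Set[str]] = {
    "sussex.ac.uk": {"spf", "dkim"},
    "partner.example": {"dkim"},
    "noauth.example": set(),
}

# Recipients that must receive everything, including malware samples
# (the postmaster@/abuse@ exception from the message above).
MALWARE_FILTER_EXEMPT_LOCALPARTS = {"postmaster", "abuse"}


@dataclass
class AuthResults:
    """Authentication results the MTA already computed for one message."""
    spf_pass_domain: Optional[str] = None            # domain whose SPF check passed
    dkim_pass_domains: FrozenSet[str] = frozenset()  # d= domains with a valid signature


@dataclass
class Whitelist:
    site_suffixes: Set[str] = field(default_factory=set)             # e.g. {"ac.uk"}, site-wide
    user_entries: Dict[str, Set[str]] = field(default_factory=dict)  # recipient -> domains/addresses


def _domain_of(addr_or_domain: str) -> str:
    """Domain part of an address, or the string itself if it has no '@'."""
    return addr_or_domain.rpartition("@")[2].lower()


def _localpart(addr: str) -> str:
    return addr.rpartition("@")[0].lower()


def _under_suffix(domain: str, suffix: str) -> bool:
    return domain == suffix or domain.endswith("." + suffix)


def can_whitelist(entry: str, publishes: Dict[str, Set[str]] = PUBLISHES_AUTH) -> bool:
    """Only a domain that publishes SPF or DKIM (or an address in one) may be listed."""
    return bool(publishes.get(_domain_of(entry)))


def add_user_entry(wl: Whitelist, recipient: str, entry: str,
                   publishes: Dict[str, Set[str]] = PUBLISHES_AUTH) -> bool:
    """Per-user listing; refused outright for domains with neither SPF nor DKIM."""
    if not can_whitelist(entry, publishes):
        return False
    wl.user_entries.setdefault(recipient.lower(), set()).add(entry.lower())
    return True


def is_listed(wl: Whitelist, recipient: str, from_addr: str) -> bool:
    """Site-wide suffix match first, then this recipient's own entries."""
    from_addr = from_addr.lower()
    domain = _domain_of(from_addr)
    if any(_under_suffix(domain, s) for s in wl.site_suffixes):
        return True
    entries = wl.user_entries.get(recipient.lower(), set())
    return from_addr in entries or domain in entries


def is_authenticated(from_addr: str, auth: AuthResults) -> bool:
    """The From domain itself must have passed SPF or carry a valid DKIM signature."""
    domain = _domain_of(from_addr)
    return auth.spf_pass_domain == domain or domain in auth.dkim_pass_domains


def disposition(wl: Whitelist, recipient: str, from_addr: str, auth: AuthResults,
                malware_found: bool, spam_score: float, spam_threshold: float = 5.0) -> str:
    """Decide what happens to a message; the whitelist never overrides the malware verdict."""
    if malware_found and _localpart(recipient) not in MALWARE_FILTER_EXEMPT_LOCALPARTS:
        return "reject: malware"
    listed = is_listed(wl, recipient, from_addr)
    if listed and is_authenticated(from_addr, auth):
        return "accept: whitelisted"
    if spam_score < spam_threshold:
        return "accept"
    if listed:
        # The entry is ignored because the sender did not authenticate; this is
        # where the recipient would be warned that a listed sender was refused.
        return "reject: listed sender failed SPF/DKIM"
    return "reject: spam"
```

The same `is_authenticated` check applies to site-wide and per-user entries alike, so a forged From address in a whitelisted domain gains nothing unless the forger also controls that domain's SPF-authorised hosts or DKIM key, which is the property the whitelist design depends on.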
