[Asrg] mail security
Rich Kulawiec
rsk at gsp.org
Thu Jan 22 08:07:20 PST 2009
On Wed, Jan 21, 2009 at 11:43:39AM +0000, Ian Eiloart wrote:
> Agreed. That's why I'm discussing SPF or DKIM with a reputation service.
> In the first instance, my reputation service is going to be a local
> whitelisting mechanism. I'll probably have some domains whitelisted for
> my entire site. Perhaps all .ac.uk domains, for example. Then I'll allow
> users to whitelist domains and addresses that they trust. However, the
> whitelisting mechanism will rely on an SPF or DKIM pass.
Even if you go that route -- and I'll skip getting into its intrinsic
merits and problems here -- I think you shouldn't allow users to whitelist
*anything*, ever, without manual review by qualified personnel, for
at least two reasons I can think of.

First, users have very poor skills in this area. (Not their fault,
really, it's not their gig.) We can tell how poor their skills are by
a number of methods, but I think the most obvious is: if they were
any good at it, then phishing would be an inconsequential problem.
Another way to tell is to monitor outbound SMTP and HTTP requests
and note which ones have been directed to known-fraudulent domains.
I see this constantly, even in environments where users have been
told ad infinitum to never reply to a suspected spam/phish, never
to follow any links in them, etc. (In some environments, I block them.
I'm beginning to think that's a best practice, even in cases where
subsequently the real targets have acquired the phisher domains,
as I think they know never to use them.)

Second, how do you know that it's actually the users doing this?

I'm not saying that you shouldn't maintain something along the lines
of a whitelist, or an exempted-from-blacklist, or some other function.
I'm saying that nothing should ever go into that list until somebody who
knows about DNS and WHOIS and is appropriately paranoid has looked at it.
---Rsk
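The mechanism discussed in this thread, as an added illustration that is not code from either poster: a whitelist entry is honoured only if it has been manually reviewed, and only if the SPF or DKIM pass in the Authentication-Results header belongs to the same domain as the entry, since a pass for some unrelated domain says nothing about the whitelisted one. The whitelist contents, reviewer names and header values are constructed sample data.

```python
import re

# Constructed whitelist: "scope" is "site" or "user:<login>"; an entry with
# reviewed_by=None is still pending review and must not be honoured.
WHITELIST = {
    "sussex.ac.uk": {"scope": "site", "reviewed_by": "postmaster"},
    "example.org": {"scope": "user:alice", "reviewed_by": None},  # pending
}

# Pull (method, result, identity) triples out of an Authentication-Results
# header: spf=pass ... smtp.mailfrom=<mailbox>;  dkim=pass ... header.d=<domain>
AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?"
)


def authenticated_domains(auth_results: str) -> set:
    """Domains vouched for by an SPF pass (envelope sender) or DKIM pass (d=)."""
    passed = set()
    for _method, result, identity in AUTH_RE.findall(auth_results):
        if result == "pass" and identity:
            # smtp.mailfrom may carry a local part; keep only the domain.
            passed.add(identity.rsplit("@", 1)[-1].lower())
    return passed


def whitelist_applies(from_domain: str, user: str, auth_results: str) -> bool:
    """True only if a reviewed entry covers from_domain for this user AND the
    same domain (exact match; no relaxed/organisational alignment) passed
    SPF or DKIM. A pass for any other domain does not count."""
    domain = from_domain.lower()
    entry = WHITELIST.get(domain)
    if entry is None or entry["reviewed_by"] is None:
        return False  # unknown, or added by a user but never reviewed
    if entry["scope"] not in ("site", f"user:{user}"):
        return False  # another user's personal whitelist does not apply
    return domain in authenticated_domains(auth_results)


if __name__ == "__main__":
    hdr = ("mx.example.ac.uk; spf=pass (ip ok) smtp.mailfrom=bounce@sussex.ac.uk; "
           "dkim=pass header.d=sussex.ac.uk header.i=@sussex.ac.uk")
    print(whitelist_applies("sussex.ac.uk", "bob", hdr))  # True
```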