[Asrg] mail security
Ian Eiloart
iane at sussex.ac.uk
Fri Jan 23 03:00:26 PST 2009
--On 22 January 2009 11:07:20 -0500 Rich Kulawiec <rsk at gsp.org> wrote:
> On Wed, Jan 21, 2009 at 11:43:39AM +0000, Ian Eiloart wrote:
>> Agreed. That's why I'm discussing SPF or DKIM with a reputation service.
>> In the first instance, my reputation service is going to be a local
>> whitelisting mechanism. I'll probably have some domains whitelisted for
>> my entire site. Perhaps all .ac.uk domains, for example. Then I'll allow
>> users to whitelist domains and addresses that they trust. However, the
>> whitelisting mechanism will rely on an SPF or DKIM pass.
>
> Even if you go that route -- and I'll skip getting into its intrinsic
> merits and problems here -- I think you shouldn't allow users to whitelist
> *anything*, ever, without manual review by qualified personnel, for
> at least two reasons I can think of.
Well, I don't think we have the staff capacity to do that. I guess we might
require review when entire domains are whitelisted, and I guess that if
we're permitting one person to whitelist a domain, then we should permit
anyone to whitelist that domain.
Of course, if a domain doesn't have an SPF or DKIM record, then we won't
let anyone whitelist it or any address in that domain. And, if a message
doesn't have a positive SPF or DKIM match, we'll ignore the whitelist entry
- or perhaps warn the recipient if we don't accept the message.
I don't know how I could be a better judge than a user about whether they
want to whitelist a specific email address. However, we could present them
with a warning if they try to list an address (in a domain)? with a poor
rating in our reputation service. The point here is that permitting address
A to email address B only exposes one person to risk - the person doing the
whitelisting.
Oh, and I'd never allow any email (other than to postmaster@ or abuse@) to
bypass our malware filter. That would turn a spam threat to an individual
into a threat to our network.
>
> First, users have very poor skills in this area. (Not their fault,
> really, it's not their gig.) We can tell how poor their skills are by
> a number of methods, but I think the most obvious is: if they were
> any good at it, then phishing would be an inconsequential problem.
>
> Another way to tell is to monitor outbound SMTP and HTTP requests
> and note which ones have been directed to known-fraudulent domains.
> I see this constantly, even in environments where users have been
> told ad infinitum to never reply to a suspected spam/phish, never
> to follow any links in them, etc. (In some environments, I block them.
> I'm beginning to think that's a best practice, even in cases where
> subsequently the real targets have acquired the phisher domains,
> as I think they know never to use them.)
>
> Second, how do you know that it's actually the users doing this?
>
> I'm not saying that you shouldn't maintain something along the lines
> of a whitelist, or an exempted-from-blacklist, or some other function.
> I'm saying that nothing should ever go into that list until somebody who
> knows about DNS and WHOIS and is appropriately paranoid has looked at it.
>
> ---Rsk
--
Ian Eiloart
IT Services, University of Sussex
x3148
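The whitelist policy sketched in this reply (an entry only counts when the message carries an SPF or DKIM pass for the listed domain, entries can only be added for domains that publish such records, and nothing bypasses the malware filter) as an added Python example; it is not code from the thread or from any mail system. The Authentication-Results header layout, the sample whitelist contents and the `has_spf_or_dkim` DNS-lookup callable are assumptions of this example.

```python
import re

# Constructed sample whitelists: a site-wide domain list and per-user address lists.
SITE_DOMAINS = {"ac.uk"}                              # covers every *.ac.uk sender
USER_LISTS = {"bob@example.edu": {"alice@example.org"}}

def authenticated_domains(auth_results):
    """Domains with an SPF pass (smtp.mailfrom) or DKIM pass (header.d) in an
    Authentication-Results header written by our own MX (RFC 8601-style
    method=result tokens; upstream copies of the header must be stripped first)."""
    found = set()
    for m in re.finditer(r"\b(spf|dkim)=pass\b([^;]*)", auth_results, re.I):
        key = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
        d = re.search(re.escape(key) + r"=(?:[^@\s]+@)?([\w.-]+)", m.group(2), re.I)
        if d:
            found.add(d.group(1).lower())
    return found

def add_user_entry(recipient, address, has_spf_or_dkim):
    """Accept a per-user entry only if the address's domain publishes SPF or DKIM.
    has_spf_or_dkim is an assumed DNS lookup callable (stubbed in tests)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if not has_spf_or_dkim(domain):
        return False
    USER_LISTS.setdefault(recipient.lower(), set()).add(address.lower())
    return True

def is_listed(recipient, sender):
    """True if the sender's domain is site-whitelisted or the address is on the
    recipient's own list."""
    domain = sender.rsplit("@", 1)[-1].lower()
    site = any(domain == d or domain.endswith("." + d) for d in SITE_DOMAINS)
    return site or sender.lower() in USER_LISTS.get(recipient.lower(), set())

def disposition(recipient, sender, auth_results, malware_found):
    """Malware verdict always wins; a whitelist entry is honoured only when the
    sender's own domain passed SPF or DKIM; otherwise normal filtering applies
    (the unauthenticated case is flagged so the recipient can be warned)."""
    if malware_found:
        return "reject-malware"
    if not is_listed(recipient, sender):
        return "filter"
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in authenticated_domains(auth_results):
        return "whitelist"
    return "filter-unauthenticated"
```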