Re: [Asrg] whitelisting links (was Re: misconception in SPF)

Steve Atkins <steve@blighty.com> Mon, 10 December 2012 20:41 UTC

Return-Path: <steve@blighty.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44F1721F851E for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 12:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdSiqX-f2L+i for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 12:41:49 -0800 (PST)
Received: from m.wordtothewise.com (misc.wordtothewise.com [184.105.179.154]) by ietfa.amsl.com (Postfix) with ESMTP id AD52621F8512 for <asrg@irtf.org>; Mon, 10 Dec 2012 12:41:49 -0800 (PST)
Received: from [192.168.80.21] (204.11.227.194.static.etheric.net [204.11.227.194]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: steve) by m.wordtothewise.com (Postfix) with ESMTPSA id B65E22E192 for <asrg@irtf.org>; Mon, 10 Dec 2012 12:41:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wordtothewise.com; s=1.wttw; t=1355172107; bh=Dg2kQxtivaSZpF5JjUxaWP7Sg28SoYrVg2JokLOM7bw=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date: Content-Transfer-Encoding:Message-Id:References:To; b=nF0oDiDW/debrEzmqZQdc9BL+DfD2xCkaMjMtSTxdvKW3nLfQEV+IcfnER+7zyw9u Z66iaPy7ASCxF1ZHAlyJC8x685WRxz0/tLgDhini8vbBw+G7sre1BV50yG1bcB4EjV 2n/gYfppUQ6zwjys4zNXbOEqt/Ff9rf//PI7c/aw=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Steve Atkins <steve@blighty.com>
In-Reply-To: <50C644F6.3090901@pscs.co.uk>
Date: Mon, 10 Dec 2012 12:41:44 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <69AD22AF-9494-44EB-AC86-75ED04E7AE3A@blighty.com>
References: <20121206212116.10328.qmail@joyce.lan> <50C1A95A.5000001@pscs.co.uk> <50C4A7F8.3010201@dcrocker.net> <CAFdugamTbTirVV2zXKOmc9oTaCS+QiTemhT=jvYJnHYscHQK7g@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACE6D0@ABN-EXCH1A.green.sophos> <20121209213307.D90C12429B@panix5.panix.com> <CAFduganBR_E-ui-3Xbic6F7qSmg1-Q+ideXLvb+1isLz8OF0Nw@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACFFE1@ABN-EXCH1A.green.sophos> <50C5A9A0.105@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD01B2@ABN-EXCH1A.green.sophos> <20121210145627.GA21217@gsp.org> <50C6121D.9040607@dcrocker.net>, <50C617A2.8090602@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD5E36@ABN-EXCH1A.green.sophos> <50C644F6.3090901@pscs.co.uk>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [Asrg] whitelisting links (was Re: misconception in SPF)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 20:41:50 -0000

On Dec 10, 2012, at 12:24 PM, Paul Smith <paul@pscs.co.uk> wrote:

> On 10/12/2012 18:23, Martijn Grooten wrote:
>>> I'd say yes because it would probably
>>> catch 99% of the bad links that I see in phishing/spam
>> No it would not, not even close to that. A lot of spam links to legitimate but compromised domains.
> Maybe - but most of those compromised domains are not domains which the user would normally go to.
> 
> So, even if the link is to a 'legitimate' domain, the vast majority would be to domains which the user does not recognise. So, it would catch those.
> 
> Remember, the idea wasn't to have a 'global' list of 'good domains', but ones which the *user* has whitelisted, so the user recognises them.

If it's user managed - rather than managed by a third party that actually keeps track of who is a bank and who isn't - I'd guess it'd just lead to meta-phishing, where the goal is to get the user to add a link to their whitelist, rather than having them click on a link.

Cheers,
  Steve