Re: [Asrg] whitelisting links (was Re: misconception in SPF)

Paul Smith <paul@pscs.co.uk> Mon, 10 December 2012 17:20 UTC

Return-Path: <prvs=0691FCDE2A=paul@pscs.co.uk>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEF521F8557 for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 09:20:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raXOt303frfN for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 09:20:29 -0800 (PST)
Received: from mail.pscs.co.uk (mail.pscs.co.uk [188.65.177.237]) by ietfa.amsl.com (Postfix) with ESMTP id BE6BC21F8552 for <asrg@irtf.org>; Mon, 10 Dec 2012 09:20:28 -0800 (PST)
Received: from lmail.pscs.co.uk ([82.68.5.206]) by mail.pscs.co.uk ([188.65.177.237] running VPOP3) with ESMTP; Mon, 10 Dec 2012 17:32:55 -0000
Received: from [192.168.66.100] ([192.168.66.100]) by lmail.pscs.co.uk ([192.168.66.70] running VPOP3) with ESMTP; Mon, 10 Dec 2012 17:10:58 -0000
Message-ID: <50C617A2.8090602@pscs.co.uk>
Date: Mon, 10 Dec 2012 17:10:58 +0000
From: Paul Smith <paul@pscs.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: dcrocker@bbiw.net, Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20121206212116.10328.qmail@joyce.lan> <50C1A95A.5000001@pscs.co.uk> <50C4A7F8.3010201@dcrocker.net> <CAFdugamTbTirVV2zXKOmc9oTaCS+QiTemhT=jvYJnHYscHQK7g@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACE6D0@ABN-EXCH1A.green.sophos> <20121209213307.D90C12429B@panix5.panix.com> <CAFduganBR_E-ui-3Xbic6F7qSmg1-Q+ideXLvb+1isLz8OF0Nw@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACFFE1@ABN-EXCH1A.green.sophos> <50C5A9A0.105@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD01B2@ABN-EXCH1A.green.sophos> <20121210145627.GA21217@gsp.org> <50C6121D.9040607@dcrocker.net>
In-Reply-To: <50C6121D.9040607@dcrocker.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V6.0 - Registered
X-Organisation: Paul Smith Computer Services
Cc: Dave Crocker <dhc@dcrocker.net>
Subject: Re: [Asrg] whitelisting links (was Re: misconception in SPF)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 17:20:30 -0000

On 10/12/2012 16:47, Dave Crocker wrote:
>
> On 12/10/2012 6:56 AM, Rich Kulawiec wrote:
>>  We see examples all day, every day, of sites
>> that have been hijacked by attackers and now host malicious content 
>> where
>> formerly there was something innocuous.
> ...
>> To wit: users should never follow "important" links in email.  They
>> should (for example) bookmark their bank's web site, and *always*
>> use the bookmark.
>
>
> There is the kernel of an implementable idea here:
>
>    1.  Create a whitelist of links the user employs regularly through 
> its browser.  For an extra measure of safety, query the user about how 
> much they 'trust' the site associated with each link.  (The question 
> needs to be put to them with better language than asking about trust.)
>
>    2.  Have the email client distinguish between links that are 
> whitelisted and those that aren't.
>
> I don't have any idea how much incremental safety this actually would 
> provide, but I think it's worthy of testing.
Surely this would be a browser feature (or 'Internet Security Software' 
feature) rather than an email client feature.

The email client will not necessarily have any access to web browser 
history.

The web browser should know that being called from an email client is 
'different' from the user clicking on a bookmark or typing in a URL in 
the browser. Then, the browser could say to the user 'You've never 
accessed this site before, are you sure you want to do it?', or whatever.

The problem is that to have any idea of reputation you'd have to go on 
the hostname, not the full URL, as many email URLs will be 'unique' to 
have some tracking information in them (yes, I know it's bad, but you 
won't get banks to get rid of that, unfortunately), so each email will 
have different URLs in, even if the final destination is the same.

So, the question is, is having a hostname reputation for the user better 
than having no reputation, or not? I'd say yes because it would probably 
catch 99% of the bad links that I see in phishing/spam; others would say 
no because it won't catch 100%.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
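The hostname-level reputation check Paul describes, as an added example that is not part of the list post or of any product mentioned in it. It assumes a set of hostnames the user has already reached through the browser (constructed here as VISITED_HOSTS) and classifies links found in a message by hostname only, so that URLs that differ only by a tracking token all map to the same reputation entry. The hostname is taken with urllib's urlsplit, which resolves the authority the way a browser does (host after any userinfo, before any port), so the check is not fooled by a bank's name appearing in the userinfo part of the URL.

```python
"""Hostname-level reputation for links found in email.

Added example (not from the ASRG thread). The set of hostnames the user has
visited from the browser acts as a personal whitelist; links in a message
whose hostname is not in that set are reported as 'unvisited'. Comparison is
on the hostname only, because tracking parameters make every email URL unique
even when the destination is the same.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: hostnames the user reached via bookmarks or typed URLs.
# Stored lower-cased, without scheme or port, as link_hostname() returns them.
VISITED_HOSTS = {
    "www.example-bank.com",
    "secure.example-bank.com",
    "www.example.org",
}


def link_hostname(url: str) -> Optional[str]:
    """Return the normalised hostname a link would actually connect to.

    urlsplit() takes the host from the authority after any userinfo and before
    any port, so 'https://secure.example-bank.com@203.0.113.7/' yields
    '203.0.113.7', not the bank's name. A link with no scheme at all is assumed
    to be http so that 'www.example.org/page' still parses; a bare
    'host:port/path' is not special-cased and comes back as None.
    """
    parts = urlsplit(url)
    if not parts.scheme:
        parts = urlsplit("http://" + url)
    if parts.scheme not in ("http", "https"):
        return None  # mailto:, javascript:, etc. get no hostname reputation
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped, no port
    if not host:
        return None
    return host.rstrip(".")  # 'example.org.' and 'example.org' are the same host


def classify_link(url: str, visited_hosts=VISITED_HOSTS) -> str:
    """'known' if the hostname was visited before, else 'unvisited'.

    Links that yield no http(s) hostname are 'unparseable' so the caller can
    treat them with the same caution as unvisited ones.
    """
    host = link_hostname(url)
    if host is None:
        return "unparseable"
    return "known" if host in visited_hosts else "unvisited"


def classify_message_links(urls, visited_hosts=VISITED_HOSTS) -> dict:
    """Classify every link in a message; returns {url: verdict}."""
    return {u: classify_link(u, visited_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed sample links: the first two differ only by a tracking token
    # and both resolve to a known host; the others show what the hostname
    # check flags (a host never visited, a decoy in the userinfo part) and
    # what it deliberately leaves alone (a non-http link).
    sample = [
        "https://secure.example-bank.com/login?track=a1b2c3",
        "https://secure.example-bank.com/login?track=z9y8x7",
        "https://secure.example-bank.com.example.net/login",
        "https://secure.example-bank.com@203.0.113.7/login",
        "WWW.EXAMPLE.ORG/newsletter",
        "mailto:helpdesk@example-bank.com",
    ]
    for url, verdict in classify_message_links(sample).items():
        print(f"{verdict:12s} {url}")
```

The verdict is only as good as the visited-hosts set: it says nothing about whether a known host has since been compromised (Rich's point earlier in the thread), and it treats every subdomain as a distinct host, so a bank that sends mail linking to a host the user has never typed will show up as 'unvisited' until the user has reached it through the browser once.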