Re: [Asrg] whitelisting links (was Re: misconception in SPF)
Christian Grunfeld <christian.grunfeld@gmail.com> Tue, 11 December 2012 03:36 UTC
A few hours ago a dozen people killed me on the list because I told my users to check hostnames on email headers. You said that end users don't have the skill level or the time to do it. Now, a "great idea" of making a whitelist of what users click on their email and also asking them why they click what they click comes!

How do you treat shortened/obfuscated/tracking URLs? You are underestimating phishers as if they write links like http://www.google.com. A link to the same location can be http://bit.ly/someobfuscatedstring. And you are also overestimating the end users as if they were "matrix operators". The user can simply answer you: "I trust it because the link takes me to google"

What domain/hostname do you use in reputation? bit.ly?

This "whitelist" can be poisoned by sending a first email pointing to the good location. Then you add bit.ly to your list ... then I send a second email pointing to an evil location!

C.

P.S. for those with linear reasoning, stop before writing "people should use www.google.com when they want to go to www.google.com". It was an example!

2012/12/10 Paul Smith <paul@pscs.co.uk>:
> On 10/12/2012 16:47, Dave Crocker wrote:
>>
>>
>> On 12/10/2012 6:56 AM, Rich Kulawiec wrote:
>>>
>>> We see examples all day, every day, of sites
>>> that have been hijacked by attackers and now host malicious content where
>>> formerly there was something innocuous.
>>
>> ...
>>>
>>> To wit: users should never follow "important" links in email. They
>>> should (for example) bookmark their bank's web site, and *always*
>>> use the bookmark.
>>
>>
>>
>> There is the kernel of an implementable idea here:
>>
>> 1. Create a whitelist of links the user employs regularly through its
>> browser. For an extra measure of safety, query the user about how much they
>> 'trust' the site associated with each link. (The question needs to be put
>> to them with better language than asking about trust.)
>>
>> 2. Have the email client distinguish between links that are
>> whitelisted and those that aren't.
>>
>> I don't have any idea how much incremental safety this actually would
>> provide, but I think it's worthy of testing.
>
> Surely this would be a browser feature (or 'Internet Security Software'
> feature) rather than an email client feature.
>
> The email client will not necessarily have any access to web browser
> history.
>
> The web browser should know that being called from an email client is
> 'different' from the user clicking on a bookmark or typing in a URL in the
> browser. Then, the browser could say to the user 'You've never accessed this
> site before, are you sure you want to do it?', or whatever
>
> The problem is that to have any idea of reputation you'd have to go on the
> hostname, not the full URL, as many email URLs will be 'unique' to have some
> tracking information in them (yes, I know it's bad, but you won't get banks
> to get rid of that, unfortunately), so each email will have different URLs
> in, even if the final destination is the same.
>
> So, the question is, is having a hostname reputation for the user better
> than having no reputation, or not? I'd say yes because it would probably
> catch 99% of the bad links that I see in phishing/spam, others would say no
> because it won't catch 100%.
>
>
>
> -
>
> Paul Smith Computer Services
> Tel: 01484 855800
> Vat No: GB 685 6987 53
>
> _______________________________________________
> Asrg mailing list
> Asrg@irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
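
An added example (not part of the original message, and not code from any participant in the thread) of the whitelist poisoning described above, next to one way a per-user hostname reputation could avoid it: score the final destination and never whitelist a shared redirector. The `REDIRECTORS` set, the redirect table and `evil.example` are constructed assumptions; a real client would have to follow the redirect over the network at click time.

```python
from urllib.parse import urlsplit

# Assumption: hosts known to forward to arbitrary third-party destinations.
REDIRECTORS = {"bit.ly"}

# Constructed stand-in for following redirects, so the example runs offline.
CONSTRUCTED_REDIRECTS = {
    "http://bit.ly/aaa111": "http://www.google.com/",
    "http://bit.ly/bbb222": "http://evil.example/login",
}

def hostname(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

class NaiveReputation:
    """Whitelists the hostname that appears in the link the user clicked."""
    def __init__(self):
        self.trusted = set()
    def record_click(self, url):
        self.trusted.add(hostname(url))
    def is_trusted(self, url):
        return hostname(url) in self.trusted

class DestinationReputation(NaiveReputation):
    """Scores the final destination; a redirector never earns reputation."""
    def _final_host(self, url):
        seen = set()
        while hostname(url) in REDIRECTORS and url not in seen:
            seen.add(url)
            url = CONSTRUCTED_REDIRECTS.get(url, "")  # unknown -> unresolved
        host = hostname(url)
        return None if not host or host in REDIRECTORS else host
    def record_click(self, url):
        host = self._final_host(url)
        if host:
            self.trusted.add(host)
    def is_trusted(self, url):
        return self._final_host(url) in self.trusted

def poisoning_demo():
    """First mail carries the benign short link, second mail the evil one."""
    good, evil = "http://bit.ly/aaa111", "http://bit.ly/bbb222"
    results = {}
    for cls in (NaiveReputation, DestinationReputation):
        rep = cls()
        rep.record_click(good)  # user clicks the link from the first mail
        results[cls.__name__] = (rep.is_trusted(good), rep.is_trusted(evil))
    return results
```

The naive store trusts both links after one click because both share the hostname `bit.ly`; the destination-keyed store trusts only the link that resolves to the host the user actually visited.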