Re: [Asrg] whitelisting links (was Re: misconception in SPF)

Rich Kulawiec <> Tue, 11 December 2012 13:37 UTC

I think we're getting into a number of overlapping problems here, most
of which are caused by the use of worst practices (e.g., HTML in email,
outsourced email, use of URL shorteners, web sites that load JavaScript
from a dozen different sources[1], financial institutions that are
training their customers to be phish victims, etc.)

I don't think we can solve or even capably attack any of these issues
at the MTA or MUA, so I'll suggest they may be out-of-scope here.

My suggestion that users bookmark their most-used/most-critical web
sites (in their web browser) is actually unrelated to email: that is,
I don't think anyone should ever read their email with a web browser or
with a mail client that has web browser features.  I regard doing so as
a catastrophic security failure, one that can't be mitigated no matter
how many layers of code are placed around or on top of it.

So to clarify: this is an entirely manual process, but since it need
only be done once per site and since it need only be done for "important"
sites (in the view of the user) I regard the effort as minimal.
Unfortunately, few users have the self-discipline required to always
use those bookmarks, doubly so given that they're going to receive
email containing links from the very institutions that they would be
most likely to bookmark.  (See "training customers to be phish victims".)


[1] Using NoScript makes this problem highly visible.