Security Basics mailing list archives
RE: Spam prevention vs mitigation
From: "Joseph Laico" <LAICO () 0IS US>
Date: Thu, 12 Apr 2012 17:56:57 -0400
Sadly, you must be employed by a jackass company. Curtailing spam is addressable, but eliminating it for good is analogous to telling the computer it can never be compromosed in the course of its shelf life. As with all things in life common sense does not always prevail and perception is why some Bosses should be jelly donut stuffers rather than Supervisors. Having dealt with so many who lack the skill set and the common sense in business you learn to accept the dumb more frequently then the smart. SPAM is an integral part of technology as are Infomercials, and Junk Mail from the USPS. Whether you categorize it as a nusance, malicious, solicitation, or just a plain waste of time and productivity it all amounts to acknowledging its part of the technology equation. Seldom does anything change when it comes to the human psyche therefore its impossible to eliminate it and if you try to hard you may why up creating more of a issue. The unethical hacker is smart, very smart, do not underestimate his or hers ability to compromise your platform, painting the target will challenge someone a lot more savy to breach your platform. Dealing with the infinitesimal amount of spam you receive daily is acceptable, Postini should have only 3 to 6 a day let alone hundreds daily. You also run the risk of the many listings from Grey to Black should you become a target for someones desire to prove you otherwise, anything I repeat anything given enough time, resources and passion are thrown at it can be compromised, for every move there will always be a counter move, tell your Boss you truly don't want to motivate a hacker to use your platform as the proving grounds. In summation, tell your Boss he or she is truly a pathetic individual if that's all they can focus on, surely there are more important issues at hand. Good Luck, Joe -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos Sent: Thursday, April 12, 2012 1:37 PM To: Steve Sirag Cc: security-basics () securityfocus com Subject: Re: Spam prevention vs mitigation Steve Sirag <stevesirag () gmail com> writes:
Hi, My bosses are demanding 100% spam prevention,
Tell them some guy on the Internet said that the only way to do that is shut down the email server. I'll be your fall guy.
and I'd like to find some industry papers, articles, etc that explains why that's not advisable (if even possible). My understanding is that spam mitigation is the goal, keeping spam down to where it's not a distraction from business. Our current spam level is roughly 3-6 spams received per user per day. That seems manageable to me, but I'd like the extra ammunition going into the meeting. Can anyone help?
If you were to try to make that argument, the counterpoint would be "Okay, what if the 6 that get through are phishes that have malicious links to recently registered domains or have malicious attachments that invariably people will click on, that leverage exploits for things the machine isn't patched against, and they lead to compromises of the local machine because no one has done the hard work and planning it takes to strip users of local admin rights?" And then parlay this discussion into perhaps getting some funding to do user education about security threats and how to respond, do some shootouts of new gateway mail solutions (that may have AV and threat protection that looks at more than just signatures of attachments), web gateway solutions that look at IP, URL reputation as well as scan for malware, privileged identity management solutions as well as political capital to wrestle admin privs away from users who don't need it, and for those who have it, make sure they can't be sufing the web while logged in as admin? Leave no crisis unexploited. :-) That said, what's acceptable risk to business will vary by business. You can make the case with simple logic that no signature based classifier will achieve 0 false negatives without also generating false positives--ask if they're willing for business critical email to get caught up in the spam filter, and if it does will your current solution give end users a way to retrieve it? The story is the same in AV land -- if AV heuristics trying to catch unknown and suspicious files are tuned too tight, legit files invariably end up getting blocked. The inconvenience of those 5 or 6 emails a day is the lesser concern to the likelihood of compromise an email received by a typical user that contains a malicious link or attachment. That said, I think it's safe to say that over the past weeks, the incoming volume of phishing like this has surely been on the uptick. Best Regards, -- Todd Haverkos, LPT MsCompE http://haverkos.com/ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727 d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- RE: Spam prevention vs mitigation, (continued)
- RE: Spam prevention vs mitigation Ivan Carlos (Apr 12)
- Re: Spam prevention vs mitigation List Man (Apr 12)
- RE: Spam prevention vs mitigation Erik Soosalu (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Steve Melcher (Apr 12)
- Re: Spam prevention vs mitigation Clint Davis (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Gillmer, Renier, VF-NZ (Apr 15)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- Re: Spam prevention vs mitigation Todd Haverkos (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Joseph Laico (Apr 12)
- Re: Spam prevention vs mitigation Ansgar Wiechers (Apr 15)
- RE: Spam prevention vs mitigation Mike Saldivar (Apr 15)
- RE: Spam prevention vs mitigation Vincent Yeo (Apr 15)
- Re: Spam prevention vs mitigation kartik . netsec (Apr 15)
- Re: Spam prevention vs mitigation rmassanet (Apr 16)
- Re: Spam prevention vs mitigation David Gillett (Apr 18)
- Re: Spam prevention vs mitigation Michael Painter (Apr 19)