PaulDotCom mailing list archives
Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Jamil Ben Alluch <jamil () autronix com>
Date: Tue, 1 Jul 2014 12:52:53 -0400
That's what I am wondering. I've read the CASL in its entirety and it gives very little room to do anything without an opt-in.

Then again, fake opt-ins could be crafted, but since you are sending to individual employees' user addresses, I am not quite sure how it would fall into the legislation, because, from my understanding, it would still qualify as commercial communication.

--
Jamil Ben Alluch, ing. jr, GCIH
<http://www.autronix.com>
Information Technology & Security Consulting
jamil () autronix com
+1-819-923-3012
+1-877-564-7656 e.123

On Tue, Jul 1, 2014 at 12:03 PM, Ty Purcell <TPurcell () ffin com> wrote:
Jamil,

Is there the possibility of properly crafting the Statement of Work and Rules of Engagement to comply with the law while also meeting your pentest operational needs?

Ty

------------------------------
From: gpwn-list on behalf of Jamil Ben Alluch
Sent: Tuesday, July 01, 2014 10:36:16 AM
To: advisory-board-open () lists sans org; gpwn-list () lists sans org; Security Weekly Mailing List
Subject: [GPWN-list] Pen Testing and the Canadian anti-spam law

Hello,

I wanted to get some points of view in regards to the newly implemented anti-spam law that entered into effect today in Canada.

There are cases where during pen-testing projects, we are in a way required to send emails in order to test out phishing attempts, malware downloads, etc. These would have to be crafted in a way that is appealing to the targeted end-user and often will have some kind of appealing sales connotation or fake business application.

Now according to the CASL <http://fightspam.gc.ca/>, this would entitle senders to up to CA$1,000,000 in fines, if you are an individual, and $10,000,000 in fines if you are a business.

Obviously in our line of work, in order to perform our duties as pen-testers, this could turn out to be a problem and remove the possibility of trying out sets of attack vectors relying on emails.

I'd like to get some opinions on this matter.

Best Regards,

--
Jamil Ben Alluch, ing. jr, GCIH
<http://www.autronix.com>
Information Technology & Security Consulting
jamil () autronix com
+1-819-923-3012
+1-877-564-7656 e.123
_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com
Current thread:
- [Security Weekly] Pen Testing and the Canadian anti-spam law Jamil Ben Alluch (Jul 02)
- Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law Ty Purcell (Jul 02)
- Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law Jamil Ben Alluch (Jul 02)
- Re: [Security Weekly] [advisory-board-open] Pen Testing and the Canadian anti-spam law Adrien de Beaupre (Jul 09)
- Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law Ty Purcell (Jul 02)