Security Basics mailing list archives

Re: Spam prevention vs mitigation


From: Champ Clark III <cclark () quadrantsec com>
Date: Thu, 12 Apr 2012 17:56:16 -0400

One thing to keep in mind (from my own personal experience).

"You can please some of the people some of the time,  but you can't
please all the people all of the time".

That is: if you make the filters too restrictive, expect calls about
people "not getting mail". If you don't make them restrictive enough,
then expect calls that people are getting spam.

I've _literally_ within a few minute period gotten two calls. One
person stating that, "Your spam filtering policy is too strict! We're
not getting some emails!". Then 5 minutes later, get a call from the
_same_ organization stating, "I'm getting too much spam, can't you
make the filters _more strict_!".

Damned if you do, damned if you don't. You can only try to walk the
fine line as best you can.

Typically I even explain this to people who are complaining. If
they're complaining about getting a handful of spams (or worse yet,
crap mailing lists they signed up for unknowingly), it makes me want
to scream.

Since they don't "see" the spam they're not getting (usually), you can
offer to "turn it off for a day" and see how they feel about it! :)


On 4/12/12 1:37 PM, Todd Haverkos wrote:
Steve Sirag <stevesirag () gmail com> writes:

Hi,

My bosses are demanding 100% spam prevention,

Tell them some guy on the Internet said that the only way to do
that is shut down the email server.   I'll be your fall guy.

and I'd like to find some industry papers, articles, etc that 
explains why that's not advisable (if even possible).  My 
understanding is that spam mitigation is the goal, keeping spam
down to where it's not a distraction from business.  Our current
spam level is roughly 3-6 spams received per user per day.  That
seems manageable to me, but I'd like the extra ammunition going
into the meeting.

Can anyone help?

If you were to try to make that argument, the counterpoint would
be "Okay, what if the 6 that get through are phishes that have
malicious links to recently registered domains or have malicious
attachments that invariably people will click on, that leverage
exploits for things the machine isn't patched against, and they
lead to compromises of the local machine because no one has done
the hard work and planning it takes to strip users of local admin
rights?"

And then parlay this discussion into perhaps getting some funding
to do user education about security threats and how to respond, do
some shootouts of new gateway mail solutions (that may have AV and
threat protection that looks at more than just signatures of
attachments), web gateway solutions that look at IP, URL reputation
as well as scan for malware, privileged identity management
solutions as well as political capital to wrestle admin privs away
from users who don't need it, and for those who have it, make sure
they can't be surfing the web while logged in as admin?

Leave no crisis unexploited.  :-)

That said, what's acceptable risk to business will vary by
business. You can make the case with simple logic that no signature
based classifier will achieve 0 false negatives without also
generating false positives--ask if they're willing for business
critical email to get caught up in the spam filter, and if it does
will your current solution give end users a way to retrieve it?
The story is the same in AV land -- if AV heuristics trying to
catch unknown and suspicious files are tuned too tight, legit files
invariably end up getting blocked.

The inconvenience of those 5 or 6 emails a day is the lesser
concern compared to the likelihood of compromise from an email
received by a typical user that contains a malicious link or
attachment.

That said, I think it's safe to say that over the past weeks, the 
incoming volume of phishing like this has surely been on the
uptick.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

-- 
- Champ Clark III (cclark () quadrantsec com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A