Security Basics mailing list archives
Re: Spam prevention vs mitigation
From: Champ Clark III <cclark () quadrantsec com>
Date: Thu, 12 Apr 2012 17:56:16 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On thing to keep in mind (from my own personal experience). "You can please some of the people some of the time, but you can't please all the people all of the time". That is; If you make the filters to restrictive, expect calls about people "not getting mail". If you don't make them restrictive enough, then expect calls that people are getting spam. I've _literally_ within a few minute period gotten two calls. One person stating that, "You're spam filtering policy it to strict! We're not getting some emails!". Then 5 minutes later, get a call from the _same_ organization stating, "I'm getting to much spam, can't you make the filters _more strict_!". Damned if you do, damned if you don't. You can only try to walk to fine line as best you can. Typically I even explain this to people who are complaining. If they're complaining about getting a handful of spams (or worst yet, crap mailing list they signed up for unknowingly), it makes me want to scream. Since they don't "see" the spam they're not getting (usually), you can offer to "turn if off for a day" and see how they feel about it ! :) On 4/12/12 1:37 PM, Todd Haverkos wrote:
Steve Sirag <stevesirag () gmail com> writes:Hi, My bosses are demanding 100% spam prevention,Tell them some guy on the Internet said that the only way to do that is shut down the email server. I'll be your fall guy.and I'd like to find some industry papers, articles, etc that explains why that's not advisable (if even possible). My understanding is that spam mitigation is the goal, keeping spam down to where it's not a distraction from business. Our current spam level is roughly 3-6 spams received per user per day. That seems manageable to me, but I'd like the extra ammunition going into the meeting. Can anyone help?If you were to try to make that argument, the counterpoint would be "Okay, what if the 6 that get through are phishes that have malicious links to recently registered domains or have malicious attachments that invariably people will click on, that leverage exploits for things the machine isn't patched against, and they lead to compromises of the local machine because no one has done the hard work and planning it takes to strip users of local admin rights?" And then parlay this discussion into perhaps getting some funding to do user education about security threats and how to respond, do some shootouts of new gateway mail solutions (that may have AV and threat protection that looks at more than just signatures of attachments), web gateway solutions that look at IP, URL reputation as well as scan for malware, privileged identity management solutions as well as political capital to wrestle admin privs away from users who don't need it, and for those who have it, make sure they can't be sufing the web while logged in as admin? Leave no crisis unexploited. :-) That said, what's acceptable risk to business will vary by business. You can make the case with simple logic that no signature based classifier will achieve 0 false negatives without also generating false positives--ask if they're willing for business critical email to get caught up in the spam filter, and if it does will your current solution give end users a way to retrieve it? The story is the same in AV land -- if AV heuristics trying to catch unknown and suspicious files are tuned too tight, legit files invariably end up getting blocked. The inconvenience of those 5 or 6 emails a day is the lesser concern to the likelihood of compromise an email received by a typical user that contains a malicious link or attachment. That said, I think it's safe to say that over the past weeks, the incoming volume of phishing like this has surely been on the uptick. Best Regards, -- Todd Haverkos, LPT MsCompE http://haverkos.com/ ------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
- ------------------------------------------------------------------------
- -- - - Champ Clark III (cclark () quadrantsec com) Quadrant Information Security (http://quadrantsec.com) Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A GPG Key ID: 0381878A -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPh0+AAAoJENnmXt7Lmc3KXV8IAJIIwhbzK36aa4OV7poLBWyA v1aYiGIOYd3CRX6jNS6y18JQSMW/ukqQNpAlYxhdfctrC6OeDoXWjeHDWMeSSZ45 E448V0zCVV7Oa9rUuUKLo07nOeh8FUfEn0Uhq6GlZ56QwFOIj0M4cp25rI7b9g4M 3FJATOt+H8YmV4GgNkL21xA6t1TIf5pHMc4EOtXB0JlCBrYkzNhEUgKfer3MobP5 jLfw6Oc7g0BVdHXlWt5Vwii2/6Aa+3v9fLrwtiUPLLQongeQfdZS36GzwIEeQjJD VxMKu5Da7zXeNmiY7si4JYFwWT0bTu7lQar5bhqEutiFaPlbGRh1dUbs7U1Qysc= =mdDx -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Spam prevention vs mitigation Steve Sirag (Apr 12)
- RE: Spam prevention vs mitigation Ivan Carlos (Apr 12)
- Re: Spam prevention vs mitigation List Man (Apr 12)
- RE: Spam prevention vs mitigation Erik Soosalu (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Steve Melcher (Apr 12)
- Re: Spam prevention vs mitigation Clint Davis (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Gillmer, Renier, VF-NZ (Apr 15)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- Re: Spam prevention vs mitigation Todd Haverkos (Apr 12)
- Re: Spam prevention vs mitigation Champ Clark III (Apr 12)
- RE: Spam prevention vs mitigation Joseph Laico (Apr 12)
- Re: Spam prevention vs mitigation Ansgar Wiechers (Apr 15)
- RE: Spam prevention vs mitigation Mike Saldivar (Apr 15)
- <Possible follow-ups>
- RE: Spam prevention vs mitigation Vincent Yeo (Apr 15)
- Re: Spam prevention vs mitigation kartik . netsec (Apr 15)
- Re: Spam prevention vs mitigation rmassanet (Apr 16)
- Re: Spam prevention vs mitigation David Gillett (Apr 18)
- Re: Spam prevention vs mitigation Michael Painter (Apr 19)