Filtering needs: Whitelisting
Question asked by Douglas Foster - 9/25/2023 at 10:11 PM
Unanswered
Because Content Filtering uses heuristics, it is expected to produce some false positives. These are handled with whitelisting rules which state, "Messages with this specific identifier configuration are exempt from (some or all) content filtering."

However, whitelisting becomes very dangerous if an attacker impersonates that identifier configuration and the evaluator does not require sender authentication. But IETF says authentication is only defined if the sender chooses to configure a policy (and does so correctly). This does not meet the evaluator's need to provide authentication anytime that a message source needs to be whitelisted.

Typical scenarios:

Example.com does not have an SPF policy, so their messages produce SPF NONE. (Both SMTP Mail From and Message From are the same domain.)

Example.com just changed to Outlook.com, but failed to update their SPF policy, so their messages produce SPF FAIL. (Both SMTP Mail From and Message From are the same domain.)

Example.com uses SendGrid.net to send password resets for users of their website. (SMTP Mail From is @SendGrid.net, while Message From is @Example.com.) The messages fail DMARC, either because SendGrid.net is not configured with a DKIM signature for Example.com, or because Example.com has not published a DMARC policy at all.

Example@gmail.com is a small business that uses ConstantContact.com to send a newsletter which you find very useful. (SMTP Mail From is @ConstantContact.com, while Message From is @Example.com.) The message will always fail DMARC because Gmail.com never releases their DKIM selectors to third parties like ConstantContact.com.

It would seem that any email filtering vendor which understands the filtering problem would recognize the need for safe whitelisting. But I have had difficulty finding products that can do so. Do you know of products that can handle any whitelisting scenario without allowing impersonation at the same time?
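The whitelisting logic the question is asking for, as an added example that is not part of the original post and is not any vendor's product: each whitelist entry names the Message-From identity it exempts and the authenticated identifier that has to vouch for it (an SPF pass for an exact smtp.mailfrom domain, or a DKIM pass for an exact header.d= domain), and the exemption is applied only when that pinned identifier actually passed. The code assumes the filter has already run SPF/DKIM/DMARC and recorded the results in an RFC 8601 Authentication-Results header, which is parsed here in simplified form (no comments or quoting); the domains, mailbox names and the header.d= domain used for the ConstantContact case are constructed for illustration, not observed values.

```python
"""Safe whitelisting: exempt a message from content filtering only when the
identifier the rule names was actually authenticated.

Added example, not code from the original post or any vendor's product. It
assumes the filter already ran SPF/DKIM/DMARC and wrote an RFC 8601
Authentication-Results header; the parser below handles a simplified form.
All sender names, domains and header.d= values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WhitelistRule:
    """Message-From identity to exempt, plus the authenticated identifier that
    must vouch for it: an SPF pass for an exact smtp.mailfrom domain and/or a
    DKIM pass for an exact header.d= domain."""
    header_from: str                   # "example.com" or a full address "example@gmail.com"
    spf_domain: Optional[str] = None
    dkim_domain: Optional[str] = None


_CLAUSE = re.compile(r"^(\w+)=(\w+)(.*)$")
_PROP = re.compile(r"([\w.]+)=(\S+)")


def parse_auth_results(header: str) -> dict:
    """Parse a simplified Authentication-Results value into
    {"spf": (result, mailfrom_domain), "dkim": [(result, d_domain), ...], "dmarc": result}."""
    out = {"spf": ("none", ""), "dkim": [], "dmarc": "none"}
    for clause in [c.strip() for c in header.split(";")][1:]:  # [0] is the authserv-id
        m = _CLAUSE.match(clause)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = {k.lower(): v.lower() for k, v in _PROP.findall(rest)}
        if method == "spf":
            out["spf"] = (result, props.get("smtp.mailfrom", "").split("@")[-1])
        elif method == "dkim":
            out["dkim"].append((result, props.get("header.d", "")))
        elif method == "dmarc":
            out["dmarc"] = result
    return out


def _from_matches(rule_target: str, header_from: str) -> bool:
    target, addr = rule_target.lower(), header_from.lower()
    return addr == target if "@" in target else addr.split("@")[-1] == target


def naive_whitelist_applies(rule: WhitelistRule, header_from: str) -> bool:
    """The dangerous form: the exemption keys on Message-From alone, so anyone
    who writes that From: header inherits it."""
    return _from_matches(rule.header_from, header_from)


def safe_whitelist_applies(rule: WhitelistRule, header_from: str, auth: dict):
    """Return (applies, reason). The rule fires only if the pinned identifier
    passed authentication. A pass for some other domain (e.g. the attacker's
    own, which they can always arrange) does not count."""
    if not _from_matches(rule.header_from, header_from):
        return False, "Message-From does not match the rule"
    spf_result, spf_domain = auth["spf"]
    if rule.spf_domain and spf_result == "pass" and spf_domain == rule.spf_domain.lower():
        return True, f"spf=pass for pinned smtp.mailfrom domain {spf_domain}"
    for dkim_result, d in auth["dkim"]:
        if rule.dkim_domain and dkim_result == "pass" and d == rule.dkim_domain.lower():
            return True, f"dkim=pass for pinned header.d={d}"
    return False, "no authenticated identifier vouches for this sender; rule not applied"


# Constructed whitelist and messages mirroring the scenarios in the post.
RULES = [
    WhitelistRule("example.com", spf_domain="sendgrid.net"),                # password resets via SendGrid
    WhitelistRule("example@gmail.com", dkim_domain="constantcontact.com"),  # newsletter; d= domain is assumed
    WhitelistRule("nospf.example", spf_domain="nospf.example"),             # domain that publishes no SPF record
]

SAMPLES = {  # name -> (Message-From address, Authentication-Results value), all constructed
    "sendgrid_legit": ("resets@example.com",
        "mx.local; spf=pass smtp.mailfrom=bounce@sendgrid.net; dkim=pass header.d=sendgrid.net; "
        "dmarc=fail header.from=example.com"),
    "sendgrid_spoof": ("resets@example.com",   # attacker's own server: SPF passes for attacker.invalid
        "mx.local; spf=pass smtp.mailfrom=x@attacker.invalid; dmarc=fail header.from=example.com"),
    "newsletter_legit": ("example@gmail.com",
        "mx.local; spf=pass smtp.mailfrom=bounce@constantcontact.com; dkim=pass header.d=constantcontact.com; "
        "dmarc=fail header.from=gmail.com"),
    "newsletter_spoof": ("example@gmail.com",
        "mx.local; spf=pass smtp.mailfrom=x@attacker.invalid; dkim=pass header.d=attacker.invalid; "
        "dmarc=fail header.from=gmail.com"),
    "no_spf_policy": ("billing@nospf.example",
        "mx.local; spf=none smtp.mailfrom=billing@nospf.example; dmarc=none header.from=nospf.example"),
}


def evaluate(name: str) -> dict:
    """Run the first rule whose Message-From pattern matches, both the naive and the safe way."""
    header_from, ar_value = SAMPLES[name]
    auth = parse_auth_results(ar_value)
    for rule in RULES:
        if _from_matches(rule.header_from, header_from):
            applies, reason = safe_whitelist_applies(rule, header_from, auth)
            return {"naive": naive_whitelist_applies(rule, header_from), "safe": applies, "reason": reason}
    return {"naive": False, "safe": False, "reason": "no rule matches this Message-From"}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:17s} {evaluate(name)}")
```

Two things this makes visible. First, the spoofed messages get an SPF or DKIM pass for the attacker's own domain, which the naive rule happily accepts; the safe rule ignores any pass that is not for the exact domain pinned in the entry. Second, the no-SPF case fails closed: a rule pinned on a domain that publishes no record can never fire, which is precisely the gap the question describes, and the evaluator's only recourse is to pin on some other identifier that does authenticate (a sending service's domain, or a DKIM d= domain). Pinning on a shared ESP domain such as sendgrid.net vouches for the ESP's infrastructure rather than for the particular customer, so use the narrowest identifier available, for example a customer-specific bounce subdomain or a customer-specific d= domain, when the provider offers one.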
