Hi,

We have a potential customer in the business of doing penetration testing, and they want to send penetration testing phishing emails authorized by a target company to that company's own employees.

If we allowed this in our network, I would require:

(1) Evidence to our satisfaction that this was authorized by the target company
(2) An X- header explaining what they are doing, with a link to find more info
(3) Use of a From address at a domain name like "whatever-company-name-is-phishing.com" -- which would have a web page explaining what they do
(4) The approval of our upstream's Abuse Desk

I'm considering also requiring:

(5) Emails must be DKIM signed with a d= of the target company domain name. For example:

From: f...@whatever-company-name-is-phishing.com
To: emplo...@example.com
DKIM-Signature: … d=example.com …

Thoughts? Are there best practices for something like this?

Thanks,
David Harris

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
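The header-level part of the policy proposed above (rules 1, 2, 3 and 5) can be expressed as a check a relay applies to each outgoing message before it is accepted. The following is an added example written for this page; it is not code from the original post or from any mailop participant. It assumes a header name `X-Phishing-Simulation` for rule (2), a set of registered tester sender domains for rule (3), and a set of target domains with authorization on file for rule (1). For rule (5) it checks only that a `DKIM-Signature` header carries `d=` equal to the recipient's domain; cryptographic verification of that signature is assumed to happen elsewhere (it requires the `selector._domainkey` DNS lookup), and it is worth noting that producing a valid signature with `d=example.com` is only possible if the target company has published a selector for the tester's key, which is what makes rule (5) a strong form of evidence for rule (1). Rule (4) is not a per-message property and is not checked. The sample messages are constructed for the example.

```python
"""Header-level check of a phishing-simulation acceptance policy (added example)."""
import email
import re
from email.utils import parseaddr

# Assumed header name for rule (2); the post only says "an X- header".
SIMULATION_HEADER = "X-Phishing-Simulation"

# Constructed sample: follows all header rules, including d= of the target domain.
OK_MESSAGE = """\
From: tester@whatever-company-name-is-phishing.com
To: employee@example.com
Subject: Benefits enrollment closes Friday
X-Phishing-Simulation: authorized assessment; see https://whatever-company-name-is-phishing.com/about
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=pentest;
 h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==

Please review the attached enrollment form.
"""

# Constructed sample: same message, but signed with the tester's own domain.
WRONG_D_MESSAGE = OK_MESSAGE.replace("d=example.com", "d=whatever-company-name-is-phishing.com")


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace is insignificant inside the tag list, so it is stripped
    first. Only the first '=' separates tag from value because base64 values
    (bh=, b=) may end with '=' padding.
    """
    compact = re.sub(r"\s+", "", header_value)
    tags = {}
    for part in compact.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name] = value
    return tags


def check_simulation_policy(raw_message: str, authorized_targets: set[str],
                            tester_domains: set[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the message passes.

    authorized_targets: domains whose owners gave authorization (rule 1).
    tester_domains: sender domains the testing firm registered (rule 3).
    Rule (5) is checked for d= alignment only; the signature is assumed to have
    been cryptographically verified earlier (e.g. by the MTA's DKIM filter).
    """
    msg = email.message_from_string(raw_message)
    problems = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()

    if to_domain not in authorized_targets:
        problems.append(f"(1) recipient domain {to_domain!r} has no authorization on file")
    if not msg.get(SIMULATION_HEADER):
        problems.append(f"(2) missing {SIMULATION_HEADER} header")
    if from_domain not in tester_domains:
        problems.append(f"(3) From domain {from_domain!r} is not a registered tester domain")

    # (5) at least one DKIM-Signature must carry d= equal to the target's domain.
    d_values = [parse_dkim_tags(h).get("d", "").lower()
                for h in msg.get_all("DKIM-Signature", [])]
    if to_domain not in d_values:
        problems.append(f"(5) no DKIM-Signature with d={to_domain}; saw d={d_values or 'none'}")
    return problems


if __name__ == "__main__":
    targets = {"example.com"}
    testers = {"whatever-company-name-is-phishing.com"}
    for label, raw in (("ok", OK_MESSAGE), ("wrong d=", WRONG_D_MESSAGE)):
        print(label, "->", check_simulation_policy(raw, targets, testers) or "pass")
```

The check returns every violated rule rather than stopping at the first, so an abuse desk reviewing a rejected batch sees the whole picture; in a real deployment `authorized_targets` would come from the authorization records kept for rule (1), not from a hard-coded set.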