> On Aug 1, 2017, at 2:37 PM, David Harris <dhar...@drh.net> wrote:
>
> Hi,
>
> We have a potential customer in the business of doing penetration testing,
> and they want to send penetration testing phishing emails authorized by a
> target company to that company's own employees.
>
> If we allowed this in our network, I would require:
>
> (1) Evidence to our satisfaction that this was authorized by the target
> company

In writing, from an officer of the target company, that satisfies your lawyers.

> (2) An X- header explaining what they are doing with a link to find more info

Reasonable. I might also require the contact information for someone inside the target company - if the security people go into lockdown mode, why should they trust what a malicious third party is telling them?

> (3) Use of a from address at a domain name like
> "whatever-company-name-is-phishing.com" -- which would have a web-page
> explaining what they do

That would make the phishing much less likely to succeed, which is counter to the point of pen-testing.

> (4) The approval of our upstream's Abuse Desk.

That'll be a fun conversation. :)

> I'm considering also requiring:
>
> (5) Emails must be DKIM signed with a d= of the target company domain name.

If this is a pen-test (as opposed to an employee training exercise) that's a bit like requiring your pen-tester to use the root passwords you give them. I'd push back against that, if the enterprise email filters are part of what I were testing.

> For example:
>
> From: f...@whatever-company-name-is-phishing.com
> To: emplo...@example.com
> DKIM-Signature: … d=example.com ….
>
> Thoughts? Are there best practices for something like this?

None of this is going to do much to mitigate the reputation impact on the IP address range it's sent from, unless you've also managed to negotiate a free pass from all the mail filtering and reputation providers used across the company.

Best practice is probably to do it from somebody else's network space. I'd be wary about whether this is what your potential client intends.

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
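As an added example, not code from the thread or from either participant, here is how a provider that adopted requirements (2), (3) and (5) from David's list could check an outbound message's headers before relaying it. The header name X-Phishing-Test, the "-phishing.com" suffix and the two sample messages are assumptions constructed for illustration; the thread fixes none of them. The checker only reads the d= tag of the DKIM-Signature header; it does not fetch the selector's key or verify the signature.

```python
"""Header policy check for an authorized phishing-test message.

Example added here, not from the mailop thread. Encodes requirements
(2), (3) and (5) of David Harris's list as checks over the headers of a
message. Names marked "assumed" are not specified in the thread.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed: the explanatory X- header of requirement (2).
INFO_HEADER = "X-Phishing-Test"
# Assumed: the disclosing-domain pattern of requirement (3).
SENDER_DOMAIN_SUFFIX = "-phishing.com"
URL_RE = re.compile(r"https?://\S+")


def dkim_tags(sig: str) -> dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376, 3.2).

    Folding whitespace is dropped, and only the first '=' separates a tag
    from its value, so base64 padding in b= and bh= survives intact.
    """
    tags: dict[str, str] = {}
    for part in sig.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = "".join(value.split())
    return tags


def from_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From address, lower-cased ('' if unparsable)."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def check_policy(raw: str, target_domain: str) -> list[str]:
    """Return the violated requirements; an empty list means the message passes."""
    msg = message_from_string(raw)
    problems: list[str] = []

    # (2) An X- header explaining the exercise, with a link to more information.
    if not URL_RE.search(msg.get(INFO_HEADER, "")):
        problems.append(f"(2) missing {INFO_HEADER} header with an info URL")

    # (3) From address at a domain that discloses what the sender does.
    if not from_domain(msg).endswith(SENDER_DOMAIN_SUFFIX):
        problems.append(f"(3) From domain does not end in {SENDER_DOMAIN_SUFFIX}")

    # (5) A DKIM-Signature whose d= is the target company's domain. Only the
    # tag is inspected; verifying the signature needs the selector's DNS key.
    signed_domains = {
        dkim_tags(sig).get("d", "").lower()
        for sig in msg.get_all("DKIM-Signature", [])
    }
    if target_domain.lower() not in signed_domains:
        problems.append(f"(5) no DKIM-Signature with d={target_domain}")

    return problems


# Constructed sample messages, not real traffic. The folded DKIM-Signature
# header in the first one is deliberate: the parser has to cope with it.
COMPLIANT = """\
From: pentest@acme-phishing.com
To: employee@example.com
Subject: Payroll update
X-Phishing-Test: Authorized exercise, see https://acme-phishing.com/about
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=pentest; h=from:to:subject; bh=xyz=; b=abc==

Please sign in to confirm your details.
"""

NONCOMPLIANT = """\
From: it-support@acme-security.com
To: employee@example.com
Subject: Password expiry
DKIM-Signature: v=1; a=rsa-sha256; d=acme-phishing.com; s=k1; h=from; bh=x=; b=y=

Your password expires today.
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_policy(raw, "example.com") or "OK")
```

The check is a policy gate, not a spam filter: it tells the relay whether a message carries the disclosures the provider demanded, and nothing more. Cryptographic verification of the d= claim would need the selector's public key from DNS, which is why the example stops at reading the tag.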