While some pen testing companies who do that want to make it as
realistic as possible (phishing emails, e.g. in the same manner a villain
would do), it depends on the target employees that they are trying to
'phish' test.
Normal employees are not sophisticated, and the content alone is enough.
Unless the pen testing company was testing another security company, or
very tech savvy targets, I would do the following:
* Add a TXT record clearly showing the purpose.
* Use a separate domain/sub-domain
* Have the PTR record from the sending server CLEARLY spell it out.
  -- PTR pentest.legitimatedomain.com
* Ensure that there is an ab...@phishdomain.com
* Have accurate SWIP/rwhois for the IP in question, with clear COMMENT
section
* Have the whois record for the phishdomain clearly show legitimacy
* Have an associated website matching the phishdomain.
However, in general the latter is probably part of the pen test. Simply
going to the site might actually be the exploit, or it might add to the
legitimacy.
A tough one... but I would really suggest that you get a legal disclaimer
from the target company, with the ability to confirm that the target
indeed registered the disclaimer.
But of course, the 'obvious' question is why they are looking to use
your network ;) If they are a pen testing company without their own IP
space, did they just set up shop?
Social Engineering can be used just as easily against you as the
targets... Sounds like something a Kevin Mitnick might invent.
On 17-08-01 02:37 PM, David Harris wrote:
Hi,
We have a potential customer in the business of doing penetration testing, and
they want to send penetration testing phishing emails authorized by a target
company to that company's own employees.
If we allowed this in our network, I would require:
(1) Evidence to our satisfaction that this was authorized by the target company
(2) An X- header explaining what they are doing with a link to find more info
(3) Use of a from address at a domain name like
“whatever-company-name-is-phishing.com” -- which would have a web-page
explaining what they do
(4) The approval of our upstream's Abuse Desk.
I’m considering also requiring:
(5) Emails must be DKIM signed with a d= of the target company domain name.
For example:
From: f...@whatever-company-name-is-phishing.com
To: emplo...@example.com
DKIM-Signature: … d=example.com ….
Thoughts? Are there best practices for something like this?
Thanks,
David Harris
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
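The header-side requirements raised in this thread (an X- header pointing at an explanation, a From domain that self-identifies as a phishing-simulation domain, and a DKIM d= equal to the target company's domain) can be checked mechanically on the receiving or relaying MTA. The script below is an added example written for this thread, not code from either poster. It assumes a marker header named X-Phishing-Simulation and treats "the domain name contains 'phishing'" as the self-identification rule; both are simplifications chosen here. It parses the DKIM-Signature tag list itself and compares d= against the recipient domains, but does not verify the signature or look up the TXT/PTR records Michael suggests, since those need DNS. The sample messages are constructed.

```python
"""Policy check for authorized phishing-simulation mail, run from the
mail operator's side. Added example for the mailop thread; the header
name and the From-domain rule are assumptions, not list policy."""
import email
from email.utils import getaddresses

# Constructed message that satisfies all three header requirements:
# marker header with a link, self-identifying From domain, and a DKIM
# d= equal to the recipients' (target company's) domain.
SAMPLE_GOOD = b"""From: Security Training <training@acme-phishing.example>
To: alice@example.com, bob@example.com
Subject: Please review your timesheet
X-Phishing-Simulation: authorized test; see https://acme-phishing.example/about
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=pentest; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
Content-Type: text/plain

Hello, please log in to confirm your hours.
"""

# Constructed message that fails: no marker header, and the DKIM d= is
# the pen-test company's own domain rather than the target's.
SAMPLE_BAD = b"""From: Security Training <training@acme-phishing.example>
To: alice@example.com
Subject: Please review your timesheet
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=acme-phishing.example;
 s=mail; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
Content-Type: text/plain

Hello, please log in to confirm your hours.
"""


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace inside a value (as in a wrapped header) is dropped,
    which is what the DKIM tag syntax requires.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = "".join(value.split())
    return tags


def address_domains(header_values):
    """Return the lower-cased set of domains from a list of address headers."""
    domains = set()
    for _, addr in getaddresses(header_values):
        if "@" in addr:
            domains.add(addr.rpartition("@")[2].lower())
    return domains


def check_simulation_policy(raw_bytes, marker_header="X-Phishing-Simulation"):
    """Return a list of policy findings; an empty list means the message complies."""
    msg = email.message_from_bytes(raw_bytes)  # compat32: header values are plain str
    findings = []

    # Requirement (2): an X- header explaining the test, with a link.
    marker = msg.get(marker_header)
    if not marker or "http" not in marker:
        findings.append(f"missing {marker_header} header with info link")

    # Requirement (3): the From domain must self-identify as a simulation domain.
    from_domains = address_domains(msg.get_all("From", []))
    if not from_domains or not all("phishing" in d for d in from_domains):
        findings.append(f"From domain does not self-identify: {sorted(from_domains)}")

    # Requirement (5): DKIM d= must be the target company's domain, i.e. the
    # domain the recipients belong to, not the pen-test company's domain.
    rcpt_domains = address_domains(msg.get_all("To", []) + msg.get_all("Cc", []))
    dkim_domains = {
        parse_dkim_tags(h).get("d", "").lower()
        for h in msg.get_all("DKIM-Signature", [])
    }
    dkim_domains.discard("")
    if not dkim_domains:
        findings.append("no DKIM-Signature header")
    elif not dkim_domains & rcpt_domains:
        findings.append(
            f"DKIM d= {sorted(dkim_domains)} does not match recipient domains "
            f"{sorted(rcpt_domains)}"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_simulation_policy(sample) or "OK")
```

A d= that matches the recipients' domain only proves anything once the signature actually verifies against the target's published selector key, so in production this check would sit behind a real DKIM verifier (the MTA's own, or a library such as dkimpy) and only then compare domains.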