Hi Steve,

On Aug 1, 2017, at 4:57 PM, Steve Atkins <st...@blighty.com> wrote:

>> (2) An X- header explaining what they are doing with a link to find more info
>
> Reasonable. I might also require the contact information for someone inside
> the target company - if the security people go into lockdown mode, why should
> they trust what a malicious third-party is telling them?

Great idea!

>> (5) Emails must be DKIM signed with a d= of the target company domain name.
>
> If this is a pen-test (as opposed to an employee training exercise) that's a
> bit like requiring your pen-tester to use the root passwords you give them.
> I'd push back against that, if the enterprise email filters are part of what
> I were testing.

The goal is to test the employees, not the spam filtering or anti-phishing software.

One thing I forgot to mention is that our customer would request that the target company whitelist the sending IP addresses in their spam filter, if possible. This is in everyone’s best interest so that the employees see the message and have the opportunity to be tested.

Thank you,

David Harris

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
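The requirements discussed in this exchange (an X- header pointing at more information, and a DKIM signature whose d= is the target company's own domain) can be checked mechanically on the receiving side. The following is an added example, not code from the mailop thread or from any vendor mentioned in it: it parses a message, collects the d= tag of each DKIM-Signature header, confirms it matches the target domain and the visible From domain, and confirms the informational header carries a link. The header name `X-Phishing-Simulation-Info`, the sample message and its domains are constructed assumptions; the thread names none of them. Only the d= tag is compared, the signature is not cryptographically verified here.

```python
"""Receiving-side check for the phishing-simulation requirements discussed
in the thread.  Added example, not code from the thread or any vendor in it.
Assumptions: the X- header name, the sample message and its domains are
constructed for illustration.  Only the d= tag is compared; the DKIM
signature itself is not cryptographically verified here.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed header name: the thread only says "an X- header ... with a link".
INFO_HEADER = "X-Phishing-Simulation-Info"

# Constructed sample message (not a real campaign); bh=/b= values are dummies.
SAMPLE = b"""\
From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Scheduled training reminder
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sim2017; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
X-Phishing-Simulation-Info: https://example.com/security/simulation-info
Content-Type: text/plain; charset=us-ascii

Constructed sample body.
"""


def dkim_domains(msg: EmailMessage) -> list[str]:
    """Return the d= tag of every DKIM-Signature header, lower-cased."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        # DKIM tags are ';'-separated tag=value pairs; folding whitespace is
        # permitted around tags and inside values, so strip each piece.
        for tag in str(sig).split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "d":
                domains.append("".join(value.split()).lower())
    return domains


def from_domain(msg: EmailMessage) -> str:
    """Domain part of the RFC 5322 From header (what the employee sees)."""
    addr = msg["From"].addresses[0].addr_spec  # policy.default parses addresses
    return addr.rpartition("@")[2].lower()


def check_simulation_message(raw: bytes, target_domain: str) -> dict:
    """Evaluate one raw message against the agreed simulation requirements.

    Returns each finding separately plus an overall 'ok' flag, so a mail
    administrator can log exactly which requirement a message failed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    target = target_domain.lower()
    domains = dkim_domains(msg)
    info = msg.get(INFO_HEADER)
    result = {
        "dkim_domains": domains,
        # Requirement (5): DKIM signed with d= of the target company domain.
        "dkim_d_is_target": target in domains,
        # The visible From domain should match too; otherwise the signature
        # says nothing about the sender the employee actually sees.
        "from_aligned": from_domain(msg) == target,
        # Requirement (2): an X- header carrying a link to more information.
        "info_header_present": info is not None and "://" in str(info),
    }
    result["ok"] = all(v for k, v in result.items() if k != "dkim_domains")
    return result


if __name__ == "__main__":
    print(check_simulation_message(SAMPLE, "example.com"))
```

A mail administrator who has agreed to whitelist the simulation sender's IP addresses could run this check on messages arriving from those addresses and log any that do not carry the agreed headers, which is what makes the whitelisting safe to grant.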