Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Safety first! Right?

Safety first! Right?

  • Comments 10

I've been checking around some other anti-spam solutions and one of the selling points that they mention is that they do end-user whitelisting.  This is supposedly a selling point of the product - that the users can do individual whitelisting.  It's not the admins who only have the power, it is the users themselves.  By whitelisting, I mean that a user can say "Do not apply spam filtering to this user, or any mail from this domain."  Note that whitelisting applies to spam filtering, but not to virus filtering (but we can create spam rules that apply to viruses if we so choose).

This reminds me of an episode of the Simpsons.  Mr. Burns and his assistant Smithers are going into a high security area.  They both put their eyes into a retinal scanner, both have keys to unlock a series of huge blast doors and there is a ton of security that they have to go through.  When they finally get to the end of the tunnel of doors, there is a stray dog there who has walked in through an open screen door.  Burns replies "Oh, for heavens sake!" and kicks the dog, and it scrambles out of the room.  It is a very funny scene.

The joke is that Mr. Burns has all this massive security built up but it's all for nothing because they have a wide-open backdoor through which anyone can waltz in and access the secret area.  What's the point of having the security if you don't actually secure anything?

I tend to view end-user whitelisting the same way.  I can see if an admin wants to whitelist a particular end-user and domain.  The sysadmin needs the power to do that, but the decision to do that is centralized.  If end-users can whitelist whoever they want, I think that represents a security breach similar to Mr. Burns leaving the back door open.  Sysadmins know about network security (or at least they should), users do not.  Better to have the person who is in charge of security making the network security decisions than Joe in accounting wanting to get his X-rated newsletter.

As a spam analyst, I came to the position that if there is a weakness in your product, given enough users it will be discovered.  I can't count how many spam rules I've written or seen written that should have never hit legitimate messages hit a legitimate message.  For example, let's say we block a porn site only to have a law firm refer to it in a case and report that message as a false positive.  That porn site should never occur in legitimate messages, right?  It turns out that assumption was wrong.

My rule of thumb is that any security product you implement will have holes, so you should have backup systems in place in the event that weakness is found.  In my own personal view, allowing end-users to do their own whitelisting represents an exploitable weakness, and mark my words, it's only a matter of time before that weakness is exploited.  It's kind of like having a smoke alarm in every room in your house except the kitchen.

This should never cause a problem, right?  The odds are that it will be exploited are small.  However, given enough numbers, it's only a matter of time before something bad happens.  What happens if a virus breaks out and spoofs the whitelisted domain and dumps out the spam?  Some users are using our anti-spam solution, some are not.  Some users will get nailed with spam, others will not.  Some spam may be virus infected or link to an executable.  What happens then?

What do you all think?  Am I making much ado about nothing?  Or am I right to think that the risk of this feature exceeds the reward?

Leave a Comment
  • Please add 2 and 8 and type the answer here:
  • Post
  • What's never clearly defined in your post is the scope at which the user-assigned whitelisting applies.  If it's based on e.g. a (recipient, sender) pair so that mail from that sender is unfiltered only when delivered to that recipient, then I'd say yes, you are making too much ado, though not quite about nothing.  OTOH if every recipient can alter the whitelist for the entire protected entity, then you have a problem.

  • > If it's based on e.g. a (recipient, sender) pair so that mail from that sender is unfiltered only when delivered to that recipient, then I'd say yes, you are making too much ado, though not quite about nothing.

    Alright, I can go with that.  Perhaps I am seeing more than what there really is.

    Still, I have a bad feeling about this.

  • It also would depend on whether the sysadmin can set blacklists which override the end-user's filters. The point is that users can be stupid, but to let them do useful things, you have to give them some rope.

    That the same length of rope will let them hang themselves is no excuse for behaving otherwise. Delegate that responsibility off to someone who can make that decision.

  • Yahoo kicks every ACM Queue e-mail into my spam box.  I've caught more than 30 and reported every one as non-spam (which simultaneously moves the message to my inbox for downloading).

    I think Yahoo provides an option for whitelisting and I'll probably use it eventually.  I haven't used it yet because I hoped that more than 30 essentially identical reports of false positives would be enough, I hoped whitelisting wouldn't be necessary.

    Imagine if recognized spams were discarded instead of being findable.  No one would know about the false positives and whitelisting wouldn't even be usable.

    Sad fact:  whitelisting is necessary.

  • I think you're looking at it backwards.

    For anti-spam software, falsely reporting a legitimate message as spam is the WORST thing your software can do. Allowing one spam to get into the inbox is bad and annoying, but all the user has to do is hit "mark as spam" and the problem is solved. (Obviously things are a little different if it's a thousand spams getting into the inbox though).

    If a legit message gets reported as spam, the worst case is that the user never goes into their spam folder (I know I don't, would take too long) and never sees the message. What's the worst case of missing an email? It could end a relationship, destroy a career, lead to financial losses... anything really.

    Letting a spam through is not a security issue. Phishing or virus mail yes, spam no. The chain of severity of problems goes something like "security issue, dataloss issue, other issue". And a false positive is a dataloss issue.

    You simply MUST give users the tools to protect themselves against this. If I felt that my anti spam software was prioritizing "protecting" me from spams over and above making sure legitimate mails get through, I'd switch to different software in a heartbeat.

  • Fair enough, Stuart.

    On the other hand, you mention that the chain of severity problems is "Security, data loss, other".  This means that security is more important than data loss, yes?  But then you go on to say that you would consider data loss (of legitimate mail) to be a more important consideration than security (protecting from spam).  Isn't that a contradiction?

  • > Delegate that responsibility off to someone who can make that decision.

    Devdas,

    I don't have a problem with admins having the option to whitelist whoever they want.  But having individual end-users do it is akin too having a lot of cooks in the kitchen, especially if the domain has something like 20,000 users.  In my opinion, of course.

  • Norman,

    Whitelisting is quasi-necessary.  If an anti-spam company could get their false positives down very low then whitelisting's usefulness would be a lot lower.

    On the other hand, I've read studies that whitelisting of trusted domains cuts down on false positives by nearly 3/4.  That's a very significant amount and lets spam filters clamp down a lot more.

  • I've had a document sitting on my shelf (ie, the window-sill 10 feet away from my desk) for about 6 months

  • I've had a document sitting on my shelf (ie, the window-sill 10 feet away from my desk) for about

Page 1 of 1 (10 items)