On 28.06.2016 at 15:30, Sidney Markowitz wrote:
> You are right that social engineering can't be stopped by technology. The
> company should have procedures in place that provide the flexibility that CEO
> seems to need but will still prevent the fraud even in the face of successful
> social engineering. But there is no reason the mail setup has to allow spoofed
> headers From the company domain

if only things would be that easy
____________________________

blacklist_from *@your-bank.tld
whitelist_auth *@your-bank.tld

in theory that would stop any forgery; in real life I had to revert this after a big payment service using proper SPF then sent their newsletters through an external service: envelope of the external service, but a From header matching blacklist_from without being able to hit whitelist_auth
____________________________

in fact, to make such things work without breaking mailing-lists and whatnot, one would be required to use a dedicated subdomain for business email which is never used outside the own network, and *then* you can easily block any message with an envelope or From header touching your MX

but that would also require that the users understand "THIS address MUST NOT be used for anything but submission mail, and use THIS email address for mailing-lists and other things"

one can now come with "DKIM exists" - then look how often the DKIM check failed in the past, up to the point that it became the testing rule T_DKIM_INVALID because of too many false positives

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6462
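
The two policies the post contrasts, modelled as an added Python illustration (this is not code from the thread and not SpamAssassin's own implementation). Policy 1 approximates the blacklist_from / whitelist_auth pair: a header From matching the pattern is penalised unless an authentication result aligned with that domain exists. Policy 2 is the dedicated submission subdomain that never leaves the company network. The domain names, the ESP, and the sample messages are constructed so the newsletter false positive and the subdomain block can be reproduced offline:

```python
"""Toy model of the two anti-forgery policies discussed in the post.

Added illustration, not SpamAssassin's code. Policy 1 approximates

    blacklist_from  *@your-bank.tld
    whitelist_auth  *@your-bank.tld

as one check: a header From matching the pattern is rejected unless an
authentication result aligned with that domain exists (the way whitelist_auth
relies on SPF / DKIM results). Policy 2 is the dedicated submission subdomain:
it is never used outside the company network, so any external message carrying
it in the envelope or header From must be forged.
Domain names and sample messages are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Message:
    envelope_from: str          # SMTP MAIL FROM address
    header_from: str            # RFC 5322 From: address
    spf_pass: bool              # SPF result for the envelope-from domain
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, else None
    from_internal_net: bool     # submitted from inside the company network


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def aligned_auth(msg: Message) -> bool:
    """Authentication that vouches for the header From domain itself:
    SPF pass on an envelope in the same domain, or a DKIM signature from
    that domain. An external service signing with its own domain does not count."""
    hf = domain_of(msg.header_from)
    spf_aligned = msg.spf_pass and domain_of(msg.envelope_from) == hf
    dkim_aligned = msg.dkim_domain is not None and msg.dkim_domain.lower() == hf
    return spf_aligned or dkim_aligned


def policy_blacklist_unless_auth(msg: Message, pattern: str) -> str:
    """Policy 1: blacklist_from PATTERN + whitelist_auth PATTERN."""
    if not fnmatch(msg.header_from.lower(), pattern.lower()):
        return "accept: pattern not matched"
    if aligned_auth(msg):
        return "accept: whitelist_auth hit"
    return "reject: blacklist_from hit, no aligned authentication"


def policy_dedicated_subdomain(msg: Message, subdomain: str) -> str:
    """Policy 2: reject external mail that touches the internal subdomain."""
    if msg.from_internal_net:
        return "accept: internal submission"
    for addr in (msg.envelope_from, msg.header_from):
        if domain_of(addr) == subdomain.lower():
            return f"reject: external mail claiming {subdomain}"
    return "accept: does not touch internal subdomain"


# Constructed sample traffic (hypothetical domains).
SAMPLES = {
    # Forged header From in the company domain, envelope elsewhere.
    "forged_from": Message("x@example.net", "ceo@your-bank.tld", True, None, False),
    # Legitimate newsletter through an external service (the case that forced
    # the revert): SPF passes for the ESP's envelope, not for the company domain.
    "newsletter_via_esp": Message("bounce@esp.example", "news@your-bank.tld",
                                  True, "esp.example", False),
    # Company mail with proper SPF on its own envelope.
    "own_mail": Message("cfo@your-bank.tld", "cfo@your-bank.tld", True, None, False),
    # Internal submission on the dedicated subdomain.
    "internal_sub": Message("cfo@corp.your-bank.tld", "cfo@corp.your-bank.tld",
                            True, None, True),
    # External mail carrying the internal subdomain: impossible if legitimate.
    "forged_sub": Message("x@example.net", "ceo@corp.your-bank.tld", True, None, False),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run both policies over the samples; returns {name: (policy1, policy2)}."""
    return {
        name: (policy_blacklist_unless_auth(m, "*@your-bank.tld"),
               policy_dedicated_subdomain(m, "corp.your-bank.tld"))
        for name, m in samples.items()
    }


if __name__ == "__main__":
    for name, (p1, p2) in evaluate().items():
        print(f"{name:20} policy1={p1:56} policy2={p2}")
```

Running it shows the trade-off the post describes: policy 1 rejects the forged message but also the newsletter sent via the external service, because the only authenticated domain there is the ESP's; policy 2 leaves newsletters and mailing-list traffic untouched and only blocks external mail that claims the submission subdomain, which is exactly why it needs users to keep the two addresses apart.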
