en - Re: [sympa-users] Tickets incompatible with some anti-malware tools

Subject: The mailing list for listmasters using Sympa

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Tickets incompatible with some anti-malware tools
  • Date: Thu, 06 Mar 2014 17:34:02 +0100

Hi Roger,

On 05/03/14 22:11, Roger B.A. Klorese wrote:
> One of our users uses McAfee SaaS (formerly MXlogic) for anti-spam/anti-malware processing of their email.
>
> One of the things it does is attempt to identify phishing and other linked malware by following the links.
>
> Unfortunately, this seems to be incompatible with the ticket system, since once the mail is checked and delivered to the user, the ticket link is already invalid...
>
> Any suggestions?

Stop using McAfee SaaS.
I see no means to prevent an authorized link of the mail expedition chain from using a web link. We don't know from where the one-time ticket will be used.

> This is a pretty common anti-spam/anti-malware approach.

Yes, but I see a lot of disadvantages to this solution. For example (non-exhaustive list):
  1. One-time links are also a pretty common practice. Most of the websites I subscribed to recently send such links to activate accounts. We see here an interesting case where two security measures fight each other.
  2. Some tools use GET links to change the server state. This is bad, I know, but letting a mail application muse around links can subsequently alter the server state (one-time tickets grant authentication, so the antivirus could act on the server as an authenticated user - imagine if it is the admin). We don't know what kind of investigation the antivirus will do. Does it just check page content, or does it explore the links it contains?
  3. Having links contained in emails automatically visited by the antivirus is a wonderful backscattering tool for spam senders. They don't even need to put a spy pixel in mails, they just need to wait for people to install McAfee and get confirmation from the antivirus software that an email address exists or not.
  4. Finally, exploring links contained in emails is one step further against mail privacy but, well, we already need to read them to analyze their content, so it's not the worst aspect of this solution.
So the only solution I see is for you to encourage your users to change to another anti-phishing solution or, at least, to switch the "links visit functionality" off.

All the best,

David
--
A bug in Sympa? Quick! To the bug tracker!

 
David Verdin
Études et projets applicatifs
 
Tel: +33 2 23 23 69 71
Fax: +33 2 23 23 71 21
 
www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex

Attachment: smime.p7s
Description: S/MIME cryptographic signature
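
The failure Roger reports and the GET side-effect problem from item 2 of the reply, as an added example that is not part of the original message and is not Sympa's code. It compares a constructed ticket store under two policies: one that spends the ticket on GET, and one (an assumption, not something proposed in the thread) that spends it only on an explicit POST. All class and function names are hypothetical.

```python
import secrets


class TicketStore:
    """Hypothetical one-time ticket store (illustrative names, not Sympa's API)."""

    def __init__(self, consume_on_get):
        self.consume_on_get = consume_on_get
        self.tickets = {}  # ticket -> email address it authenticates

    def issue(self, email):
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = email
        return ticket

    def handle(self, method, ticket):
        """Return (http_status, authenticated_email) for a request to the ticket URL."""
        email = self.tickets.get(ticket)
        if email is None:
            return 403, None              # unknown or already spent
        if method == "GET" and not self.consume_on_get:
            return 200, None              # confirmation page only, no state change
        if method in ("GET", "POST"):
            del self.tickets[ticket]      # ticket spent, session granted
            return 200, email
        return 405, None


def deliver_through_scanner(store, email):
    """Constructed scenario: a gateway scanner GETs the link before the user does."""
    ticket = store.issue(email)
    scanner = store.handle("GET", ticket)     # scanner follows the link in transit
    user_get = store.handle("GET", ticket)    # user clicks the link in the mail
    user_post = store.handle("POST", ticket)  # user presses "confirm" on the page
    return scanner, user_get, user_post


if __name__ == "__main__":
    for policy in (True, False):
        result = deliver_through_scanner(TicketStore(policy), "user@example.org")
        print("consume_on_get=%s -> scanner=%s user_get=%s user_post=%s"
              % ((policy,) + result))
```

With `consume_on_get=True` the scanner's request is the one that gets authenticated and the user receives 403. The POST-only policy helps only against scanners that issue plain GET requests, and the reply notes that the depth of the scanner's investigation is unknown.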