
en - Re: [sympa-users] Tickets incompatible with some anti-malware tools

Subject: The mailing list for listmasters using Sympa

  • From: "Roger B.A. Klorese" <address@concealed>
  • To: David Verdin <address@concealed>, address@concealed
  • Subject: Re: [sympa-users] Tickets incompatible with some anti-malware tools
  • Date: Fri, 07 Mar 2014 18:45:03 -0800

Let me preface this by saying I don't in any way mean this to be confrontational. I understand and respect your decisions if the following assumptions are true.

It feels like you assume that Sympa will be used in a circumstance in which the organization that implements Sympa also implements the email infrastructure, or at least, where the users of Sympa have some control over the email environment. And that is certainly what educational environments often look like, and, for that matter, what many corporate settings do as well.

But it doesn't work at all for organizations that are hosting lists and that have no relationship at all to the user-side email infrastructure, like a dedicated list-hosting provider. When our client organizations look at us, they expect us to be compatible with their email environments, not the other way around.

If control of the behavior of the user-side email environment is really a prerequisite for Sympa deployment, it would have been helpful to know it. It's a perfectly valid design point, but not one that works for every potential user.



On 3/6/14, 8:34 AM, David Verdin wrote:
Hi Roger,

On 05/03/14 22:11, Roger B.A. Klorese wrote:
One of our users uses McAfee SaaS (formerly MXlogic) for anti-spam/anti-malware processing of their email.

One of the things it does is attempt to identify phishing and other linked malware by following the links.

Unfortunately, this seems to be incompatible with the ticket system, since once the mail is checked and delivered to the user, the ticket link is already invalid...

Any suggestions?
Stop using McAfee SaaS.
I see no means of preventing an authorized link of the mail expedition chain from using a web link. We don't know from where the one-time ticket will be used.
This is a pretty common anti-spam/anti-malware approach.
Yes, but I see a lot of disadvantages to this solution. For example (not an exhaustive list):
  1. one-time links are also a pretty common practice. Most of the websites I subscribed to recently send such links to activate accounts. We see here an interesting case where two security measures fight each other.
  2. some tools use GET links to change the server state. This is bad, I know, but letting a mail application muse around links can subsequently alter the server state (one-time tickets grant authentication, so the antivirus could act on the server as an authenticated user - imagine if it is the admin). We don't know what kind of investigation the antivirus will do. Does it just check page content, does it explore the links it contains?
  3. having links contained in emails automatically visited by the antivirus is a wonderful back-scattering tool for spam senders. They don't even need to put a spy pixel in mails, they just need to wait for people to install McAfee and get confirmation from the antivirus software of whether an email address exists or not.
  4. Finally, exploring links contained in emails is one step further against mail privacy but, well, we already need to read them to analyze their content, so it's not the worst aspect of this solution.
So the only solution I see is for you to encourage your users to change to another anti-phishing solution or, at least, to switch the "links visit functionality" off.

All the best,

David
--
A bug in Sympa? Quick! To the bug tracker!

 
David Verdin
Études et projets applicatifs
 

Tél : +33 2 23 23 69 71
Fax : +33 2 23 23 71 21
 

www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex
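
The conflict described in this thread, as an added example that is not part of the original messages and is not Sympa's code: a one-time ticket consumed by a plain GET is spent (and authenticates) on the scanner's prefetch, while a ticket that a GET only displays and a POST consumes survives it. `TicketStore`, `simulate` and the address are hypothetical, constructed for illustration.

```python
import secrets


class TicketStore:
    """In-memory one-time ticket store (hypothetical model, not Sympa's)."""

    def __init__(self, consume_on_get):
        self.consume_on_get = consume_on_get
        self.tickets = {}  # ticket -> e-mail address it authenticates

    def issue(self, email):
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = email
        return ticket

    def handle(self, method, ticket):
        """Return (HTTP status, authenticated e-mail or None)."""
        if method not in ("GET", "POST"):
            return 405, None
        if ticket not in self.tickets:
            return 403, None  # unknown or already spent
        if method == "GET" and not self.consume_on_get:
            # Safe method: serve a confirmation form, change no state.
            return 200, None
        # State change: the ticket is spent and the requester is logged in.
        return 200, self.tickets.pop(ticket)


def simulate(consume_on_get):
    """A link scanner fetches the URL first; the user clicks afterwards."""
    store = TicketStore(consume_on_get)
    ticket = store.issue("user@example.org")  # constructed sample address
    scanner = store.handle("GET", ticket)     # filter follows the link
    user_get = store.handle("GET", ticket)    # user opens the mail link
    user_post = store.handle("POST", ticket)  # user submits the form
    return scanner, user_get, user_post


if __name__ == "__main__":
    print("consume on GET :", simulate(True))
    print("consume on POST:", simulate(False))
```

A scanner that also submits forms would still spend the ticket in the second design, so this narrows the conflict rather than removing it.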



