Do you whitelist email senders
Posted by GriffGB@reddit | sysadmin | 28 comments
Part of my role is managing our email system (mostly O365) and our Gateway filtering system.
It does a pretty good job at blocking emails, but occasionally an email gets blocked incorrectly for spam, and it's usually machine learning, likely due to the way someone has phrased things in the email. The usual request from the recipient is "to whitelist the sender".
I'm always reluctant to whitelist anyone, as we have in the past had compromised mailboxes from customers before, and I don't want to open us up if I don't have to.
I tend to release the email, and mark it as incorrectly blocked so there's less chance of it being blocked. If we repeatedly block their emails and it doesn't look like it's for any specific reason, then I may look to whitelist, but it's a last resort.
I just wondered what other sys admins take on whitelisting email addresses are?
GradeAccomplished322@reddit
Rarely, yes, I allowlist. Not even one address a month gets this treatment nowadays. I don't want to have to maintain the allowlist, mainly; the allowlists of old could be thousands of things and needed constant pruning. Nowadays it's almost always because someone has something goofy in their signature though (like quoting a bad word or using some shady website to host a picture).
However the allowlist isn't immune to SPF checks, DMARC/DKIM, or malware checks; it just skips spam checks.
So if they have technical issues causing them to not be able to send us mail, it's on them to fix those, I'm not exposing thousands of users so jimmy can send us the pool cleaning bill from his unmaintained wix site.
One time, ONE TIME, there was a bank with a serious DNS problem and I did evil DNS things I will never speak of to allow it to work, but only because a CEO was willing to beg and the bank promised they'd have it fixed by next month (it took more like three months and I haven't forgiven them).
SuperfluousJuggler@reddit
The % of BEC based phishing we get far outweighs actual malicious email with payloads. Whoever wants a whitelisted email (single or domain) needs to sign a risk acceptance form and take all the responsibility.
Confident_Guide_3866@reddit
Yes, but only on a very limited subset of addresses that the CEO absolutely requires that they never be blocked
DiggyTroll@reddit
Even then, we still quarantine emails based on attachment types and risk score. Lots of executives' friends/family seem to be vulnerable to scammers. Maybe it's a rich person thing?
mineral_minion@reddit
That's who I would target if I were trying to scam people.
Confident_Guide_3866@reddit
Yeah, we tried that once; the first time a Wells Fargo email (that was legit) got caught up it was game over with the CEO.
highroller038@reddit
Never whitelist. Your suspicion is right - trusted vendors and contacts can become compromised and you don't want to be vulnerable to them in the future. If their emails are going to junk folder or quarantine, tell them to stop sending phishy looking emails. If your email looks malicious, it will be treated as such.
Your email filtering should indicate WHY the email was classified as dangerous and you can make narrow exceptions to prevent those issues going forward.
LeidaStars@reddit
no, I don't
FatBook-Air@reddit
We do. Just to add one thing: don't let anyone tell you this is an easy problem to fix. Nobody -- and I do mean nobody -- has this completely figured out. Sometimes, people give heavy-handed advice on spam handling, and those people are probably new to IT. It's a hard, never-ending problem.
thekohlhauff@reddit
It was a constant problem when using a SEG. Not nearly as big of a problem with the API-based solutions.
OregonTechHead@reddit
Create a rule for specific email addresses or domains that bypass the spam filter.
This fixes that problem while still protecting against phishing, malicious attachments, etc.
New-Potential-7916@reddit
We're currently battling this from the other side. We send upwards of 750,000+ emails a month. Recently we've had huge issues with any emails going to domains hosted on office365.
They're being flagged as phishing emails, but they're all just legitimate one time login links. They're all transactional and we have never done bulk email marketing, or anything else that might make us appear on a spam list. SPF and DKIM checks always pass, dmarc is configured. But still we're getting marked as spam.
The advice from Microsoft was to update our email subject and contents to make them "look less like phishing" which is laughable, the scammers try to make their emails look legit so now I have to make my legit emails look less like legit emails...
It's gotten to the point where we are advising clients to whitelist our emails, but I also understand that many aren't going to want to do that.
thekohlhauff@reddit
Whitelisting is asking for a BEC to come to you.
JLee50@reddit
No. I’ll exempt some from certain flags, e.g. impersonation detection for Adobe Sign because they are like “this email is from Jane Doe” when it isn’t, but I’m not blanket whitelisting something. I’ve had multiple occurrences of “please release this email from quarantine because it’s a known vendor” when that vendor was compromised and it was phishing / malware.
BaconEatingChamp@reddit
Same. For example, we block "graymail" as well, which can have a decent chunk of mail we actually want to come through. We may add a sender to bypass this but still check against spam, malware, etc.
TravisVZ@reddit
A while back we had 3 compromised accounts that we were able to trace to a specific email sent by a partner. Turns out, said partner had only a single part-time IT guy, who missed the multiple announcements about a critical Exchange vulnerability; the bad guys compromised their entire server. The sheer amount of extremely targeted phishing coming from them forced me to block their domain entirely, and no one over there was answering their phones so I finally had to fax them to let them know they were compromised. Even then they were compromised another 7 times over the next two months because their IT guy only installed patches and didn't fully resolve the actual compromise. Had to quarantine everything from them until I was finally able to convince them they had to rebuild the entire server from scratch.
Why is this relevant? Because two days before they got compromised, one of our users asked me to whitelist them. Not because anything had been blocked, but because the partner had asked for it just in case something in the future did get blocked. Because I held the line and refused to do so, some of the phishing sent from their compromised server did get blocked, potentially saving several other accounts from being compromised.
The good news out of all of this is that when someone demands I whitelist some domain, I can point to this incident - it's no longer me arguing from hypotheticals, it literally happened, multiple times, and would have been so much worse if they'd been whitelisted!
I also instituted a policy (by saying it is policy and no one has argued) that besides whitelisting being a last resort to deal with actual issues, never something we do preemptively, to even be eligible for it a domain has to have SPF with hard fail and DMARC set to at least p=quarantine. My argument being that if we're going to bypass our security for a domain, we have to at least be able to verify that it actually comes from that domain. This one rule has stopped more requests than I can count.
Old_Ad_208@reddit
Only a very few email addresses are whitelisted. We tell the user to put the address on their personal whitelist if they don't want it going to their junk folder.
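The eligibility rule TravisVZ describes a few comments up (SPF must end in a hard fail, DMARC must be at least p=quarantine) is easy to turn into a repeatable check. The script below is an added example and not code from the thread or any product; it parses SPF and DMARC TXT record strings that are passed in directly, so it runs offline. The domain names and TXT values in SAMPLE_RECORDS are constructed for illustration, not real DNS data. It also covers an edge case the comment does not mention: a DMARC record with pct= below 100 only applies its policy to a fraction of failing mail, so it is treated as not enforced.

```python
"""Allowlist eligibility check: SPF hard fail and enforcing DMARC.

Added example, not from the original thread. Records are supplied as
strings (what you would get back from a TXT lookup) so the check is
deterministic and runs without network access.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (SPF TXT, DMARC TXT) per hypothetical domain.
SAMPLE_RECORDS = {
    "good.example": (
        "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    ),
    "softfail.example": (
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=quarantine",
    ),
    "monitor-only.example": (
        "v=spf1 ip4:198.51.100.10 -all",
        "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    ),
    "pct-zero.example": (
        "v=spf1 a mx -all",
        "v=DMARC1; p=reject; pct=0",
    ),
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def spf_hard_fail(spf_txt: str) -> bool:
    """True only if the SPF record's 'all' mechanism is '-all'.

    '~all' (softfail), '?all' (neutral), '+all' (pass everything) and a
    record with no 'all' term do not qualify. A 'redirect=' modifier is
    treated as not qualifying because evaluating it needs another lookup.
    """
    if not spf_txt.lower().startswith("v=spf1"):
        return False
    for term in spf_txt.split()[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            return False
        if t.lstrip("+-~?") == "all":
            return t.startswith("-")
    return False


def parse_dmarc(dmarc_txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs; None if not DMARC1."""
    tags: Dict[str, str] = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" else None


def eligible_for_exemption(spf_txt: str, dmarc_txt: str) -> Tuple[bool, List[str]]:
    """Apply the rule: SPF -all AND DMARC p>=quarantine actually enforced.

    Returns (eligible, reasons) where reasons lists every failed criterion.
    """
    reasons: List[str] = []
    if not spf_hard_fail(spf_txt):
        reasons.append("SPF record does not end in -all")

    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        reasons.append("no valid DMARC record")
    else:
        policy = tags.get("p", "")
        if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
            reasons.append(f"DMARC policy p={policy or '(missing)'} is weaker than quarantine")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            reasons.append(f"DMARC pct={pct} applies the policy to only part of failing mail")
    return (not reasons, reasons)


def review(domain: str) -> Tuple[bool, List[str]]:
    """Look a domain up in the constructed sample table and evaluate it."""
    spf_txt, dmarc_txt = SAMPLE_RECORDS[domain]
    return eligible_for_exemption(spf_txt, dmarc_txt)


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        ok, why = review(name)
        print(f"{name:24} {'ELIGIBLE' if ok else 'REJECTED'} {'; '.join(why)}")
```

To use it against a real domain you would feed the TXT values from a lookup of the apex and of `_dmarc.<domain>` into `eligible_for_exemption`; everything the gateway then skips for that sender is still gated on the message actually passing SPF/DMARC, which is the point of the rule.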
ExceptionEX@reddit
The only whitelisting we do are from expected, known automated emails.
If users or companies are getting flagged it's likely for good reason, and it's rarely some machine learning error; it's things like they are in fact over-sending bulk messages, or don't have their setup correctly configured.
techb00mer@reddit
I remember back in the day when I was running a large mail gateway for a hosting provider, processing tens of millions of emails every day, customers would regularly ask for emails to be added to an allowlist so the emails would always get through. All we ever did was disable spam scanning on these emails. If it had phishing URLs, malware/virus signatures etc. it would still get blocked.
Never fully allow any email.
purplemonkeymad@reddit
Agreed. Whenever I'm asked for this I always ask for bounce messages, so I can exclude from that one filter/check, not from everything.
Long_Experience_9377@reddit
No, we don't whitelist as a rule. But there are always exceptions - typically for system-generated business email that we can't get the sender to resolve their SPF and such issues. Those cases are very rare. But that doesn't stop the requests. What I love is when they request whitelisting for things that are actually legitimate issues. Like, one guy wasn't getting an email with PDF attachments he was expecting and wanted us to whitelist the sender. Turns out one of the attachments was already flagged as malicious by VirusTotal for having trojan-like content, and the mail filter was doing its job. So we end up having to patiently explain why it got blocked and what his options were. Not even a "thank you" or anything, they just drift off into the abyss until next time.
PlennieWingo@reddit
"drift off into the abyss" I have to remember that one
DirectorPr@reddit
We use Mimecast, so everyone can trust particular senders and domains, letting them have an easier time getting through some of the more touch-and-go sensors and scans like spam.
As for permitting on the administrative side I usually look at a criteria of does this sender communicate frequently with us, do they communicate with a lot of users, and are they hitting any particular filter such as attachment filtering, spam, DMARC/DKIM/SPF checks, and url filtering?
Then I make a targeted exemption for the scanning/rule they’re failing, for the department or user that needs it. If it’s something their IT team can fix, such as verification checks, I escalate it back to the user with advisement that the sender’s IT has to correct the issue, but on a case-by-case basis we can allow the emails after scrutiny.
I think being hesitant to whitelist isn’t a bad thing. You do have to prioritize business operations at the end of the day, but you also make the best educated move with your tools to secure the means. Also it may help to write documentation to guide users on how to better submit these requests like what I outlined above, “How frequent are communications between you and this sender? Do they communicate with multiple people in the org? Etc.”
bonksnp@reddit
We have Mimecast also and this is pretty much how we look at it. If we do add an exception it's from one specific email to another.
Also something that OP sort of glossed over but you mentioned, "whitelisting" might mean allowing them to bypass DMARC/DKIM/SPF but still filtering for all other criteria. Or it might mean bypassing all email security altogether. It just depends on how it's configured in the email security platform.
Most platforms have separate policies for DMARC/DKIM/SPF failures, impersonation, malicious urls, malicious attachments, and about 50 other things that you can allow access for but still keep security on everything else.
So I wouldn't say whitelisting is necessarily a bad thing as long as you understand what security is getting bypassed and what security is remaining in place.
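The distinction bonksnp draws above, between an entry that skips only the spam score and one that bypasses every check, is the whole argument of this thread, so here is a small model of it. This is an added example, not code from the thread or from Mimecast or any other product: the check names, the `AllowEntry`/`Message` structures and the sample messages are constructed for illustration. It shows the same "compromised but allowlisted vendor" message being quarantined under a spam-only exemption and delivered under a full bypass.

```python
"""Scoped allowlist entries versus a full bypass.

Added example, not from the original thread. The gateway is modelled as a
fixed set of checks; a message carries a verdict per check (True = the
check FAILED) and an allowlist entry names which checks it exempts.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Checks the gateway runs. Names are hypothetical, chosen for the example.
CHECKS = ("auth", "malware", "phish_url", "impersonation", "spam")


@dataclass(frozen=True)
class AllowEntry:
    sender: str            # exact address, or "@domain" for a whole domain
    recipient: str         # exact address, or "*" for everyone
    skip: FrozenSet[str]   # subset of CHECKS this entry exempts


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    failed: FrozenSet[str]  # checks that flagged this message


def entry_matches(entry: AllowEntry, msg: Message) -> bool:
    """Match on sender (address or domain) and recipient (address or '*')."""
    sender = msg.sender.lower()
    if entry.sender.startswith("@"):
        sender_ok = sender.endswith(entry.sender.lower())
    else:
        sender_ok = sender == entry.sender.lower()
    recipient_ok = entry.recipient == "*" or msg.recipient.lower() == entry.recipient.lower()
    return sender_ok and recipient_ok


def disposition(msg: Message, allowlist: List[AllowEntry]) -> Tuple[str, List[str]]:
    """Return ('deliver' | 'quarantine', checks that still block the message).

    Every matching entry contributes its exemptions; anything that failed
    and is not exempted keeps the message in quarantine.
    """
    skipped = set()
    for entry in allowlist:
        if entry_matches(entry, msg):
            skipped |= entry.skip
    blocking = [c for c in CHECKS if c in msg.failed and c not in skipped]
    return ("deliver" if not blocking else "quarantine", blocking)


# Two ways of "whitelisting" the same vendor for the same mailbox.
SPAM_ONLY = [AllowEntry("@vendor.example", "ap@corp.example", frozenset({"spam"}))]
FULL_BYPASS = [AllowEntry("@vendor.example", "ap@corp.example", frozenset(CHECKS))]

# Constructed sample traffic.
LEGIT_INVOICE = Message("billing@vendor.example", "ap@corp.example", frozenset({"spam"}))
COMPROMISED_VENDOR = Message("billing@vendor.example", "ap@corp.example",
                             frozenset({"spam", "malware", "phish_url"}))
OTHER_RECIPIENT = Message("billing@vendor.example", "hr@corp.example", frozenset({"spam"}))


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate the samples under both allowlist styles."""
    return {
        "invoice/spam_only": disposition(LEGIT_INVOICE, SPAM_ONLY),
        "compromised/spam_only": disposition(COMPROMISED_VENDOR, SPAM_ONLY),
        "compromised/full_bypass": disposition(COMPROMISED_VENDOR, FULL_BYPASS),
        "other_recipient/spam_only": disposition(OTHER_RECIPIENT, SPAM_ONLY),
    }


if __name__ == "__main__":
    for label, (action, why) in demo().items():
        print(f"{label:28} {action:10} {', '.join(why)}")
```

The recipient scoping mirrors bonksnp's "one specific email to another": the entry helps the accounts-payable mailbox and nobody else, and the day the vendor is compromised the malware and URL checks still fire.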
plump-lamp@reddit
Mimecast has managed senders. If someone sent an email to that address, it becomes trusted and goes around spam. Still subject to malicious inspection.
dai_webb@reddit
No, we don't allow whitelists; even the people we trust can, and do, still get compromised and send out messages with malicious links. It happened yesterday: 10 minutes after receiving an email from a client with a malicious link, they confirmed the account was compromised.
3sysadmin3@reddit
We used TABL to allow list senders which helps train the AI but wouldn't allow through phish from sender (allegedly). Works great in tandem with users requesting for release.
I wouldn't use transport allow listing or bypass spam/phish protection on senders except in extreme cases. We do have a transport rule set up so rules about food recalls don't ever get caught, b/c we can't afford for those to be sitting in quarantine and we're reasonably sure the sending address is secured as much as we can hope.
Lukage@reddit
Yes, but you still apply your DLP, scans, etc. to those emails.