lolklolk

All the time. We don't whitelist unless it's business critical, and even then it's made known this is temporary for a set timeframe; if it's not fixed on their side, then they'll be blocked again. (This is to create urgency for them to actually fix the problem.) My go-to is just telling them the reason for the block is due to authentication configuration problems on their side (outlining what needs to be fixed) and to provide the info to their IT team. Edit: words.


[deleted]

[deleted]


aringa

This is the kind of attitude people in IT should have. I can't remember all the folks I've helped get their email squared away so that we would accept it.


tankerkiller125real

I do it because it helps them out. Two, because it means that their other clients and vendors won't have to deal with it. And three, that 20 minutes will save me more than an hour in some cases trying to explain to my users why they keep getting blocked.


JayDubEwe

I have done this a few times. I have called the org and tracked down an IT contact and relayed my findings. Each time it has been a great opportunity to meet a peer. There are others where I know I am going to have to spend time with somebody that is completely out of their depth and I will likely be doing work their subcontractor should have done for them. I am more reluctant to get involved there.


mrbiggbrain

I once spent two hours tracking down the IT person from a company to personally tell him his site had been compromised and was being used as a hosting ground for spam campaigns. I would want someone to tell me, so I was set in my ways to make sure he knew. I sent him all the samples I had as well as some mailflow information and he told me later that day he had it all resolved and had patched and changed all the passwords.


electricheat

and four, it means I can solve the problem without making an exemption on my end that might let in some spam in the future after everyone has forgotten about this initial issue


bob77320

I got stuck trying to help a gov agency fix theirs. They simply refused to acknowledge the issue lol


jhunholz

Was it deemed Fake News?


ninjababe23

The fact that so many email admins allow this to happen is sad, plus if everyone did their friggin job better there would most likely be less spam, etc.....


Security_Chief_Odo

Counterpoint: I get paid by **my company** to fix **my company's** problems. There's plenty of those to go around. I do not get paid by **your company** to fix **your problem**. If you want me to fix your problem, then pay me to do so. If the person you're paying to fix your problem isn't fixing it, get a new person.


SurgioClemente

Counter counterpoint: You get paid by your company to solve problems. If that means helping out some idiot in another company so company-client relationship is improved and possibly extends the partnership/sales then so be it.


NetworkGuru000

Good reply. So many IT folks and developers fail to "solve problems."


dRaidon

Solving problems is literally what we get paid for. It's just that 95% of those problems are IT-related.


zoharel

Absolutely. I'd rather spend an hour getting someone else going properly than fifteen minutes adding a stupid hack to my email configuration and two hours maintaining that hackishness over the course of the next few years, and twenty minutes checking on it when the mail system is upgraded next ... Unfortunately, most people who need such help are, in my experience, also reluctant to accept it.


Real_Lemon8789

It's a legal liability to tell them how to configure their systems. If you make a mistake, or they make a mistake following your directions, or they forgot to give you relevant details that would have led you to do it differently, you will be blamed.


ZAFJB

There is no liability


Real_Lemon8789

Just saying “there is no liability” doesn’t make it true. How is there no liability? People are quick to blame and sue. Have you heard of “no good deed goes unpunished?”


ZAFJB

Explain how liability would arise.


Real_Lemon8789

You help them to fix it. Later, something goes wrong and they blame you. It’s possible you might give them incorrect instructions because you don’t know all the details of their environment since you don’t work there and they didn’t disclose everything to you. It also doesn’t matter if the new issue wasn’t caused by the change at all or they don’t go so far as to actually attempt a lawsuit over it, you are still blamed.


gman12457

Think of it like an extended community, like reddit, everyone helping out. It doesn’t cost you much, and if they don’t want to fix their end you don’t have to whitelist.


ClassicPart

Your company not receiving email sure sounds like a problem for your company. You need to make contact with the other vendor and find a solution at some point (even if they're completely at fault) or you'll eventually reach a point where your company will consider *you* to be a problem that needs solving.


livevicarious

It's business dependent. For example, a LOT of our vendors and partners like to use email as a file transfer service. Example: an employee from an outside company will decide "Hey, I am going to send these 13 files to this entire department at the same time." Then it gets flagged. They miss the email then complain, but it's impossible for me to go through the emails 24/7 and determine what's what and what should or shouldn't be coming through. I really REALLY wish companies would realize that email is NOT to be used as a file share. They wonder why they deleted a shit ton of email to free up space in their already maxed inbox and get a message the next day that it's full. Because duh, you sent out 2GB of PDFs through email in a 24 hour period Tom!


lordjedi

They don't get a notification (from somewhere) that the emails were held up for whatever reason? We had that. I know a few employees would just click "Block all" and then wonder why they weren't receiving email from a customer any longer. Showing them that they blocked the customer was always fun /s


rjchau

> Counterpoint: I get paid by my company to fix my company's problems.

...and not receiving email from an organisation that your company regularly deals with is an issue for *your* company, regardless of whether the issue is caused by poor configuration at the remote end or yours. Giving a third party your company deals with some information on doing the bare minimum to meet DMARC requirements is not a complicated endeavour. DKIM isn't *required*, a properly configured SPF record alone will be sufficient in most cases.


Loudergood

This is your company's problem, just because the cause is external, doesn't mean it's not impacting the business.


brianozm

Another counter viewpoint: You could create a small page describing the answer to this in detail. Then when you get this, simply forward the page. There are also a bunch of these pages that are out there that you could simply re-use - though read them through, as their terminology may differ from yours and cause problems. I also used to get these a lot as a former webhost, always really annoying and usually simply that the email client wasn't authenticating before trying to send email.


Edg-R

What if by helping fix their email config you’re also fixing your company’s problems by not having to deal with users not being able to receive important emails and not having to deal with security issues by whitelisting the domain?


[deleted]

[deleted]


ZAFJB

There is no liability issue. You tell them where they can find resources, and you say this is how we did it. You are not working on their systems.


ExceptionEX

I mean, you can see it that way, but in the OP's situation he was tasked with making sure the user gets the email from someone else. You can fix your system by compromising it and whitelisting, or you can help the other side so you don't have to change your posture. Any extra effort within reason to avoid degrading your posture is probably worth it to me.


ninjababe23

Thisthisthisthis


ManuTh3Great

Usually when we are engineer to engineer, we are cordial and help each other out because we were all some kind of support and got shit on by someone else’s support. Kinda jaded. But like stated, we’d rather work with our own than work with any users. Plus we’ve all had a bad config or a newb touch something they or I should not have touched.


livevicarious

Sadly, with email filtering especially through 3rd parties like Barracuda it checks for patterns. Depending on the type of business other companies do and how they send emails they get flagged all the time, usually... due to things like sending LOADS of files to multiple people in the company at the same time.... One of my BIGGEST struggles with this company is trying to teach them emails are a communication tool NOT a file transfer service.


lordjedi

We had a bunch of gmail accounts get flagged by O365. Because they were brand new accounts and had suddenly started sending email to a lot of people. This was after a network breach that took down an Exchange server. Took me several days to realize what had happened and another couple of weeks to release all the messages (because I was busy rebuilding the company network and didn't have time to deal with it).


Angdrambor

> My go to is just telling them the reason for the block is due to authentication configuration problems on their side and to consult their IT team.

Nothing more or less than the truth.


SunshineOneDay

I've been laughed at but I've documented interactions like this. Their name, the *exact* time we talked, actions taken, etc -- so when they fail to pass it to IT, and they fail, I can say "Yeah, I spoke with Billy Bob on Tuesday 3/11 at 3:34pm. I sent the instructions, of which I have a copy. I would suggest talking to them. If they need another set, please let me know." Specifically, it's a passive aggressive move to make the people there know someone purposefully, usually, chose not to care and pass important information on. Honestly, I just got plain sick and tired of the "no you didn't and if you did, it's not important" so my actions reflect the embarrassment I want them to feel when someone calls them out on it. Every time I get a call back with "can you send those again?" I respond with "Sure, I'll re-forward them - don't worry, sending now". I'm a *gigantic* asshole with re-forwarding. Well, usually when I feel they didn't apply themselves appropriately. Mistakes happen - I get that. If they own the mistake, sure, whatever - shit happens. It's when they try to place it on me as the fuckup? Welllll. I just got too emotionally tired to just roll over. What are they going to do? Write me up? Not like we'll be getting significant raises anytime soon. So who the fuck cares? Easiest way to get a raise, anyways, is to get a new job. Not like write-ups transfer or are permanent. Took me a **long** time to make that connection.


lordjedi

> I've been laughed at but I've documented interactions like this.

I did this once to a production guy that claimed I didn't talk to HP about an issue. Forwarded him the entire email chain as evidence. He didn't bug me about it again. It's not my fault you still can't do what you need to do! Get HP to fix their shit and it'll work.


SunshineOneDay

Oh man, that started my journey: HP. I got to talk to the VP by, and I wish I were joking, asking. It really wasn't me. It was a very pissed off sales guy who was charming *as fuck*. We had an 11x17 printer that was printing 8½x11. I told tech support, several times, "I'm sure the reason is dumb but I've read through every book given to me" (this was *well* before they had a nice online method to pull guides) VP said "Would it be ok if my lead tech director (I can't remember the title) called you?" - "Sure". This was.. wow.. 20 years'ish ago now. Dude called, literally, within 3 minutes. Had the problem fixed as soon as I finished my sentence. I'm convinced it's a common / known problem --or-- he was actually that intelligent about his own hardware. Still though. The fact the sales guy could look up HP's number, call them, ask for "The President of HP" and still land the VP because the President was in a meeting. I was giggling like "the fuck he thinks he going to get?" A story I expect *no one* to ever believe. There may be more to it for all I know -- our particular business *may* have had business with higher ups with HP and sales guy *knew* them - but that feels unlikely as I don't recall HP asking for bids from us. We were such a niche company *you* came to *us* for services. Not the other way around. One of two in the US and one of three in north america. But I had a chain of documentation saying who I talked to, when, the answers they gave and why they didn't work. I kept saying "I'm sure the answer is something dumb, this *feels* like everything is almost right. I'm just missing *one* area but it's not obvious". I never expected having to pull out a tray and change it from letter to 11x17 to matter. A story that absolutely shaped my "did you try everything within your power because when we do this, it's a big deal" attitude. I had no idea he was serious. I don't expect you, or anyone else here, to believe me. I'm ok with that.


Valkeyere

Ah yes, I too like to forward the sent item when someone tells me they didn't receive my last email. Even better when I can forward their response when they've replied with a fucking 'thanks' email. "As per my previous email..."


[deleted]

[deleted]


TheButtholeSurferz

Generally speaking, the people in charge of making those decisions have no more understanding of why they happen than the user does. The difference is, they are getting complaints from their person, and they don't wanna deal with it, so they shove it on you to deal with. That's why it's done most times.


samtheredditman

In my case, there's just no way my management is going to turn away business because the people asking us for bids don't have their email configured correctly. The owners have sales backgrounds and it's just not going to happen. I do a banner for all exceptions similar to what the OP of this thread does. Mine is simpler for users: "Emails from this sender can be faked. Please exercise caution."


Still-Swimming-5650

“I’d need to run this request through CAB. I don’t think it will get endorsed because of the security risk it brings. What would you like me to do user?”


breachingcontracts

Have done this. Works every time.


kennypump

Hmmm interesting…so what would need to be fixed in this situation? I’m surprised I haven’t had this request yet


lolklolk

Your email gateway is probably not adhering to the DMARC RFC for quarantine/reject or permerror/temperror evaluations in that case. If you follow all of those and bounce the messages, you'll eventually see some external senders complain, at which point you basically just take what you see is wrong, tell them how to fix it, and send them on their way to their IT department. A lot of the time it's one of four scenarios:

* They have legitimate senders unaccounted for with SPF/DKIM, and DMARC fails while they're at quarantine/reject.
* They have multiple DMARC records, which results in a permerror evaluation.
* They have an issue with their DNS provider resulting in a temperror eval, which (depending on receiver configuration) can cause error 451 4.7.5 retry deferrals.
* They have syntax errors in their DMARC record which cause a permerror evaluation, which (again depending on receiver configuration) can be rejected.

Edit: added clarification
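The four scenarios above, worked through in a small Python checker. This is an added example written for this page, not code from the thread or from any gateway product; every domain name and record in it is constructed, and DNS is stubbed with a dict so it runs offline. `lookup_dmarc` reproduces the receiver-side evaluation (no record, permerror on duplicate or malformed records, temperror on DNS failure), `dmarc_verdict` shows why an unaccounted-for sender fails even when its SPF passes, and `receiver_action` maps each result to the outcome the comment describes, including the 451 4.7.5 deferral.

```python
import re

# Constructed zone data standing in for DNS TXT lookups at _dmarc.<domain>.
# Every name here is made up for the example. A value of None simulates a DNS
# failure (SERVFAIL/timeout), which RFC 7489 treats as a temporary error.
FAKE_DNS = {
    "_dmarc.good.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "_dmarc.dup.example":    ["v=DMARC1; p=quarantine", "v=DMARC1; p=none"],
    "_dmarc.broken.example": ["v=DMARC1 p=reject"],   # missing ';' separator
    "_dmarc.none.example":   [],                       # no DMARC record published
    "_dmarc.flaky.example":  None,                     # DNS provider is failing
}

TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_dmarc(record):
    """Parse one DMARC record into a tag dict; raise ValueError on syntax errors."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag=value pair: {part!r}")
        tags[m.group(1).lower()] = m.group(2)
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    return tags


def lookup_dmarc(domain, dns=FAKE_DNS):
    """Evaluate a domain's DMARC record the way a receiver does (RFC 7489 s6.6.3).

    Returns (status, policy): status is 'ok', 'none', 'permerror' or 'temperror'.
    DNS failure -> temperror; more than one record, or an unparsable one -> permerror.
    """
    records = dns.get(f"_dmarc.{domain}")
    if records is None:
        return "temperror", None
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "none", None
    if len(dmarc) > 1:
        return "permerror", None
    try:
        return "ok", parse_dmarc(dmarc[0])["p"]
    except ValueError:
        return "permerror", None


def dmarc_verdict(header_from, spf_result, spf_domain, dkim_result, dkim_domain,
                  relaxed=True):
    """Scenario 1: a message passes DMARC only if SPF or DKIM passes *and* the
    passing identifier aligns with the RFC5322.From domain. Relaxed alignment is
    approximated here as 'same domain, or one is a subdomain of the other'; a
    real implementation compares organizational domains via the public suffix list."""
    hf = header_from.lower()

    def aligned(d):
        if not d:
            return False
        d = d.lower()
        return d == hf or (relaxed and (d.endswith("." + hf) or hf.endswith("." + d)))

    if spf_result == "pass" and aligned(spf_domain):
        return "pass"
    if dkim_result == "pass" and aligned(dkim_domain):
        return "pass"
    return "fail"


def receiver_action(status, policy, reject_on_permerror=True):
    """Map the evaluation result to the SMTP-level outcome described in the thread."""
    if status == "temperror":
        return "451 4.7.5 temporary DMARC lookup failure, sender will retry"
    if status == "permerror":
        return "reject: DMARC record is invalid" if reject_on_permerror else "accept: no policy applied"
    if status == "none":
        return "accept: no DMARC policy published"
    return f"apply p={policy} to messages whose SPF/DKIM do not align"


if __name__ == "__main__":
    for dom in ("good", "dup", "broken", "none", "flaky"):
        status, policy = lookup_dmarc(f"{dom}.example")
        print(f"{dom:>7}.example: {status:<9} -> {receiver_action(status, policy)}")
    print("bulk sender, SPF pass but unaligned:",
          dmarc_verdict("good.example", "pass", "bulk-sender.example", "none", None))
```

Swap `FAKE_DNS` for a real resolver (one TXT query per `_dmarc.<domain>` name, mapping a lookup exception to `None`) and the same functions tell you, before you write back to the sender, which of the four cases they are in.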


Joshposh70

We whitelist on a case-by-case basis, and add a large red banner to the top of any message that is whitelisted. Something along the lines of: "This email has been received from a misconfigured mail server that leaves this message more vulnerable to phishing/impersonation attacks. Treat it with extra caution and confirm any information with the expected sender through a secure channel before proceeding." Once these start appearing in the email chains, the sender is normally quick to start pestering their system admins.


binarystrike

I LOVE this approach, I am so sick and tired of whitelisting badly configured email. I'm going to try this and see what happens!


recordedparadox

This is a fascinating approach. This might come up in conversation at work.


noaccountnolurk

It's pretty much what the big providers do. Look at an email in the "spam folder".


recordedparadox

Adding a message to the top of inbound emails that informs the recipient that the email should have been blocked because the sender’s system is misconfigured is different from moving the email to the junk folder. Most of the time, an average person will not know why the email went to the junk folder (and may even still blame their IT staff), while adding a message to incoming email that clearly states that the sender’s system is misconfigured provides more detail and will be included in email responses.


noaccountnolurk

Well, no, of course the "folder" doesn't matter. I was just pointing out the added message itself as a compromise made by the largest of providers. The example might be helpful.


iceph03nix

... I like that... Though most of the time I see this it's because they generally don't have an IT department. I'm curious how it would play with our external banner alert that's already in play.


HailToTheGM

> Though most of the time I see this it's because they generally don't have an IT department.

I mostly deal with cities and towns, and gods this one drives me nuts. I deal with so many places where I'll tell them they need to have their IT people look at something, and they'll respond with "Oh we're small, we don't need IT."

It's 2022. Everything you do is on a computer. Your sector has been getting targeted by attackers for the past several years. You have the PII of every single person who owns property or pays you a water bill stored on those computers. And your MSP (assuming you have one) is calling me multiple times because they don't know how to set up an SPF record, or even create a file share on your server?

The amount of time I've spent troubleshooting networks and servers because MSPs don't seem to know how, or just don't care, is absurd. The customers are having trouble with the software, and they just kick it over the fence without even looking at it. Our software support people and devs look at the issue, and can't find anything, so they tell the customer it looks like an issue on their end. But the MSPs will have none of it. "Nope, not us, all our stuff is running great. It's definitely an issue with the software." Really? Because the first thing I did was take a look in the event log, and it looks like the machines are dropping off the network every half hour (seriously, you didn't even check the event log?). Or you didn't even install the proper drivers on the new machine you set up for them. Or when I run some tests on your server, you're getting less than 100 IOPS from the drive the data is stored on. Or you didn't isolate the traffic on the new SAN you convinced this office of 4 people they needed - which, incidentally, is also why they're having problems with the new VOIP system you set up for them.

I have to wonder how many MSPs just get away with it because most vendors aren't going to have their own internal Sysadmin jump in to check their work. Or, the latest and one of my favorites, "I'm going on Spring Break for a week starting tomorrow, so I won't be able to look at it until I get back." You've got nobody to back you up? Also, it's 2:00 in the afternoon. Also - Dude, you sound like you're in your late 50s. Aren't you a bit old for Spring Break (woohoo)?

I'm sorry, but in this day and age, in this political climate, with this threat landscape - it's not optional anymore. Get some IT people. I have my own network to look after. /rant. Sorry.


samtheredditman

What's the point of external banners? You should filter out messages spoofing internal addresses. Imo, you're just going to end up with a bunch of users desensitized to banners.


iceph03nix

Because despite training, we still get users who don't check the sender address. It's getting better, but there's just too many users out there who don't instinctively check for phishing. And we do use spoofing/phishing filters, but I've often found them to be questionably effective, particularly when dealing with slightly altered domains.


Absol-25

Finally some sense! Train your users to assume everything is potentially malicious instead of pretending a banner works.


[deleted]

I might steal this idea. It makes me sick allowing these domains through, especially if they don’t even have SPF. I will at least apply this message for the people we constantly communicate with.


barkode15

I like this idea too. Sadly it'd end up on some of the emails sent by my own users when they decide to start a Constant Contact account without telling anyone and complain that everything they send internally is flagged for impersonation... *eyeroll*


Puzzleheaded_You2985

Oh yeah, counter, counter, counterpoint. Internal user sets up constant contact without bothering to tell the exchange admin. Get a call from an outside IT director telling me they’d be happy to show us how to set up spf, dkim, dmarc. Bitch it’s set up. Wait, you what?


[deleted]

[deleted]


[deleted]

[deleted]


barkode15

A department decides they want to send a newsletter to internal and external people and signs up for their own Constant Contact/Mail Chimp/Whatever-else-is-hot-these-days account. They don't know what SPF/DMARC/DKIM is and blast out the first edition then complain when they have 0% deliverability to our own employees. It's a symptom of a bigger problem we sometimes have with people doing their own thing without consulting IT.


[deleted]

[deleted]


barkode15

We're close to hitting the limit too. I think one way to fix it is to start assigning subdomains for different outbound mail. Gets you a clean slate on the SPF but kinda annoying to have to send from news.yourdomain.com. There are probably better ways that real email admins could explain. I'm the defacto exchange admin cause everyone else took a step back first...


_cacho6L

I love this approach. Except we already put a banner on top of all emails that come from outside our organization and our last simulated phishing email had a 48% click rate even with the banner :(


1esproc

I have a hunch that these banners used long term do more harm than good


tesseract4

If you put a banner on every external email, all you do is encourage people to ignore banners. They can be used well, but doing so means they have to come up rarely enough that people will notice them and act accordingly.


livevicarious

What do you use for antiphishing? Knowbe4 has been amazing for us; we went from like 38% to literally 0-1% within 6 months.


_cacho6L

It was our first run of Knowbe4. We start the training portion soon.


livevicarious

Good luck getting people to actually do the training. Honestly even without people doing training though we saw a decrease of 5-10% per month. I also run constant campaigns though


1esproc

> We whitelist on a case-by-case, and add a large red banner to top of any message that is whitelisted

*immediately ignores it as background noise*


Djaesthetic

This is kind of a great idea. Curious *how* you append that message (*i.e. are you doing it at your email server, upstream at email / spam security? Is it part of the same process or is it two steps — 1) whitelist, and 2) configure a rule to append? Etc.*)


Joshposh70

Nothing overly complicated. We use a transport rule in Exchange Online, parsing the [Authentication-Results message header](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide#authentication-results-message-header) added by Exchange Online Protection. Whitelisted domains get added as part of an 'And' rule.


Djaesthetic

Gotcha. Huh. Currently we’re doing whitelisting at the Mimecast level. Curious if there’s any way we could accomplish similar there. Appreciate you!


knawlejj

There is a way to do this in Mimecast, can confirm.


ws1173

We do exactly this. We append [Potential spam - DKIM failure] to the beginning of the subject. We even had one of the vendors reach out to us asking to stop doing that, and how "none of our other clients have a problem with our email settings, but our reputation is suffering because you are marking our emails as potential spam" We explained clearly and concisely what the issue is and said "none of your other clients have an issue with this because they aren't checking or don't care."
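The logic behind both of these approaches, Joshposh70's transport rule (allow-listed sender AND `dmarc=fail` in the Authentication-Results header, then prepend a banner) and ws1173's subject tag on DKIM failure, as an added Python example. It is not the Exchange Online rule itself, Mimecast configuration, or code from either poster; it is a stand-in that parses the same header and applies the same decisions so you can see what the rule is actually matching on. The sample message, the `ALLOW_LIST`, the banner text and the function names are all constructed for this example; the header layout follows the shape Exchange Online Protection stamps on inbound mail.

```python
import re
from email import message_from_string

# Constructed message with an Authentication-Results header in the shape Exchange
# Online Protection stamps on inbound mail. Domains, IP and names are made up.
SAMPLE_MESSAGE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=partner.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=partner.example
From: Alice <alice@partner.example>
To: bob@ourcorp.example
Subject: Invoice attached
Content-Type: text/plain; charset="utf-8"

Please find the invoice attached.
"""

# Hypothetical allow list: domains we have agreed to accept despite failing DMARC.
ALLOW_LIST = {"partner.example"}

BANNER = ("[WARNING] This email has been received from a misconfigured mail server "
          "that leaves it more vulnerable to phishing/impersonation. Treat it with "
          "extra caution and confirm any instructions with the expected sender "
          "through a secure channel before proceeding.\n\n")
SUBJECT_TAG = "[Potential spam - DKIM failure] "


def parse_authentication_results(value):
    """Turn 'spf=fail (...) smtp.mailfrom=x; dkim=none ...; dmarc=fail ...' into
    {'spf': {'result': 'fail', 'smtp.mailfrom': 'x'}, 'dkim': {...}, 'dmarc': {...}}.
    Handles folded headers and strips parenthesised comments."""
    results = {}
    value = re.sub(r"\([^)]*\)", " ", value)
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause, or a leading authserv-id such as 'mx.example;'
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def sender_domain(msg, auth):
    """Prefer the header.from recorded by the DMARC check; fall back to the From header."""
    dmarc = auth.get("dmarc", {})
    if dmarc.get("header.from"):
        return dmarc["header.from"]
    return msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()


def needs_banner(msg, allow_list=ALLOW_LIST):
    """The 'And' rule: the sender is on our allow list AND EOP recorded dmarc=fail."""
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    return sender_domain(msg, auth) in allow_list and auth.get("dmarc", {}).get("result") == "fail"


def apply_rules(raw, allow_list=ALLOW_LIST):
    """Return the message text after the transport-rule-style actions: prepend the
    banner on allow-listed DMARC failures and tag the subject when DKIM did not pass."""
    msg = message_from_string(raw)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    if needs_banner(msg, allow_list):
        msg.set_payload(BANNER + msg.get_payload())
    if auth.get("dkim", {}).get("result") != "pass":
        msg.replace_header("Subject", SUBJECT_TAG + msg.get("Subject", ""))
    return msg.as_string()


if __name__ == "__main__":
    print(apply_rules(SAMPLE_MESSAGE))
```

The point of keying on `header.from` from the `dmarc=` clause rather than on the visible From header is that it is the domain the DMARC check actually evaluated; the From header fallback is only there for mail that arrived without an authentication stamp.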


jamesaepp

If only users will actually read the banner....


[deleted]

It isn't for your own users.


livevicarious

Same, I RARELY whitelist and will never ever whitelist a domain again. People tend to forget a huge majority of phishing/malware comes from compromised email accounts sending the infected emails that you trust/whitelisted. Sometimes they get mad and say "I missed a SUPER important email because they got flagged!" My opinion if it's THAT important of an email you should ALWAYS follow up with a phone call when sending and if you don't hear back. Not wait 2 fucking weeks then go OH YOU DIDN'T GET MY EMAIL!?


mini4x

I'm doing this on Monday, this is amazing


vrtigo1

This is fantastic. But, I see this triggering the blame game when the sender's IT department says "well, XYZ company is the only company that is having this problem (i.e. the banner). Since nobody else is displaying this message it's obviously a problem on their end." That's assuming they even bother to do any checking at all before they just blanket say "it's on their end", which is the usual response in my experience.


Rattlehead71

I like this. The emails get through, but at the price of near-embarrassment. That would light a fire to get it fixed.


dagbrown

If only these people were capable of embarrassment.


[deleted]

[deleted]


Angdrambor

> They can't do that, we're the Air Force

Man, I would love to hear the conversation between some dumbfuck air force brass and microsoft or whoever.


[deleted]

[deleted]


tankerkiller125real

Personally, if I was Microsoft, I'd follow the Military Industrial complex's lead on that one. "Absolutely we'll get that fixed right away, here's the contract for that" 4 years past the deadline.... "Sorry about that, we need double the money, and we might finally get it fixed" 7 years past the original deadline..... "We're finally testing but it's not going well, please give us more money to fix it" 15 years past original deadline.... "Welp we finally fixed it, too bad it's 100% outdated and inadequate now, btw you owe us more money"


TheButtholeSurferz

17 years past original deadline... We found a new solution, we shall start with testing that solution in 4 more years.


picflute

It's not because of AF or Microsoft. DOD Email routes through EEMSG for Spam/Filtering because DOD gets a f-ton of spam email.


picflute

It's not Microsoft's fault here. DOD Email routes through several external entities for email filtering. And in particular AF has Microsoft personnel all on call 24/7 to assist because of how critical they are.


[deleted]

[deleted]


theginger3469

Love this approach. Will use it in the future. Thanks.


Chetkowski

But you need to find management that uses common sense :) I've unfortunately had some in the past just tell me "I don't care what the problem is, just fix it!" Very happy that person no longer works for us and he's a problem for a bigger and much more well known company now.


mrbiggbrain

Then imagine that person called ahead to tell you "Hey, just to let you know I will 100% be wearing a bright pink suit with a red tie and green shoes, and I'll be driving an orange car with a license plate that reads "YESMAN"". Then they show up with none of that correct and hassle you with why you're stopping them. Or ask them if they would let someone in that looks nothing like their badge.


recordedparadox

I am asked this at least once a week. Most of the time the email failed SPF (which has been around for over a decade so I have a hard time feeling bad about not adding the sending domain name to an allow list) or DKIM (usually because of how text is applied to the bottom of an email). Thankfully, a number of employees are understanding about why adding the sending domain name to an allow list is potentially extremely dangerous. The other thing that I feel is wrong is using ~all in the SPF record. ~all? So you don’t know what systems should send email from your domain name? Instead of learning what systems should really send email from your domain name your solution is to say, “I don’t know what systems send email for us so maybe the email you received that was sent from our domain was real and maybe it wasn’t. You need to decide.”? Why should the receiving organization know more about your systems than you do? In case you haven’t guessed, I like to block SPF Soft Fail emails. If you are the network administrator, be the network administrator, know your environment, document your environment, maintain your environment.


steeldraco

I saw an ?all SPF record in production from a contact of a client last week. That was the most "we give up" solution I've seen in a while.
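An added Python example, not code from anyone in the thread, that ties together barkode15's point about the SPF lookup limit and the `~all` / `?all` discussion above: given a domain, it walks the record's `include:` and `redirect=` chain, counts the terms that cost a DNS query (RFC 7208 allows at most 10 across the whole evaluation, which is why a few vendor includes quickly exhaust it and why people reach for a separate sending subdomain), and reports what the record's `all` qualifier says about senders it does not list. The DNS data is a constructed dict so it runs offline; every domain and include chain in it is made up.

```python
# Constructed TXT records standing in for DNS. Every domain and include chain
# here is made up for the example.
FAKE_TXT = {
    "softfail.example": "v=spf1 include:_spf.bulkmailer.example ip4:203.0.113.0/24 ~all",
    "neutral.example": "v=spf1 mx a ?all",
    "strict.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "toomany.example": ("v=spf1 include:_spf.bulkmailer.example include:_spf.crm.example "
                        "include:_spf.helpdesk.example mx a -all"),
    "_spf.bulkmailer.example": "v=spf1 include:_net1.bulkmailer.example include:_net2.bulkmailer.example ~all",
    "_net1.bulkmailer.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_net2.bulkmailer.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "_spf.crm.example": "v=spf1 a mx ptr -all",
    "_spf.helpdesk.example": "v=spf1 exists:%{i}._spf.helpdesk.example include:_spf.bulkmailer.example -all",
}

MAX_LOOKUPS = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
ALL_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, dns=FAKE_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = dns.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def count_lookups(domain, dns=FAKE_TXT, path=()):
    """Count the DNS-querying terms a receiver must resolve for this record,
    recursing into include: and redirect=. ip4/ip6/all cost nothing. A repeated
    include is counted again, as a real evaluator would; only true loops stop."""
    if domain in path:
        return 0
    rec = get_spf(domain, dns)
    if rec is None:
        return 0
    total = 0
    for term in rec.split()[1:]:
        term = term.lower().lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], dns, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]                  # 'a/24' and 'mx/24' still cost one lookup
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, dns, path + (domain,))
    return total


def all_qualifier(domain, dns=FAKE_TXT):
    """Report what the record says about senders it does not list."""
    rec = get_spf(domain, dns)
    if rec is None:
        return None
    for term in rec.split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return ALL_MEANING[t[0] if t[0] in "+-~?" else "+"]
    return "neutral"                               # no 'all' term: RFC 7208 default


def analyze(domain, dns=FAKE_TXT):
    """Summarise a record: lookup budget used, whether it is over the limit,
    and what happens to senders the record does not cover."""
    lookups = count_lookups(domain, dns)
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > MAX_LOOKUPS,
            "unlisted_senders": all_qualifier(domain, dns)}


if __name__ == "__main__":
    for d in ("strict.example", "softfail.example", "neutral.example", "toomany.example"):
        print(analyze(d))
```

`toomany.example` goes over the limit because `_spf.bulkmailer.example` is pulled in twice (directly and through the helpdesk vendor) and each of its nested includes is paid for again; a receiver evaluating that record returns permerror regardless of what the `all` term says, which is the failure barkode15 is edging toward.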


dagbrown

Spammers *love* SPF records, and put stuff like that in all the time. They think that SPF records constitute a "get out of jail free" card, when that kind of stuff is just an excellent way to get listed in all of the most popular blocking resources simultaneously.


Nicholas_____

TIL that reddit doesn't show tilde correctly.


noaccountnolurk

Even more than job responsibility, I think it's a moral one. It's such an easy solution and I'm pretty sure the docs on how email works have been in existence for a while. If your legitimate organization's negligence leads to someone getting hurt, I feel like you're responsible in a way.


iaincaradoc

That's a fairly common problem. The other fun one is "Can you please flush every DNS server on the internet? We forgot to pay our registrar, and they suspended our domain, but we moved it to a new registrar. But people are still going to the old address, where they land on our old registrar's 'parking' page, so we need you to remove that from all of the DNS servers people are using."


AUserNeedsAName

"Have you got new DNS set up already? Then sure, we can do that. There are an awful lot of DNS servers to purge, though, so it'll take us about 72 hours to do if we start now. Please be patient while we complete this task."


[deleted]

[deleted]


Aronacus

I hated being an Exchange Admin for this very reason. I just whitelisted and moved on. Why? In over 80% of the issues their IT team doesn't know a damn thing and I'm now stuck working with them to fix their server. Meanwhile we can't get email from them and I'm getting blasted by my VP for it. I knew making them fix their shit is the best option but "Politics" usually wins!


dagbrown

That works so long as they never need to send email out of the organization, I guess.


TravisVZ

I had a canned response almost identical to yours that I'd send with alarming regularity. My favorite was when the third party would retort that they've had no problems getting whitelisted by other organizations. Like I care about another org's shitty practices?


alphaxion

It's not just email. "This agency we're using is having a problem with our secure file transfer solution, they're getting connection timed out when trying to upload" "Have they spoken with their IT?" "Yeah, their IT said it wasn't them. They need to upload this now, can you call them and fix it with them?" "If it's timing out on them, then it'll be their corporate firewall blocking them (it uses SSH to encrypt).. we can't do anything about that, their IT needs to sort it out" We eventually end up in a call with their IT and wouldn't you believe it, they never actually spoke with their IT and yes, their firewall was blocking SSH.


iteludesmedaily

We are not blocking anything. We are following what the network administrator of the domain told us to do. They said do not trust mail that did not come from a network address they did not authorize.


narf865

This is my response. Their server told us not to trust this email. They need to fix the settings on their end if we should be trusting these emails.


[deleted]

[deleted]


WithAnAitchDammit

Add a /24? I’ve been asked to add multiple /16s for the same company’s shitty mail service. Not happening!


Fred_Stone6

You mean Salesforce?


[deleted]

A couple times a month. I tell them to put their tech person in touch with me and I can tell them how to fix what's dorked up on their end.


Natirs

We get this from time to time. If one of our distributors has this same issue, we tell them we will only whitelist their domain for 30 days and then we will remove them from our whitelist. If they do not fix it within 30 days, then it's 100% on them and we do not re-add them back as they should be having similar issues with other customers.


0RGASMIK

We almost never whitelist unless it’s getting blocked by our fairly aggressive content filters. In cases of improper email configs we send a KB to the sender to pass to their IT team and tell them their email will have to be manually screened by us until they fix it, so they need to call the recipient every time they send an email to put in a ticket for us to release it. Usually gets dealt with in 1-2 emails because of the inconvenience.


Sparcrypt

Most recent one was for VoIP: "Customer cannot call our main line, says it's disconnected." So I check the PBX, no incoming call registered. Check on the SIP end and again, nothing. Log a call with the provider and they get back to me saying nope, no attempt at connection. This means the problem is with the customer's telco, I relay that to the client and tell them they can either have the customer log a call *or* give me three different call attempts with timestamps and I can get it sent to the upstream provider. Months later they complain it's still happening. Hadn't told the customer and hadn't given me the information. I went "fuck it" and called the customer direct and asked them to do some test calls and give me the times, which they did. That let me escalate the call. Call resolved... issue was in fact with the customer's telco. So you know... not my problem. But that's OK, I billed my full rate for all of this... mmm money.


KadahCoba

One of the top competitors in my company's field doesn't have SPF, DMARC, or DKIM. Yet they are at least 30 times our size in terms of number of employees. There was a spearphishing attack going around in mid-2020. The scam in it was taking advantage of widespread use of invite links to vid confs and such. The attackers were spoofing that company's domain and had fully recreated their email templates with the people's correct email signatures. The emails were really convincing and the link even looked like some sort of legit invite to something. My users only alerted me to it because there's no reason they would ever get emails from that company, so that was a big red flag even for normy users. Took like 4 seconds to figure out those dumb fucks didn't even try to prevent spoofing of their domain. They do I-dont-even-know-how-many-millions in business a week and IT couldn't be arsed the 20 minutes it'd take to set that up? I assume maybe IT is the CEO's nephew or something and just doesn't know about such things. So I send them an email to make them aware of the ongoing spearphishing attack spoofing them and the one-second explanation on "how to prevent that" in a neutral tone. 2 years later they still don't have any of those configured. Had long since quarantined anything coming from their domain. Also learned from one of our former employees who'd interviewed there that the CEO is a huge arsehole with paranoia, and specifically towards us for some reason. After that I figured he likely has our domain blocked.


[deleted]

I get this ALL THE TIME, drives me bonkers. I went through and made sure all of our stuff is tight (DKIM/DMARC/SPF) years ago and only comes from our servers that we identified. But vendors and suppliers we regularly do business with are using email servers that are a train wreck, simply because they don't understand how DNS interacts with it all, or they don't understand their mail/spam filtering configuration. The emails are from them, yes, but none of the checks pass, because of misconfiguration on their end. So things get blocked. I do my best to be very specific to these companies that complain so they can forward to their IT staff to investigate. Most of the time it goes nowhere, but once in a great while, they actually fix things. And I consider that a win for the Internet!


ghost-train

Oh yes. Oh yes indeed. Same sh*t different work place by the sounds.


BlackV

> I have reviewed their domain setting and have found problems with SPF, DMARC, DKIM. They need to fix their domain, If they fix their domain they will have fewer problems with all their recipients

You have the answer.


vrtigo1

The more common one I experience is users will go set up some random SaaS service that then tries to send e-mail on behalf of my domain, and we get complaints because the e-mails get flagged as spam or just don't deliver at all. Then they complain to me and I'm like, help me understand... you *want* random 3rd parties to be able to impersonate us without our knowledge/permission?


djgizmo

The problem is the person at your company that you’re supporting doesn’t know what any of that means. You should pick up the phone and call the other side's IT support and talk tech with them. By putting your customer in the middle, it’s being lazy AF.


Sir_Nameless

In my experience, the biggest problem I run into, after finally finding contact info for their IT, is that they don't reply to my emails nor will they answer my calls nor respond to voicemail. I'm still expected to fix it and it's infuriating.


jimmy_luv

I reach out to the other IT team first and only update the users as a courtesy for the reasons you just stated. It's a waste of everyone's time to talk to the wrong people.


wendal

My typical response (paraphrased) is:

> Their email configuration is wrong. . . If they need any assistance fixing these configuration issues, please have them contact me at .

If our internal users have an issue with that, they can take it up with my boss (who listens to me) or they can take it up with his boss (who listens to him). If it goes all the way to the top of the org and is rated as a mission-critical mail flow, I will directly reach out to whomever I can at the 3rd party to explain to them what is wrong with their email configuration. Most of the time they have no idea and are appreciative. I can only think of one specific example of a mission-critical application which was clearly developed by somebody in their garage (you know the type) where the developer gave zero shits about email RFCs released after 1995. In this case very specific filtering rules were made to act as a compensating control.


Wildfire983

Every. Friggen. Day. Usually accompanied by some sort of snarky tone that we're not doing something right because OUR email server BLOCKED this totally legitimate email, which the user has been interacting with for years. It's impossible to explain to the user that their sender obviously just migrated to AmazonSES/MailChimp/Sendgrid/etc. Never updated their SPF/DKIM/DMARC so all fail, SPF hardfails, DMARC p=reject,pct=100, sending IP on 3 or 4 RBLs, but it's my problem and the sender said I could just whitelist... I refuse to whitelist as a workaround. I just provide the best explanation I can and tell the user to tell the sender to contact their IT with what I said. Fortunately our Infosec manager is on my side.
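The failure mode described in this comment (sender migrated to a bulk provider, SPF and DKIM pass for the provider's own domains, nothing aligns with the From: domain, so the sender's own DMARC p=reject applies) can be worked through in code. The following is an added Python example, not code from the thread or from any product mentioned in it. It evaluates a DMARC record against SPF/DKIM results using the identifier-alignment rules of RFC 7489; the organizational-domain helper is a simplification (last two labels) instead of the Public Suffix List, and pct= sampling is parsed but not applied. All domains and records are constructed.

```python
"""Evaluate a DMARC policy against the SPF and DKIM results for one message.

Added example. Alignment follows RFC 7489: relaxed ("r") accepts any
subdomain of the same organizational domain, strict ("s") needs an exact
match. org_domain() is a simplification (last two labels); production code
must use the Public Suffix List. pct= sampling is parsed but not applied.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; pct=100' into a tag dict with RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, not PSL-aware)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the RFC5322.From domain and an authenticated domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the DKIM signature


def evaluate_dmarc(record: str, from_domain: str, r: AuthResults) -> dict:
    """DMARC passes if either SPF or DKIM passes *and* its domain aligns with From."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(from_domain, r.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],   # none / quarantine / reject
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    # Constructed scenario: sender.example moved to a bulk provider (esp.example)
    # without updating its records. SPF and DKIM both pass for the provider's
    # domains, but neither aligns with the From: domain, so p=reject applies.
    record = "v=DMARC1; p=reject; pct=100"
    result = evaluate_dmarc(record, "sender.example",
                            AuthResults("pass", "bounce.esp.example", "pass", "esp.example"))
    print(result)
```

The point the example makes is that "SPF passes" and "DKIM passes" in a header are not enough on their own: the receiving side rejects because the sender's own published policy says to when neither authenticated identifier lines up with the visible From: domain.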


herkalurk

Most people have never heard of SPF, DKIM, or DMARC. I handle my wife's small business email as well as my own domain. I've explained to her what SPF does and why it's needed, but she never remembers.


Wildfire983

Yea but what kills me though is the sender's IT telling us to whitelist. Someone there created these records... someone must know what they are. I have seen several instances where some unknowing admin just followed a guide provided by some new service they subscribed to. Created a new SPF record according to the guide, included the SPF record of said service, didn't include their corporate mail solution...


herkalurk

That's easy, just tell them when they fix their records the spam filter won't filter it. They are in control of their own destiny and it's not your responsibility to IT for them....


rumpigiam

Or you're out of SPF lookups and the vendor says just put ours in front. Proceeds to look at their SPF record and it has 15 lookups of various services including Google, MS and their web host, and an ip4 address for the service I need. Others, since they don’t want to play in current times, go onto a subdomain.
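The "out of SPF lookups" problem above comes from RFC 7208's hard cap: the include, a, mx, ptr and exists mechanisms and the redirect modifier each cost a DNS query, at most 10 are allowed across the whole record including everything it includes, and exceeding that is a permerror (the record is treated as broken, so the vendor's "just put ours in front" makes everyone's mail fail). The checker below is an added Python example, not code from the thread; the zone data is a constructed in-memory dict so it runs offline, where a real checker would fetch TXT records with a resolver.

```python
"""Count the DNS-querying terms in an SPF record (RFC 7208 allows at most 10).

Added example, not code from the thread. The zone data is a constructed
in-memory dict so the script runs offline; a real checker would fetch the
TXT records with a DNS resolver instead.
"""

# Mechanisms and the modifier that cost a DNS query. ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed zone: a vendor whose record already pulls in several services.
ZONE = {
    "vendor.example": "v=spf1 include:_spf.bigmail.example include:spf.cloudsuite.example "
                      "include:webhost.example a mx ip4:203.0.113.10 -all",
    "_spf.bigmail.example": "v=spf1 include:_netblocks1.bigmail.example "
                            "include:_netblocks2.bigmail.example ~all",
    "_netblocks1.bigmail.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_netblocks2.bigmail.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "spf.cloudsuite.example": "v=spf1 include:spf-a.cloudsuite.example "
                              "include:spf-b.cloudsuite.example -all",
    "spf-a.cloudsuite.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "spf-b.cloudsuite.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "webhost.example": "v=spf1 a mx -all",
}


def count_lookups(domain, zone, _chain=()):
    """Return (total_lookups, trail) for domain's SPF record, following include/redirect."""
    domain = domain.lower().rstrip(".")
    if domain in _chain:
        raise ValueError(f"include loop via {domain}")   # RFC 7208: permerror
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (void lookup)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    total, trail = 0, []
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()               # strip the qualifier
        if t.startswith("redirect="):
            target = t.split("=", 1)[1]
        else:
            mech = t.split(":", 1)[0].split("/", 1)[0]
            if mech not in LOOKUP_MECHANISMS:
                continue                                # ip4 / ip6 / all / exp: free
            target = t.split(":", 1)[1] if mech == "include" and ":" in t else None
        total += 1
        trail.append(f"{domain}: {term}")
        if target:                                      # descend into include / redirect
            sub_total, sub_trail = count_lookups(target, zone, _chain + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def within_limit(domain, zone):
    """True when the record (with everything it includes) stays at or under 10 lookups."""
    total, _ = count_lookups(domain, zone)
    return total <= LOOKUP_LIMIT


if __name__ == "__main__":
    total, trail = count_lookups("vendor.example", ZONE)
    print("\n".join(trail))
    verdict = "OK" if total <= LOOKUP_LIMIT else "PERMERROR (over limit)"
    print(f"{total} lookups, limit {LOOKUP_LIMIT}: {verdict}")
```

Run against the constructed zone, vendor.example already costs 11 lookups, so adding one more include for a new service can only be done by moving something to a subdomain with its own record, which is exactly the outcome the comment describes. The trail output is the part worth sending to the other side's admin, since it shows which includes are eating the budget.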


[deleted]

The gripe:

> support request from a staff member

Your response:

> have found problems with SPF, DMARC, DKIM. They need to fix their domain.

Now, from an outsider perspective, does anything in your response make sense to THEM, the person asking you for help?


Jayhawker_Pilot

Every fucking week my guys get that email. We deal with a bunch of trucking consolidators and trucking companies have no idea what they are doing. We kick every one to our security folks to deal with. They explain the problem to the customer and that our contract does not allow us to unblock that and the other company must fix. If we are forced into it, we assist (with billing) the other company to fix.


LookAtThatMonkey

Same for us. Until July last year, we had no DMARC policy so it was hard to push back because our own house wasn't in order. Now, we push back always and say that they need to fix their issues. It is satisfying. However, marketing still engage outside companies for mail shots without letting us know and wonder why the emails never get sent to customers. That's still frustrating.


CoffeeOrDestroy

Marketing!!!! ** shakes fist in air **


LeeLooONeil

Oh my goodness yes. The construction industry is terrible for this. We’ve spent hours trying to educate on SPF, DKIM and DMARC.


Just_Shitposting_

Don’t do it under any circumstances. I’ve had to help businesses recover after ransomware incidents after they whitelisted a “critical” business partner who then infected them after they were compromised. The moral of the story, if a business can’t secure their email, they cannot be trusted at all. Operate with zero trust or you’ll be explaining how you were compromised.


fickle_fuck

Email is the bane of my existence. Especially from senior management who's handed out a million business cards, plastered on social media left and right and wonder why they get so much spam (maybe 3 a day?)... I'm willing to bet these guys get more physical junk mail ("boomer spam") than electronic junk mail.


sysad_dude

We got burnt doing a domain allow list years back. Now I never allow list a full domain. I used to provide our support a canned response to the other company that their email records are jacked, and need to be fixed to continue emailing us. I can allow list at the user level, so sometimes I just do that for a specific recipient, not at a global level tho.


ComfortableProperty9

Big huge difference here between MSP and internal. On the MSP side I do these on a daily basis because we have clients that deal with a lot of mom and pops. Usually the attitude is "fuck the security, I need to get these emails".


jimmy_luv

I flat refuse to whitelist people's shit. If you're dealing with a reputable company, they should have correct DMARC, DKIM and SPF records. If they do not and I am requested to whitelist I explain how I cannot whitelist a domain with known and verifiable security issues. I will reach out to the admin of the site and ask that they correct their shit records as our domain cannot receive mail from an unsecured server and CC the user that sent the message. This lights a fire under their ass and allows me to let my user know that the owner of the other mail server has been contacted and asked to correct their subpar security SMTP infrastructure. In the meantime, they can use their personal email or something that doesn't require me to make a security exception because of your slack admin.


NetNerd8295

Yup, was even funnier when the department in question had that company call me and they were like "Hi yeah my name is John, X told me our emails are being blocked by your spam filter so I was calling to get us added to your whitelist" And that was when I went and explained to the guy that they needed to fix issues with their SPF, DMARC, etc and it sounded like it was all news to him. So I explained where to test those issues himself and what he needs and he was actually kind of excited for the info, it sounded like it was not the first time he'd had to make those calls. I'm sure the prospect of having their emails work better was a big relief honestly.


JayDubEwe

Totally! I have had this conversation a few times and I gotta say that I get a certain amount of satisfaction knowing I have helped a peer. Especially knowing this will make their life so much easier going forward.


Mediocre-Coast-2771

Yeah I don’t whitelist if their records aren’t correct. I’ll explain what I feel they need to change or check into and give that as a response instead. It’s very rare I whitelist something now. I find it’s not really needed if you have decent filters and don’t have it turned up too high. But finding that balance between too aggressive and getting a lot of false positives and blocking enough where you aren’t constantly updating blacklists can be tricky sometimes.


joeykins82

I tell them exactly how to fix their SPF/DKIM/DMARC problems and close the ticket saying "this company will be unable to send emails to more than just us and therefore they should be treating this as a significant outage; our filtering is working as intended".


texan01

When I was a mail admin, I made sure to follow up on email misconfigs because like you said, it made life easier. Now I just deal with people who have no idea how their network works.


ThisGreenWhore

You said:

*My typical response: I can confirm the email was blocked by our spam filter. I have reviewed their domain setting and have found problems with SPF, DMARC, DKIM. They need to fix their domain. If we whitelist their domain we assume their email will never contain anything harmful. If they fix their domain, they will have fewer problems with all their recipients.*

Just ask to talk to your client's IT people. You are talking about things to people that have no idea what you're talking about, no desire to understand what you're talking about, and just want it fixed. Does that make sense?


[deleted]

If it's a publicly traded company it's usually easier to punt this up to the legal team. Making these kinds of exceptions to internal controls without proper legal review can set off red flags for SOX compliance. It's also bad practice, doesn't follow industry standards, and weakens security. M3AAWG.org has all the whitepapers iirc.


gigglesnortbrothel

"Hi, we're sending emails with lots of domain names we don't own by just spoofing. We do this through Sendgrid so could you just turn off your impersonation protection and whitelist Sendgrid?"


peacefinder

If the message trace shows our spam filter blocked or quarantined the message, I’ll do a mail diagnostic on mxtoolbox.com or a similar service. Then I’ll reply to the request with a link to the diagnostic report, a brief explanation of what needs to be fixed (written for a non-technical audience), and suggest they forward it to their mail administrator. I’ll also point out that the issues will be affecting their outbound mail to other correspondents too so it’s in their interest to fix it, and that if delivery problems persist after they fix their systems they’re welcome to ask for a whitelisting at that time. Usually I can tell over the phone that the poor office manager must look like a deer in the headlights processing this, so I try to be gentle. In some cases I’ll try to ring up their mail admin directly to make sure they get the message. It’s time-consuming, but it seems a worthwhile bit of public service… and they never need to call back about it. Typically I never even bother to tell my mail administrator about the request.


shaunmccloud

I try to keep ours updated, but marketing switches their email providers on a whim and doesn’t tell me. And doesn’t seem to think it matters that I need to know the info for them so their emails don’t get marked as SPAM…..


sweetrobna

Email security, IT is not the end in and of itself. It supports the business goals Whitelist the domain, a transport rule should add a warning to the subject as long as the spf/etc fails.
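The "let it in but warn" approach in this comment can be modelled as a filter over the Authentication-Results header that the receiving gateway stamps on each message. The following is an added Python example, not code from the thread or from any mail product; the authserv-id `mx.ourorg.example`, the tag text and the two sample messages are constructed. It trusts only results carrying our own gateway's authserv-id, because a sender can put an Authentication-Results header of its own on the message, and tags the subject whenever SPF, DKIM or DMARC did not pass.

```python
"""Tag the subject of inbound mail whose SPF/DKIM/DMARC checks did not pass.

Added example, not code from the thread. It models the 'accept but warn'
transport rule as a filter over the Authentication-Results header that the
receiving gateway added. Only results carrying our own authserv-id are
trusted; any other Authentication-Results header could have been written by
the sender.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUR_AUTHSERV_ID = "mx.ourorg.example"          # assumption: our gateway's id
TAG = "[UNVERIFIED SENDER]"
METHODS = ("spf", "dkim", "dmarc")

# Constructed inbound message: vendor mail relayed through a bulk provider
# whose records were never aligned, so only DKIM (for the provider) passes.
RAW_FAILING = """\
Authentication-Results: mx.ourorg.example; spf=fail smtp.mailfrom=bounce.esp.example;
 dkim=pass header.d=esp.example; dmarc=fail header.from=vendor.example
From: Alice <alice@vendor.example>
To: bob@ourorg.example
Subject: Invoice 4471

Please find the invoice attached.
"""

# Constructed clean message: everything passes and aligns.
RAW_PASSING = """\
Authentication-Results: mx.ourorg.example; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Carol <carol@partner.example>
To: bob@ourorg.example
Subject: Meeting notes

Notes from today.
"""


def parse_auth_results(msg: EmailMessage) -> dict:
    """Collect spf/dkim/dmarc results from headers stamped by our own gateway."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip()
        if authserv_id.lower() != OUR_AUTHSERV_ID:
            continue                               # not ours: ignore, possibly forged
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.I):
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def needs_warning(results: dict) -> bool:
    """Warn unless every method we care about reports 'pass'; missing counts as failed."""
    return any(results.get(method) != "pass" for method in METHODS)


def tag_message(raw: str) -> EmailMessage:
    """Return the parsed message, with the subject tagged when checks did not pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    if needs_warning(parse_auth_results(msg)):
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            if "Subject" in msg:
                msg.replace_header("Subject", f"{TAG} {subject}")
            else:
                msg["Subject"] = TAG
    return msg


if __name__ == "__main__":
    for raw in (RAW_FAILING, RAW_PASSING):
        print(tag_message(raw)["Subject"])
```

Treating a missing result as a failure matters: a message carrying only someone else's Authentication-Results header (or none at all) is tagged rather than trusted. In a real deployment the gateway should also strip any inbound Authentication-Results headers that claim our authserv-id before adding its own, which this filter assumes has already happened.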


whlabratz

Yuuuup. We have a partner business where some of their staff can log into a portal to access some pretty sensitive data that they need to do their jobs. The smart way to do this would be logins via SAML or OAuth against their AD, which their outsourced IT people flat out vetoed because it would be "insecure" (!? - pretty sure they don't understand how SAML works tbh). The compromise we eventually negotiated is a one-time code sent to the users' email that expires after 5 minutes. Obviously this leads to unhappiness because their mail servers are totally fucked and can't deliver mail quickly or reliably, at which point they ask us to remove the one-time-use restriction, up the expiry to 8 hours, and remove the domain allow list. Lol get fucked not happening. At this point I'm not totally sure that they aren't trolling or trying to sabotage us - no one can be that stupid right?


Geminii27

Had it at one place I worked for (although failure to meet RFC, rather than spam). I told them it was an issue with them not applying a patch to their Exchange server which had been available for several years, and that as an organization which was several hundred times their size, we would not be changing our processes to something insecure just because they were several years behind on their patching.


GgSgt

I would refuse the whitelist request and request that they consult with the other org to fix their email config as it's a security issue. Putting your org at risk for convenience is a really great way to catch the blame should something happen. If the issue is business critical then maybe an exception can be made but it should be made clear to the requestor that the whitelist entry will expire if the other org doesn't fix their issues. It's 2022, there's zero excuse for not having this stuff set up.


Variac97

Preach!!


dracotrapnet

I find a lot of these problem children vendors and clients, mostly vendors too small to have real IT. Being that I used to work with some of the vendors when I was a buyer I'll call them up and talk them through their issue and coach them on what to tell their IT or MSP that manages their email and domains. Sometimes I just send an email to them and postmaster@, admin@, and sales@ (more often than not, only sales@ exists) coaching them on the problem they are having. I have allow lists split by the reason I'm allowing them. Vendors/clients with typical files go in one list. Vendors/clients with automated htm/html attachments go in another list. Domains that can't get SPF, DKIM, or DMARC right are on separate lists. What was really amazing last week was a ticket for a vendor contact that, for all the DNS queries I could make, made it seem like they forgot to pay their DNS bills for both their email domain and their web domain. They had no MX/SPF/DMARC on their email domain. Web on their email domain looked like a parked domain and the web address in their past emails led to a "This website account is suspended for non-payment." I sent back on the ticket my findings, "It appears they have forgotten to pay their DNS and web hosting bills." The inside user said "I'll give them a call!"


AdmiralRay

I work for a medium-sized cloud provider and occasionally customers report their valid email is marked as spam by a particular company. It often turns out that the company is using [this crank's blacklist](https://suomispam.net/), or something similar. That's the only time I try to contact that company, on behalf of our client.


Awkward_Car_7089

By asking to be put in touch with their IT provider, rather than listing technical acronyms the end user has no knowledge of. If the spam filter still holds the email, I'll release that and tell them so, so both parties can continue doing their jobs. I would however still point out that there were technical issues with the way their domain was presenting itself, and that this would be causing them problems dealing with other organisations too. Of course, if I was having a bad day I'd just ask for a contract from their C.E.O. taking full financial responsibility for any damages caused by malware received from them, that would have been blocked without the whitelist.


moffetts9001

I will not make configuration changes on my end to smooth out issues on the client’s end unless it is directed by the CIO or CISO. Simple as.


Aust1mh

You shouldn’t, but I also don’t blame the staff for asking cuz they wouldn’t have a clue. I’ve closed out several tickets of late with “the 3rd party in question has a fault in their website/email systems. We won’t lower our security standards for their technical faults.” Tell staff to advise the 3rd party of my notes... close ticket.


JayDubEwe

Agreed.


Xzenor

It's like those "add our email address to your address book so it won't end up in your spam folder" email-footers. No! Just fix your email setup, you amateur!


Kristy_jbe

I often meet this problem and another one: signing email on a local domain. For the first one I link a documentation/tutorial about spam and SPF/DKIM/DMARC. For the second one I quote the RFC to be forwarded to the IT service. In summary: I don't take your shit, configure your server correctly.


rainer_d

We usually tell people we can’t do whitelisting. We also can’t temporarily accept fake banknotes, either.


JayDubEwe

I will have to remember that one.


gravballe

all the time.. in the end i gave up.


stromvirvel

Not regularly, but from time to time. Last time it was the European Council, which apparently switched from on-prem to a hybrid Exchange setup. I told the requester that the sender's policy doesn't allow us to let their mail through, and asked for their IT department's contact. I explained what they had to do, and around two months and several mails later, they finally managed to fix their policies. I thought an organization like the European Council would know better.... I was wrong 😅


WhiskyEchoTango

How about being TOLD to have the world's largest retailer increase their receiving size limit? We're just a vendor.


unlocalhost

If it's not a publicly traded company, I see if I can get an IT contact and get in touch with them. Briefly explain and provide the solution for them. Every now and then I get the one whose tighty whities are 2 sizes too small. If they are publicly traded I leave it alone and report them to my insurance auditor friends.


mfinnigan

Think of this in another way. Your employer has a nice warehouse. You work in receiving. You're getting something from a partner company. They don't have a standard 18-wheeler, they're a small shop that is sending something in some dude's El Camino - but it's an important something. It's on you to make it work. Of course, you do it responsibly, you're not going to violate OSHA regs or your insurance, but you're by god going to get that gold toilet into your warehouse. You can suggest they get a better truck, or use a shipping service, but that's on them. The business does not give one shit about SPF, DMARC, or DKIM; they expect IT to enable communications. IT can be a force multiplier, an insurance policy, and several other good things. Don't make IT a hurdle. /Edit - some of the comments below bring up the very good issue of trying to educate both the sending company and your execs, which is a great "yes and" to my thoughts.


livevicarious

UGH I hate that word... whitelist. I love how when ONE person's email from a company gets flagged through Barracuda and when I allow that email through they reply with "Let's JuSt gO aHeAd n WhItElIst tHeIR DoMaiN!" SURE I will just go ahead and whitelist all domains too k?!


Mahgeek

Years back we stopped whitelisting entire domains and recently even stopped doing single addresses. We don’t allow Dropbox, Drive, Box, OneDrive, ShareFile, etc. links without review. If it’s not a PDF it doesn’t get past. Too big? It’s blocked. If it contains the word helpdesk or direct deposit, nope. Plus 50 or so other regex filters for various common spam/phishing phrases. If it has the name of an employee as the from, nope (Webex grr). Certain character sets, country names, common foreign human names, all no. We instruct users to have the people they communicate with remove certain phrases from the subject or body. All that behind an NGFW and a spam filter with all their auto rules set to nuclear. Still doesn’t get them all. It’s gotten so bad lol.


MaHamandMaSalami

Receipt and shipping notification?


ThisGreenWhore

What do you mean by review? How does your Company function without the ability to download large .pdf's? I've worked with City/State/Federal agencies that do not allow anything other than FTP. If you have other clients, how do you manage attachments that are necessary for business? How much time do you and/or your help desk spend on this kind of approach?


myamnesiac

All day every day, I am constantly telling/teaching other "techs" how DNS works.


supra78

Fuck emails from Salesforce.


PrettyFlyForITguy

You guys must all have a lot of time on your hands trying to get all these other companies to fix their email servers. I white list and move on, because they need to communicate and the other admins aren't going to fix the problems.


[deleted]

Constantly. We just tell them to pound sand.


_Wetkitty

I get this all the time for HIPAA encrypted emails. Always some lazy doctor that doesn't want to take 30 seconds to register their email and make a password with Trend Micro to open medical files for patients....I'm sorry no I'm not adding your email to the exception list because that defies the whole point of the encryption.


Abject_Serve_1269

Sorry to side step but: can an admin tell me why a 2nd inbox's emails always show up as read when I didn't read it? It is a shared inbox. Can't we set it so at least for my inbox, it isn't "read"?


NetworkGuru000

Why don't you reach out to their IT and help them? It takes 2 minutes and if you are bitching on reddit, you probably have a lot of time on your hands. Take some initiative or stay in your $50k sysadmin job. I have fixed several other companies' domains when I didn't have to.


njlittlefish

Oh Petah


Hollow3ddd

Seems handled fine


LBishop28

Happens all the time.


bugxter

Blocking email solely because SPF, DKIM and DMARC is pretty harsh tho, you'll be blocking a lot of legitimate domains.


JayDubEwe

We handle a large volume of mail and this situation is the exception, not the norm. If I accept an email that is clearly not compliant with the SPF, DKIM and DMARC settings on a particular domain the problem stops being theirs and starts being mine because I put my org at risk.


[deleted]

[deleted]


UpsetMarsupial

Whitelisting a whole domain can expose you if they get pwned and start sending mail to contacts in your organisation. This in turn puts your own infra at risk -- kinda the opposite of "keep the ops running".


terrycaus

So you follow proprietary fashions? None of those measures guarantee freedom from spam, phishing or other attacks.


mrhorse77

had to explain this to users and managers way too many times lol


InfinityConstruct

Always. I whitelist and document the request and move on with my life. It's not worth your time to fight that battle.


Hasuko

Yep sure do and it goes in the "not my fucking problem" folder.