I suggest a privacy assessment be completed.  OTA can help on this if this
would be helpful as it needs to be done outside of the security community
for compliance and objectivity.   

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of MH Michael Hammer (5304)
Sent: Wednesday, March 20, 2013 8:26 PM
To: Murray Kucherawy; [email protected]
Subject: Re: [dmarc-discuss] Using DMARC to probe corporate compliance

We had something like this come up when we were first implementing. It was a
couple of contractors forwarding alerts from a system because they didn't
want to VPN in.

For those who say look at your logs, this sort of thing tends to stand out
more readily in looking at auth failures.

As for the privacy consideration, that will need to be worded carefully. In many
organizations there are rules against forwarding corporate mail to personal
accounts. Whose privacy is being violated? The organization's or the
individual's?

Mike
> -----Original Message-----
> From: [email protected] [mailto:dmarc-discuss-[email protected]] On Behalf Of Murray Kucherawy
> Sent: Wednesday, March 20, 2013 11:13 PM
> To: [email protected]
> Subject: Re: [dmarc-discuss] Using DMARC to probe corporate compliance
> 
> This is definitely something that will need to be called out in the 
> DMARC draft as a privacy consideration when it is published at some point.
> Thanks for getting this discussion going!
> 
> -MSK
> 
> On 3/20/13 3:04 PM, "Carl S. Gutekunst" <[email protected]>
> wrote:
> 
> >I've been amused by the number of rows in my aggregate report that 
> >show people forwarding mail from their employer's mailbox to an 
> >external provider (mostly Gmail and Yahoo). Of course most employers 
> >have policies forbidding this; the fact that people do it anyway is
> >one of the things that keeps me employed.
> >
> >While using DMARC's aggregate reports to detect data leaks seems too 
> >crude for corporate espionage, it does seem to have possibilities for 
> >corporate compliance. It could work like this: once a month, I send 
> >all my employees a reminder about corporate compliance rules. The 
> >sending domain is unique, with correct SPF, DKIM and DMARC. When the 
> >RUA arrives, it'll show how many people are forwarding their mail to 
> >Gmail and whatnot. Games can be played with the domain, selector, or 
> >time of day to statistically isolate the guilty party.
> >
> >Interesting use case? Scary use case? Or Carl just demonstrating his 
> >grasp of the obvious?
> >
> >(Of course the outbound mail servers or firewall are the correct 
> >place to detect and block forwarding. But this trick would find 
> >people who are bypassing the outbound mail servers, or perhaps detect 
> >a flaw in the output policy rules.)
> >
> ><csg>
> >_______________________________________________
> >dmarc-discuss mailing list
> >[email protected]
> >http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >
> >NOTE: Participating in this list means you agree to the DMARC Note 
> >Well terms (http://www.dmarc.org/note_well.html)
> 
> 

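The aggregate-report check Carl describes, written out as an added example that is not part of this thread or of any DMARC implementation: a small parser for a DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout that, for one "canary" sending domain used only for internal mail, tallies how much of that mail a third-party receiver reported. The report text, the domain name `compliance-reminder.example`, the sender network `192.0.2.0/24` and all counts are constructed for illustration. Rows from an authorised MTA count as forwarded only under the canary assumption (the domain never legitimately mails outside); rows where DKIM passed but SPF failed from an unknown IP carry the classic relayed-mail signature Mike mentions when he says forwarding stands out among auth failures; rows failing both are not evidence of forwarding.

```python
"""Tally forwarded mail for a canary domain from a DMARC aggregate (RUA) report."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample report (not a real one), following the RFC 7489
# Appendix C aggregate report layout. The reporting organisation is the
# destination provider that received the mail. One record for another
# domain is included to show that it is filtered out.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1363737600</begin><end>1363823999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>compliance-reminder.example</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>compliance-reminder.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.23</source_ip>
      <count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>compliance-reminder.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>compliance-reminder.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>other.example</header_from></identifiers>
  </record>
</feedback>
"""


def classify_record(source_ip: str, dkim: str, known_senders: List) -> str:
    """Label one <record> row.

    direct_from_org:  received straight from an authorised MTA; for a canary
                      domain that never mails outside, this is still forwarding
    forwarded_relay:  DKIM survived but the source IP is not ours, the usual
                      signature of mail relayed on through a third host
    unauthenticated:  DKIM failed from an unknown IP; not evidence of forwarding
    """
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in known_senders):
        return "direct_from_org"
    if dkim == "pass":
        return "forwarded_relay"
    return "unauthenticated"


def summarize_report(xml_text: str, canary_domain: str,
                     known_sender_cidrs: Iterable[str]) -> Dict:
    """Return per-class message counts for the canary domain in one report."""
    # Reports arrive from outside parties; parse untrusted XML with defusedxml
    # in production. The stdlib parser is used here to keep the example offline.
    known = [ipaddress.ip_network(c) for c in known_sender_cidrs]
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", default="?")
    counts: Counter = Counter()
    rows = []
    for rec in root.iter("record"):
        if rec.findtext("identifiers/header_from") != canary_domain:
            continue  # rows for other domains in the same report are ignored
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count", default="0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        label = classify_record(ip, dkim, known)
        counts[label] += n
        rows.append({"source_ip": ip, "count": n, "dkim": dkim, "spf": spf, "class": label})
    # Under the canary assumption, every delivery an outside provider reports
    # for this domain, authenticated or relayed, is mail that was forwarded out.
    forwarded = counts["direct_from_org"] + counts["forwarded_relay"]
    return {"reporter": reporter, "domain": canary_domain,
            "counts": dict(counts), "rows": rows, "forwarded_total": forwarded}


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT, "compliance-reminder.example", ["192.0.2.0/24"])
    print(f"{summary['reporter']} reported {summary['forwarded_total']} forwarded "
          f"message(s) for {summary['domain']}: {summary['counts']}")
```

Run over a day's worth of reports, the per-reporter totals give the volume of internal mail reaching each outside provider; the `forwarded_relay` rows are the ones to compare against the outbound gateway's own logs, since they are the deliveries that bypassed or slipped through the outbound policy Carl refers to.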