furuno
asked on
Safe to attach phishing domain to my main domain?
I'm involved in IT security.
I need to attach phishing simulator software to my main business domain (website).
I'm a bit wary of this because of potential problems down the line. The vendor of the phishing simulator thinks it should be ok.
However, in 12 / 18 / 24 months' time, I don't want a situation where, owing to error (or whatever), my domain becomes blacklisted, because my domain is also tied to my CRM system. This would then result in a cascade of failures - my basic email system not working, my CRM not working and the phishing simulator not working.
Should this phishing simulator be hosted on a different domain to mitigate the risk or am I totally over-thinking this situation?
ASKER
Hi David,
Thanks for your response.
What I mean by phishing simulator is, I believe, using the SMTP server connected to my domain or subdomain and using it for sending simulated phishing emails.
>>The problem becomes if some site like Google finds your "phishing simulator", then flags your property (bare domain + all subhosts) as a Phishing source, which will downgrade your SEO (at minimum) or cause access to your sites to be blocked (at worst).
Yes, this is my worst nightmare which I really want to avoid.
Why is ACL important here?
ASKER
>>>You'd have to somehow... Find a human in the company + convince them you weren't evil...
Hi David, thanks for your answer.
The protocol is actually liaising with their IT admins and getting the phishing domain whitelisted before the phishing campaign starts.
I've decided to use a separate domain - too risky. I do not want to end up on an RBL! This would interrupt not only normal email but also our emails from our CRM.
I've seen the headache RBL placement has caused people over the years and it's not a nice place to be!
Thanks for your input!
You're welcome!
And you're correct, getting RBL'ed can be a serious nightmare.
The easy answer is you ACL this simulator so no external site can ever access this code, which will work fine.
The problem becomes if some site like Google finds your "phishing simulator", then flags your property (bare domain + all subhosts) as a Phishing source, which will downgrade your SEO (at minimum) or cause access to your sites to be blocked (at worst).
Tip: If you can only trigger your phishing code from test clients... or say with an apikey or hash, you'll be fine.
I'd likely use a hash to do this, to keep things simple.
So if you run foo.com + foo.com/phishing is your simulator + pass https://foo.com/phishing?hash=$some-random-32byte-hash then simulator fires...
If hash is missing or incorrect, then return a 404.
This should cover the problem of phishing link leakage, so even if the URL gets indexed, missing/incorrect hashes just return an innocuous 404 error.
Also, be sure to rotate (retire old, create new) 32byte unique hash every day.
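The hash gate described in the answer above, as an added example that is not part of the original post or any vendor's code. It assumes the daily value is derived with HMAC-SHA256 from a server-side secret and the current date (instead of storing a fresh random value each day); `SERVER_SECRET`, `daily_token` and `gate` are hypothetical names.

```python
import hashlib
import hmac
from datetime import date
from urllib.parse import urlparse, parse_qs

# Assumption: a secret that lives only on the simulator host (constructed sample value).
SERVER_SECRET = b"constructed-sample-secret-change-me"


def daily_token(day: date, secret: bytes = SERVER_SECRET) -> str:
    """32-byte token (64 hex chars) that changes by itself when the date changes."""
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()


def gate(url: str, today: date, secret: bytes = SERVER_SECRET) -> int:
    """Return the HTTP status the simulator should answer with for `url`."""
    parsed = urlparse(url)
    if parsed.path.rstrip("/") != "/phishing":
        return 404
    supplied = parse_qs(parsed.query).get("hash", [])
    # Missing or repeated hash parameter: indistinguishable from a page that does not exist.
    if len(supplied) != 1:
        return 404
    expected = daily_token(today, secret)
    # Constant-time comparison, so response timing does not reveal a partial match.
    if not hmac.compare_digest(supplied[0].encode(), expected.encode()):
        return 404
    return 200


if __name__ == "__main__":
    day = date(2024, 1, 15)  # constructed sample date
    good = f"https://foo.com/phishing?hash={daily_token(day)}"
    print(gate(good, day))                          # today's token
    print(gate(good, date(2024, 1, 16)))            # same link, one day later
    print(gate("https://foo.com/phishing", day))    # indexed URL without a hash
```

A crawler or scanner that picks up a leaked link sees the same 404 as for any missing page once the day rolls over, which is the leakage protection the answer describes.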