Summary
Cybersecurity companies aiming to safely deliver malicious files for testing require a multi-faceted approach that combines technical safeguards, clear communication, and adherence to legal and ethical standards. Utilizing separate infrastructure like throwaway domains, VPS, and EC2 instances helps isolate testing and protect sender reputation. Requesting clients to whitelist IPs and leveraging advanced delivery policies in platforms like Microsoft 365 can bypass filters. Transparency is crucial; informing recipients, their IT security teams, and even engaging with security and anti-spam vendors fosters trust and collaboration. Before sending, files should be analyzed in sandbox environments. Clear contractual agreements outlining scope and responsibilities are essential for legal protection. Encrypted archives can offer a basic level of bypass, but client awareness of the risks is key. Throughout the process, protecting sender reputation is paramount to ensure the continued deliverability of legitimate emails. Overall, balancing effective testing with ethical practices and minimizing potential harm is crucial.
Key findings
- Separate Infrastructure: Using distinct domains, IPs, VPS, or EC2 instances isolates testing and protects the primary email infrastructure's reputation.
- Bypass Mechanisms: Whitelisting IPs, leveraging advanced delivery policies, and encrypted archives can help bypass email filters.
- Transparency and Communication: Informing recipients, IT teams, security vendors, and anti-spam services is crucial for trust and coordination.
- Sandbox Analysis: Analyzing potentially harmful files in a sandbox before sending enhances safety.
- Contractual Agreements: Clear agreements outlining testing scope and responsibilities are essential for legal protection.
- Reputation Protection: Protecting sender reputation is paramount for continued deliverability of legitimate emails.
Key considerations
- Domain and IP Isolation: Properly configuring and managing separate infrastructure is critical to prevent spillover effects on the primary domain.
- Ethical Implications: Balancing effective testing with the need to protect recipients from potential harm is crucial.
- Legal and Regulatory Compliance: Testing activities must comply with data protection, privacy, and other relevant laws.
- Security Vendor Approval: When possible, obtaining approval from the client's security vendor can streamline testing and improve accuracy.
- Ongoing Monitoring: Continuously monitoring sender reputation and adapting strategies as needed is essential for long-term success.
What email marketers say
11 marketer opinions
Cybersecurity companies face challenges in delivering malicious files for testing purposes without being blocked by security filters. The solutions involve a multi-faceted approach including technical configurations, process and communication strategies, and legal considerations. Key recommendations include using separate domains and IPs for testing, whitelisting IPs with clients, informing recipients and IT security teams, utilizing sandboxes, securing contractual agreements, and potentially using encrypted archives. Additionally, communication and coordination with anti-spam vendors are important. The overall goal is to minimize the impact on sender reputation and ensure that testing is conducted ethically and legally.
Key opinions
- Separate Infrastructure: Using distinct domains and IP addresses dedicated to security testing helps isolate any negative impacts on the primary email infrastructure.
- Whitelisting: Requesting clients to whitelist specific testing IPs can bypass security filters, ensuring delivery of test files.
- Clear Communication: Informing recipients, their IT security teams, and, potentially, security vendors about the tests is crucial for transparency and coordination.
- Sandbox Analysis: Analyzing malicious files in a sandbox environment prior to sending them to clients adds an extra layer of safety.
- Legal Agreements: Establishing clear contractual agreements outlining the testing scope and responsibilities is essential for legal protection.
- Anti-Spam Coordination: Working with anti-spam vendors can help prevent testing activities from negatively impacting sender reputation and overall deliverability.
Key considerations
- Sender Reputation: Security testing can negatively affect sender reputation, impacting the deliverability of legitimate emails. Mitigation strategies are necessary.
- Ethical Implications: It's important to balance thorough security testing with the need to protect recipients from potential harm.
- Legal Compliance: Testing activities must comply with all relevant laws and regulations, including data protection and privacy laws.
- Security Vendor Approval: If possible, it is key to have approval from the security vendor of your client as they are the most effective way to protect clients from any harm.
Marketer view
Email marketer from Reddit suggests ensuring that recipients are fully aware of the testing and the nature of the files they may receive. Clear communication is key, manage expectations. They suggest informing recipients before sending to them and giving a heads up to the internal security teams.
13 Aug 2021 - Reddit
Marketer view
Email marketer from Email Geeks shares experience with an AV vendor client, who had a pre-req doc for bypassing filtering for phishing tests and spun up a new Azure IP for each client for virus/malicious file testing, with Microsoft being aware of their activities.
25 Nov 2022 - Email Geeks
What the experts say
3 expert opinions
When cybersecurity companies need to send malicious files to clients for testing, it's crucial to do so without getting blocked and while protecting sender reputation. Experts recommend using throwaway domains, possibly with a VPS, for sending the files. They also stress the importance of safeguarding sender reputation to avoid affecting legitimate email streams. Building relationships with anti-spam vendors can also help, as they may be more lenient if they understand the testing criteria.
Key opinions
- Use Throwaway Domains/VPS: Utilizing separate infrastructure like throwaway domains and VPS helps to isolate testing activities from the main domain and protect sender reputation.
- Protect Sender Reputation: Maintaining a positive sender reputation is critical to ensure continued deliverability of legitimate emails.
- Engage with Anti-Spam Vendors: Building relationships with anti-spam vendors can lead to more flexibility during testing and better understanding of security levels.
Key considerations
- Domain Isolation: Properly setting up and managing throwaway domains and VPS is essential to prevent any spillover effects on the primary domain.
- Reputation Management: Continuously monitoring and protecting sender reputation is an ongoing process that requires vigilance.
- Vendor Coordination: Establishing and maintaining open communication with anti-spam vendors requires time and effort but can be beneficial.
Expert view
Expert from Spam Resource, Laura Atkins, emphasizes the need to protect sender reputation when conducting security tests, highlighting the risk of damaging legitimate email streams. It is important to plan your testing to avoid affecting your sender reputation.
18 May 2024 - Spam Resource
Expert view
Expert from Email Geeks suggests sending malicious files from a throw away domain and possibly a VPS somewhere for cybersecurity testing.
13 May 2024 - Email Geeks
What the documentation says
4 technical articles
Microsoft 365, AWS, NCSC and NIST documentation provide guidance on sending malicious files for security testing. Microsoft 365 offers advanced delivery policies to bypass filters for simulated phishing attacks. AWS describes using EC2 instances for sending emails with caution and adherence to usage policies. NCSC emphasizes explicit agreements, controlled environments, and clear communication for penetration testing. NIST provides guidelines for vulnerability testing, including proper authorization, containment, and ethical practices. All sources highlight the importance of careful planning and adherence to best practices to avoid causing harm or violating policies.
Key findings
- Advanced Delivery Policies: Microsoft 365 offers features to bypass filters for simulated phishing attacks, requiring configuration of sending IPs and domains.
- EC2 Instances for Email: AWS EC2 instances can be configured to send emails, but adherence to acceptable use policies is crucial.
- Penetration Testing Guidance: NCSC emphasizes explicit agreements, controlled environments, and clear communication for safe penetration testing.
- Vulnerability Testing Guidelines: NIST provides guidelines for vulnerability testing, highlighting proper authorization, containment strategies, and ethical practices.
Key considerations
- Policy Adherence: Following acceptable use policies of email platforms and cloud providers is essential to avoid penalties.
- Authorization: Obtaining explicit authorization before conducting any security testing is a must to avoid legal and ethical issues.
- Communication: Maintaining clear communication with clients and relevant stakeholders ensures that testing activities are transparent and understood.
- Controlled Environments: Ensuring that testing activities are conducted within controlled environments minimizes the risk of unintended consequences.
Technical article
Documentation from Microsoft Learn explains that Microsoft 365 offers advanced delivery policies to allow simulated phishing attacks for training purposes to bypass filters. These policies require configuration to identify the sending IP addresses and domains used for the simulations, ensuring legitimate tests are delivered while maintaining overall security.
31 Oct 2023 - Microsoft Learn
Technical article
Documentation from NIST provides guidelines for vulnerability testing, including considerations for safely handling potentially harmful content. It includes recommendations on obtaining proper authorization, implementing containment strategies, and adhering to ethical testing practices.
9 Jan 2025 - NIST Website
Are spam trigger word lists accurate and should I be concerned about them?
Are spam trigger word lists still relevant for email deliverability?
Are spam trigger words, PDF attachments, and links bad for email warm-up and deliverability?
Can an email template trigger spam filters and cause deliverability issues?
How can I effectively avoid spam filters when sending emails?
How can I intentionally deliver emails to the spam folder?
How to effectively use KBXSCORE for deliverability testing?
What are some funny examples of spam or phishing attempts targeting email marketers?
What are spam trigger words and how do they impact email deliverability?
