LYC: I have a feeling I'm going to embarrass our pentesting company soon
Posted by
oblique (aka kkuphal)
May 30 '24, 13:44
The external pentester assigned could not even get an email to land in our inboxes, not a single one. Now, we get our fair share of spam and phishing emails that make it through the filters, so this is a bit of a sad trombone for them.
Their latest tests failed because the message failed DMARC, DKIM, and SPF tests and was marked as phishing. These are the same tests they do on OUR external email to verify we have our email set up correctly (and they found a few spots where I had missed one piece on some of our secondary domains).
I'm trying not to be like "Um, maybe you'd have better luck sending legitimate-looking penetration test emails if your email servers didn't look like a completely dodgy site."
That all being said, the internal pentester was excellent and we had a lot of good takeaways from that.
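As an added example (not part of the post and not the pentesting firm's tooling), a small Python checker for the SPF and DMARC records the post refers to, run over constructed TXT records for a hypothetical primary domain and a secondary domain with the kind of missed piece mentioned above; the domain names and record contents are assumptions, and no live DNS is queried.

```python
# Added example, not from the original post: static SPF/DMARC record checks.
import re

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "secondary.example": ["v=spf1 include:_spf.example.net ~all", "v=spf1 -all"],
    # _dmarc.secondary.example deliberately absent: a "missed piece"
}

def check_spf(records):
    """Return a list of findings for the SPF TXT records of one domain."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as permerror)")
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends in '{terms[-1]}': any host may send")
    elif last == "~all":
        findings.append("SPF softfail only (~all); pair with DMARC p=reject")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminating 'all' mechanism")
    return findings

def check_dmarc(records):
    """Return a list of findings for the _dmarc TXT records of one domain."""
    dmarc = [r for r in records if r.upper().replace(" ", "").startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= aggregate report address")
    return findings

def audit(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for a domain; an empty list means clean."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get("_dmarc." + domain, []))
```

Calling `audit("secondary.example")` surfaces the duplicate SPF record, the softfail-only policy and the missing DMARC record, which is the class of gap the post says the external testers found on secondary domains.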