Why OIT does not allowlist domains

What is an “allowlist”?

An allowlist is a “free pass” through any of our email protection defenses. It lists “trusted sources” and lets their mail through, so email from those addresses is not blocked as spam.

Spammers (or phishers) take advantage of typical allowlisting practices. They try to fool your email defenses (and you) into thinking malicious emails are from trusted sources by making them look like they are coming from an address on your allowlist. So, anti-spam programs that rely on allowlisting can make you more susceptible to spam, phishing scams and viruses by creating a false sense of security that all your email is safe. It’s not.

So, why don’t we use allowlists?

Well, it’s a cyber-security issue: each allowlist entry that you add is a potential source of danger. For one, it’s easy for the sender to make an email (especially a phishing scam) look like it’s coming from any address. That’s called “spoofing”. Spammers often spoof the emails they send out with addresses of popular banks, stores, credit card companies, etc. (like “support@<bank name>.com”).

The dangers should be obvious by now. Someone at your company gets an email that looks like it’s from a trusted source because you’ve allowlisted it, and they feel safe clicking on a link in the email. But it’s a spoofed email and the link takes them to the spammer’s site, where a virus is downloaded or they enter their username and password, provide their corporate credit card number, etc. You know the rest.

Other Spammer Tricks

Spammers know that many people allowlist their own domains. So, another common trick is to spoof the email to look like it’s from your own organization or even from yourself. If you allowlist your own domain, emails that look like they come from you or someone else in your company, but are really sent by spammers, get delivered to your Inbox ready to do harm.
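
The effect described above, as an added example that is not part of the original article and is not OIT's actual filter: the same constructed message goes through a filter that checks an allowlist first and through one that does not. The domain example.org, the Authentication-Results header contents, and every function name are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. The From header claims the organization's own
# domain, while the Authentication-Results header (assumed to be stamped by
# the receiving gateway) records that sender authentication failed.
SPOOFED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.invalid; dmarc=fail header.from=example.org
From: "IT Help Desk" <helpdesk@example.org>
To: you@example.org
Subject: Password expires today

Sign in at http://login.portal.invalid/ to keep your account.
"""

ALLOWLIST = {"example.org"}  # hypothetical entry: the organization's own domain


def from_domain(msg):
    """Domain of the From header: plain text chosen by whoever wrote the message."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def content_verdict(msg):
    """Stand-in for the gateway's spam and phishing checks (assumed logic)."""
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload().lower()
    failed_auth = "spf=fail" in auth or "dmarc=fail" in auth
    return "quarantine" if failed_auth or "sign in at http" in body else "deliver"


def filter_with_allowlist(raw):
    msg = message_from_string(raw)
    if from_domain(msg) in ALLOWLIST:
        return "deliver"  # the free pass: none of the other checks run
    return content_verdict(msg)


def filter_without_allowlist(raw):
    return content_verdict(message_from_string(raw))


if __name__ == "__main__":
    print("with allowlist:   ", filter_with_allowlist(SPOOFED))
    print("without allowlist:", filter_without_allowlist(SPOOFED))
```

The allowlist match happens on text the sender controls, so the failed checks never get a chance to stop the message.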

When Friends Become “Zombies”

Allowlisting can also lead to problems when an otherwise innocent source is infected and starts sending out spam to all of its contacts. If one of your contacts has been allowlisted and her computer becomes compromised, your address can be harvested and an attack email generated. Because the sender is allowlisted, it passes straight through our defenses, you click on it… Well, that’s when bad things happen.