It's Friday today, I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different:

  Methodology Pro Con
White list Deny everything by default and allow exceptions Full control of all resources Harder to manage
Frequent updates
Can be frustrating for the user.
Black list Allow everything by default and deny exceptions Easy to manage
Less impact on users

Only "known" resources are blocked
Risks of missing blocked resources.
Never-ending process

A classic example is applications allowed to users on endpoints in a corporate environment (Microsoft AppLocker[1] works like this): You can allow all applications but block some or you can deny all applications but allow only approved ones.

When you have a security product that implements both types, how are they processed? In which order? Let's take an example that I faced yesterday at a customer. The security product is a mail protection system which scans incoming SMTP traffic, extracts emails, attachments and tests them (in a sandbox if needed). Two types of lists are available and may contain the following indicators:

  • A sender email address
  • A sender domain
  • A sender IP address
  • An URL
  • A MD5 hash
  • A recipient email address

Lists are:

  • Allowed list
  • Blocking list

This looks very efficient: you can white list IP addresses of internal SMTP relays, domains from partners, or block domains used by spammers. But it can also have nasty effects. The question to think about is: In which order are the lists processed? They are multiple scenarios possible:

  • Process the blocking list first and, if a match is found, stop processing the other list
  • Process the allowed list first and, if a match is found, stop processing the other list
  • Process the blocking list and, if a match is found, check in the allowed list if there isn't an exception
  • Process the allowed list and, if a match is found, check in the blocking list if there isn't an exception

Let's take the practical example that I faced yesterday as an example:

In the blocking list, there is a rule to prevent people to receive emails from the following domain: "". This rule is in place for months. Suddenly, a user complained that he can't receive emails from the domain "". So, we added a rule in the allowed list to always allow emails sent from this domain. But it did not work... After some investigations, we found the issue!

The blocking list is processed in the first place and still rejected emails from (because the '' rule matched). But why does it match a sub-string of the domain? By reading the documentation, we found that regular exceptions are allowed in rules.

To fix this issue, we changed the blocking rule to '^efax\.com$' to really match this domain and nothing else. With this configuration, the blocking list did not match any rule and the allowed list matched on '". Happy user!

Conclusion: The implementation of white or black-list is not easy and must be carefully tested and... RTFM[2] to be sure to fully understand their priority!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted by InfoSec News on Sep 20

By Jeff Stone
September 19, 2019

Money matters when it comes to recruiting cybersecurity staffers. But, beyond
salary, a combination of factors have contributed to the widespread skills
shortage, and some issues are worsened by the industry itself.

Various studies suggest the shortage of qualified cybersecurity candidates is
set to hit 3.4 million...

Posted by InfoSec News on Sep 20

By Dan Goodin
Ars Technica

If you've noticed an uptick of spam that addresses you by name or quotes real
emails you've sent or received in the past, you can probably blame Emotet. It's
one of the world's most costly and destructive botnets—and it just returned
from a four-month...

Posted by InfoSec News on Sep 20

By Felicia Sonmez and Erica Werner
The Washington Post
September 19, 2019

Senate Majority Leader Mitch McConnell came out Thursday in support of
providing states with an additional $250 million in election security funding,
an abrupt turnaround after more than a year of...

Posted by InfoSec News on Sep 20

By Anna Spoerre
Des Moines Register
September 19, 2019

An Iowa state senator is calling on the legislative oversight committee to
investigate at least two known county courthouse break-ins authorized by the
Iowa judicial branch.

Sen. Tony Bisignano (D-Des Moines),...

Posted by InfoSec News on Sep 20

By Dina Temple-Raston
I'll Be Seeing You
September 19, 2019

Debbie Scroggin and her husband live at the end of a series of gravel roads in a
lonesome part of Kansas. It is the kind of place where, Debbie says, "you have
to drive 15 minutes to get anywhere." Getting to the Scroggin house involves
turning onto a...
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status