PaulDotCom mailing list archives

Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Ty Purcell <TPurcell () ffin com>
Date: Tue, 1 Jul 2014 16:03:19 +0000


Is there the possibility of properly crafting the Statement of Work and Rules of Engagement to comply with the law 
while also meeting your pentest operational needs?


From: gpwn-list on behalf of Jamil Ben Alluch
Sent: Tuesday, July 01, 2014 10:36:16 AM
To: advisory-board-open () lists sans org; gpwn-list () lists sans org; Security Weekly Mailing List
Subject: [GPWN-list] Pen Testing and the Canadian anti-spam law


I wanted to get some points of view in regards to the newly implemented anti-spam law that entered into effect today in 

There are cases where during pen-testing projects, we are in a way required to send emails in order to test out 
phishing attempts, malware downloads etc.

These would have to be crafted in a way that is appealing to the targeted end-user and often will have some kind of 
appealing sales connotation or fake business application.

Now according to the CASL<http://fightspam.gc.ca/>, this would entitle senders to up to CA$1,000,000 in fines, if you 
are an individual, and $10,000,000 in fines if you are a business.

Obviously in our line of work, in order to perform our duties as pen-testers, this could turn out to be a problem and 
remove the possibility of trying out sets of attack vectors relying on emails.

I'd like to get some opinions on this matter.

Best Regards,

Jamil Ben Alluch, ing. jr, GCIH
Information Technology & Security Consulting
jamil () autronix com
+1-877-564-7656 e.123
securityweekly mailing list
securityweekly () mail securityweekly com
Main Web Site: http://pauldotcom.com
