J. Gomez writes:

> Yes, the user did it to himself, but what does he know?

Obviously too little to be trusted with an email account. Fire the corporate training department!

> Please note this attack works successfully even if the user has no
> administrative rights on his computer, and could potentially be
> made to work equally well with Linux and MacOSX users too (if they
> were a big enough demographic target to make it profitable vs cost
> of development).

AFAICS the cost of porting is very low compared to original development. I would guess that the real issue is that they don't have a good way to identify the executable format for the recipient system, and so send a payload that will work on well over 90% of recipients.

I also doubt it would work as well on Mac OS X, where the user would be prompted for his password to confirm permission to execute an application received from an untrusted source. Surely some would type the password, but I suspect enough would be deterred to lower the click rate to unprofitable levels.

> The lessons which I think we can learn from this are:

ISTM we already knew the lessons you list, and they inform every discussion I've seen on this list. My personal opinion is that, on the contrary, people are already way too quick to discard proposals simply because they involve changes to MUAs. Of course, the reality is that this is an IETF WG, and what we can do that has effect with high probability is change wire protocols. MUA presentation is outside of our bailiwick, and nobody really has a good way to get ideas for MUAs broadly implemented the way we can influence MTA implementations.

> So I thought this could be of interest to keep in mind, when some
> solution may be suggested to the DMARC indirect flows problems
> which advocates some kind of MUA behavior regarding message
> presentation.

"No Silver Bullet". There are no "solutions" to these problems, only improvements.

The fact that *some* users will dig a phish out of the spam bucket and cut/paste a disabled URL into their browsers so that they can be victimized despite the best efforts of their mail agents doesn't mean that others who *would* click if it were presented as valid mail would *not* go to such lengths for mail in their spam folders, or perhaps would be deterred at the "cut/paste" stage.

_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
