On Sunday, April 26, 2015 9:23 AM [GMT+1=CET], Stephen J. Turnbull wrote:

> J. Gomez writes:
>
> > Not an option. And sorry but it is not affordable to employ
> > security experts in everyday clerical tasks.
>
> It doesn't require *any* *security* expertise on the part of the
> clerks to deal with the exploit you described in a business context.
>
> Since it's direct mail, in a business context it's reasonable to
> suppose you have a database of qualified vendors including their email
> addresses, and one would hope an IT department capable of implementing
> DMARC and filtering out URLs not backed by a DMARC pass from a vendor
> registered with your company. I.e., you deal only with companies which
> always send DMARC-conforming mail and publish p=reject, and have IT
> configure the MTA to quarantine any other mail addressed to clerks
> which contains clickable links.
So before the clerks can arrange to do business with a new Courier (because the old Courier happens to be on strike, or does not service an area, or is more expensive for certain kinds of packages), they should have to first vet it through the IT dept., so that the IT dept. can whitelist their sending email addresses/domains? And the same for any other provider/client the clerks are going to deal with through email? And the same for the Sales dept., who when following leads by necessity have to deal with not-yet-formally-engaged prospective clients/providers?

Sorry, but real everyday business does not work like this (unless maybe at IBM, some huge University, or the Cuban Government, perhaps).

> So all the clerks need to learn is to report unclickable links so that
> threats can be forwarded to corporate security and unregistered but
> valid vendor addresses can be registered.

One clerk (a.k.a. "information-age worker" nowadays) does the workload of four clerks 20 years ago. They are over-worked, they work fast and furious, and when, for example, presenting on-line taxes and what-not, they usually go by the last day in the tax period. So now the confirmation email to validate their account on the Government on-line taxes web site (which recently moved from https://taxes.ministry.fr to https://taxes.ministy.gouv.fr) is suddenly not clickable, on the last day of the tax period, at 17:45h in the evening?

The IT dept. could be better, but they certainly are not suicidal.

Regards,
J.Gomez

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
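The MTA policy Stephen Turnbull sketches in the quoted text (quarantine mail to clerks that carries clickable links unless it passed DMARC from a domain on the company's registered-vendor list) is easy to model, and modelling it also shows the failure mode J. Gomez objects to. The following is an added example, not code from the dmarc list thread or from any MTA. It assumes a company MTA that stamps Authentication-Results headers with the authserv-id `mx.corp.example` (RFC 8601 layout), a vendor registry maintained by IT, and the sample messages, addresses and domains are all constructed for the example.

```python
# Added example (not from the dmarc list thread): a model of "quarantine mail
# with links unless DMARC pass from a registered vendor". All names constructed.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.corp.example"          # assumption: our MTA's authserv-id
REGISTERED_VENDORS = {"courier-a.example"}   # constructed vendor registry

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def from_domain(msg: Message) -> str:
    """Domain of the RFC5322.From address, the identifier DMARC aligns on."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_result(msg: Message) -> str:
    """Return the dmarc= result stamped by our own MTA, or 'none'.

    Authentication-Results headers with a foreign authserv-id are ignored: any
    sender can add such a header. (A real MTA also strips inbound headers that
    claim its own authserv-id before stamping; this model does not receive mail.)
    """
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        m = re.search(r"\bdmarc=(\w+)", rest)
        if m:
            return m.group(1).lower()
    return "none"


def has_clickable_link(msg: Message) -> bool:
    """True if any text part of the message contains a URL."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if URL_RE.search(body):
                return True
    return False


def policy_decision(raw: str) -> str:
    """'deliver' or 'quarantine' for one raw RFC 5322 message to a clerk."""
    msg = message_from_string(raw)
    if not has_clickable_link(msg):
        return "deliver"                       # links are the only trigger
    if from_domain(msg) in REGISTERED_VENDORS and dmarc_result(msg) == "pass":
        return "deliver"
    return "quarantine"


# Constructed sample messages, one per case the thread argues about.
VENDOR_OK = """\
Authentication-Results: mx.corp.example; dmarc=pass header.from=courier-a.example
From: Courier A <billing@courier-a.example>
To: clerk@corp.example
Subject: Invoice 4711

Please review: https://courier-a.example/invoices/4711
"""

SPOOFED_VENDOR = """\
Authentication-Results: mx.corp.example; dmarc=fail header.from=courier-a.example
From: Courier A <billing@courier-a.example>
To: clerk@corp.example
Subject: Invoice 4711 (urgent)

Pay here: http://courier-a-invoices.example/pay
"""

# Sender-supplied Authentication-Results with a foreign authserv-id: ignored.
FORGED_AR = """\
Authentication-Results: evil.example; dmarc=pass header.from=courier-a.example
From: Courier A <billing@courier-a.example>
To: clerk@corp.example
Subject: Invoice 4711

Pay here: http://courier-a-invoices.example/pay
"""

# Legitimate, DMARC-passing, but not yet registered: the case J. Gomez raises.
NEW_COURIER = """\
Authentication-Results: mx.corp.example; dmarc=pass header.from=courier-b.example
From: Courier B <sales@courier-b.example>
To: clerk@corp.example
Subject: Quote for your parcels

Our rates: https://courier-b.example/rates
"""

NO_LINK = """\
From: Somebody <someone@unknown.example>
To: clerk@corp.example
Subject: Hello

Call me on Monday.
"""
```

Running `policy_decision` over the five samples gives deliver, quarantine, quarantine, quarantine, deliver. The spoofed invoice and the forged Authentication-Results header are stopped without the clerk doing anything, which is Turnbull's point; the quote from the unregistered but perfectly authenticated new courier is also quarantined, which is Gomez's point: the policy is only as usable as the registration process behind `REGISTERED_VENDORS`. Note that trusting the `dmarc=` result at all depends on the authserv-id check and on the MTA removing inbound headers that claim its own authserv-id, something this model assumes rather than implements.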
