> On 29. Jun 2021, at 16:13, Glenn Parker <[email protected]> wrote: > > > I would be interested in a deeper discussion of the actual security threats > that all this awkward 2FA/OAuth2/whatever are meant to address. I mean, I > certainly understand the basic need for authentication (and encrypted > transmission) to limit access to private information, but it seems like some > folks are going way overboard for email here. All security is a tradeoff with > convenience, like a fence around your property that limits free access to > everyone, including yourself. So, it’s important to weigh the tradeoffs. > > To restate my question: what are the downsides to a compromised email > account, and do they justify this level of access control? > > Users can perform a limited number of actions in the email universe: read > mail, delete mail, reorganize mail folders, and send mail: > > Read mail: private information could be exposed, obviously. > > Delete mail and reorganize mail folders: important (?) records or progress > tracking could be lost or “misplaced”. (But, seriously, don’t use email for > critical data storage). > > Send mail: IMHO, the biggest threat to an organization is the potential for > social engineering via “authentic” appearing email. > And this is a big concern for the system administrators of these systems. I administrate an e-mail-setup which is a bit bigger. Phished e-mail-accounts mean that they suddenly send spam as authenticated users which you usually trust. I do not (can not) sort mail from my users into spam and they have to reach a high threshold to be denied completely - that is even higher than the score external spammers have to receive. And in the end it means that I have to have measures to detect those mailers before my servers get onto blacklists which will be a problem for all of the users.
Besides that: nowadays pretty much any service nowadays relies on mail as authentication mechanism and you can reset passwords of accounts and take over these accounts which will lead to more damage for yourself. And there can be done a lot of damage when in a couple of hours. If you know in which time zone your target is, you can do everything in the night until they will notice that something is wrong. Niels
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ mailmate mailing list [email protected] https://lists.freron.com/listinfo/mailmate
