ietf-asrg

Re: [Asrg] Sendmail CEO Backs Yahoo DK and MS CID

2004-03-02 13:23:21
I don't agree with you.  People don't bother to remember credentials for
machines behind adequate firewalls, having no publicly meaningful IP
address, with anti-virus and anti-intrusion stuff mounted on the Exchange
server (or non-MS equivalent), and good anti-virus stuff running on the
desktop.  In less secure environments, a lot of people do remember
credentials (and most people I know have desktops in both secure and
insecure environments, and let the MUA store credentials in one and not in
the other).

Although I definitely agree with the security precautions that you take, I
think it is extremely unlikely that the average user will be as
knowledgeable and diligent as you and your computer-savvy friends.  The average
person is clueless that they even need a firewall at all.  The average
person stores their credentials on anything.  The average person is clueless
about security and that won't ever change.  The solution to any of these
problems is to attack the problem at the gateway, server, and standards
level.

I can't believe in 2004 we're still even talking about email viruses when
anti-virus gateway technology has been available for many years.  It's
amazing that people are still under the illusion that somehow if they scream
enough that they'll be able to convince the average user to not open
attachments when it's impossible for the computer masses to comply.  I've
not seen a single virus in any of my users' mailboxes in nearly 4 years
because of anti-virus gateway and server measures we took, yet people still
spend all their time attacking the problem from the end user's perspective.
It's about time all mail gateways and servers scan for viruses inbound and
outbound.  That is the only way to eliminate the virus problem.  I know MSN
and Yahoo already do this, and I never see viruses in my MSN account.

As for worm propagation, hopefully XP Service Pack 2 with its simple
stateful firewall turned on by default will be implemented across all
Windows XP machines soon.  It will go a long way to eliminate the DDoS
threat if 80% of the world's computers block all inbound traffic by default,
just like any of these SMTP authentication schemes if adopted will help in
the battle against SPAM.  At this point, I don't even care whose standard
wins, just as long as some kind of authentication scheme is standardized and
adopted by a critical mass.

Sorry for being slightly off topic.


George Ou


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg