gep2(_at_)terabites(_dot_)com wrote:
[zombies]
I disagree. If the great majority of users are rejecting
E-mail-borne zombie attacks, then I think that hackers and spammers
will move to greener pastures (such as trying to infect via Web
sites or whatever).
Some will. Some will anyway. Some won't, so long as a sufficient
number (which can be quite a small percentage) of users are
vulnerable. And more users will be vulnerable to new attacks, because
defenses won't be perfected against those.
It also depends on how quickly such a fine-grained permissions list
approach is accepted and installed. Obviously, if Microsoft were to
include something like this in Outlook and Outlook Express by
default, it would be much more effective and much sooner than if
Infopoint or some other small software company were to try to market
it as an addon package.
You mean 5 years instead of 20?
I don't agree with your numbers, but the ratio might be about right.
How many users do you think are still using Windows 98?
Such an effort will be implemented worldwide by far more customers,
faster, if it's an upgrade to a program they already have and trust
than if it's something new and different.
Maybe; if their hardware and OS support the new version, and it
doesn't break anything they're already doing (including compatibility
with other old programs they're using), and . . .
Precisely. The spammers will attack a vulnerability that affects only
a small percentage.
True, but as it becomes a smaller and smaller percentage, their
exploit becomes less and less a matter of concern.
I disagree. So long as their exploit spreads, it's of concern.
That issue is already known in virus protection. Some email clients
were treating some messages as HTML that the anti-virus software
thought was (safe) plaintext. The spammer didn't care _which_ victim
he got, just _how many_.
At some point, the answer to "how many" will be "not enough"... just
the same way that spammers don't tend to go after Linux or Mac
boxes, even though they clearly could. The grass is greener
elsewhere, so the minority situation can be pretty safely ignored.
Until there's enough protection in what used to be easiest, then the
spammers go for something else.
Ultimately, the way to control spam is to make it less profitable
and appealing for the spammer.
Felony convictions have that effect. Little else seems to.
However, it's close to necessary to demonstrate that it's _possible_
to do an acceptably-good job.
I think that's pretty evident. Certainly neither you nor anybody
else here has posted convincing evidence proving the inverse.
Ask anyone who has done customer support.
As I've already pointed out, "no attachments, no HTML" isn't a
clear-cut decision,
It comes awfully close.
Until there's a new MUA that decides to be "helpful".
And if the implemention of the fine-grained permissions list is
built into the recipient's mail client software (say,
Outlook/Outlook Express/Pegasus/Eudora/etc) then it's possible to
make it damned near airtight... certainly something that a clueless
user (the one most likely to be fooled) isn't likely to be taken in
by.
But by then the email has travelled the last mile.
...and spammers will take advantage of every implementation difference of
opinion.
Sure. They are awfully determined, and devious. But (again) the *great*
majority of their tricks and deceptions
SO FAR
are based on obscured URLs, scripting, HTML, and attachments. Once
you have denied them those, they're left with VERY little wiggle
room.
and will have to come up with something else, which so far they've
always managed to do.
Seth
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg