Most users, by default would not need to enable executable attachments
coming
from ANYBODY AT ALL. The result of that fairly simple rule would all by
itself
very nearly eliminate E-mail as a vector for distribution of worms and
viruses
(at least, arriving in attachments!).
The virus-laden emails I've seen lately have packaged their payload in a
ZIP file rather than an executable, and have relied on social engineering
to get their targets to open the zip file and execute the contents.
1) I would suggest that archives be considered equally suspect with executable
files, especially when "nested".
2) There is little that can be done about pathological stupidity... but if we
can just toss an extra safety check or something into the path that they must
step over to do damage to themselves, that's still an improvement.
Eliminating HTML in E-mails from unknown/untrusted senders would force most
"phishing" spams out into the open by making it harder to hide misrepresented
URLs... by eliminating cases where a link looks one way but actually "under
the covers" goes to some rogue server in Romania or the like.
A simple re-coding of mail clients could detect the majority of these URL
mismatches -- when a link in an email is clicked, check the link's
visible text, if it looks like an URL, then compare it to the link's
anchor URL.
That only helps if the text you click on looks likee a URL. It could just say
"click HERE" or something.
Again, the point is that HTML is unsafe for a whole variety of reasons, and
contains or enables a great many of the subterfuges and complications that
spammers employ to evade content or antispam filters. It is NEVER necessary to
allow HTML in unsolicited, initial contact E-mail messages. There are many
reasons why we should discourage its use on an unsolicited basis from
unfamiliar
senders.
If they're the same, then everything's okay. Otherwise, pop
up a warning that tells the user that the URL may be a phish.
The problem is that you're playing a minor game of leapfrog with the spammers,
simple rules like that they can avoid triggering trivially. (Worse, the
changes
you propose for US take longer and cost more to achieve than the overnight
trivial strategy change needed by the spammers to defeat them). If we're going
to win this game, we need to change the rules in ways that they can't readily
circumvent or bypass.
I know of one mail client that is doing this at present. It really
wouldn't be difficult to do in the others, and would frustrate the
phishers to no end.
Nah, because that rule is trivial to avoid triggering.
Far better to FORCE *all* URLs out into the open, at least from unfamiliar
senders.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg