Karsten Bräckelmann writes:

> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan writes:
>>
>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?
>>
>> I mean attempts to get my users to send their passwords, are these not
>> called phishing?
>
> An important bit of information, missing from the OP. Targeted
> attacks at your users, so the general phishing BLs don't really apply.
>
> Anyway, can't you educate your users that
>
> (a) Any administrative email will be sent from an official, well-known,
> internal address? That means *not* an arbitrary address. Yes, sorry,
> the obvious...
> (b) They will *never* ever be asked for a password by mail. Period.
> Again, obvious...

We've been telling our users this for years, but there is always someone
who doesn't listen, or forgets, or something. I don't know. I find it
absolutely incredible that anyone would fall for any of these, yet I am
the one who has to clean up the mess :P

> Then block internal / administrative From addresses coming from any
> external SMTP.

Yeah, that's done, they don't get by faking our From, but the body is
constructed in a way to mislead and impersonate our "staff" or whatever,
usually by threatening people that their account will be closed unless
they reply.

> This is not a technical way of stopping these, but an educational
> approach to prevent the most dumb and gross social engineering. At least
> the second one actually should be well-known, and I've seen ISPs
> pointing it out frequently...

Thanks, but we've done all these, and continue to do them; they are
another plank in the various mechanisms that we must employ.

micah
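The two checks the thread circles around, an internal-looking From address that arrived via an external SMTP relay, and a body that threatens account closure unless the reader replies with a password, can be combined into one small filter. The following is an added example, not code from either poster or from any list software; the domain `example.edu`, the trusted network ranges, the scoring weights and the two sample messages are all constructed for the demonstration.

```python
"""Flag mail that impersonates internal staff from outside the perimeter.

Added example (not from the thread). It implements the two ideas discussed:
(1) an internal-domain From address whose first relay hop is outside our own
networks is treated as spoofed, and (2) the social-engineering wording the
thread describes (closure threats, password requests, deadlines) is scored.
INTERNAL_DOMAIN, INTERNAL_NETS and the sample messages are assumptions.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.edu"                        # assumed local domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),   # assumed trusted relays
                 ipaddress.ip_network("192.0.2.0/24")]

# Received: headers are read top-down (most recent hop first); the first
# relay IP that is not ours is the point where the mail entered from outside.
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# (pattern, weight): wording typical of "reply or lose your account" lures.
SE_PATTERNS = [
    (r"account\s+will\s+be\s+(closed|suspended|deactivated)", 2),
    (r"(send|reply\s+with|confirm)\s+.*\bpassword\b", 3),
    (r"within\s+\d+\s+(hours|days)", 1),
]


def external_entry_ip(msg):
    """Return the first relay IP outside INTERNAL_NETS, or None if all hops are ours."""
    for received in msg.get_all("Received", []):
        m = IP_IN_RECEIVED.search(received)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in INTERNAL_NETS):
            return str(ip)
    return None


def spoofed_internal_from(msg):
    """True when From claims our domain but the mail entered from an external relay."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain == INTERNAL_DOMAIN and external_entry_ip(msg) is not None


def social_engineering_score(msg):
    """Sum the weights of every lure pattern found in the (lower-cased) body."""
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    return sum(w for pat, w in SE_PATTERNS if re.search(pat, text))


def classify(raw):
    """Return the list of reasons to hold a message; an empty list means pass."""
    msg = message_from_string(raw)
    reasons = []
    if spoofed_internal_from(msg):
        reasons.append("internal From via external relay %s" % external_entry_ip(msg))
    score = social_engineering_score(msg)
    if score >= 3:
        reasons.append("social-engineering score %d" % score)
    return reasons


# Constructed sample: forged helpdesk mail handed to us by an outside host.
SPOOF = """Received: from mail.example.edu ([10.0.0.5]) by store.example.edu
Received: from web.bad.example ([203.0.113.9]) by mail.example.edu
From: "IT Helpdesk" <helpdesk@example.edu>
Subject: Mailbox quota
Content-Type: text/plain

Your account will be closed within 24 hours unless you reply with your password
to confirm ownership.
"""

# Constructed sample: genuine notice that only ever travelled over our own relays.
LEGIT = """Received: from mail.example.edu ([10.0.0.5]) by store.example.edu
Received: from desk42.example.edu ([10.1.2.3]) by mail.example.edu
From: IT Helpdesk <helpdesk@example.edu>
Subject: Planned maintenance
Content-Type: text/plain

Mail will be unavailable on Saturday 02:00-04:00 for maintenance.
"""

if __name__ == "__main__":
    print("spoof:", classify(SPOOF))
    print("legit:", classify(LEGIT))
```

The relay check is the part that mirrors "block internal From addresses coming from any external SMTP"; the body scoring is only a heuristic for the lures that slip through with an outside From address, and its weights would need tuning against real traffic before use as anything more than a tagging rule.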