Karsten Bräckelmann writes:

> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan writes:

>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?

>> I mean attempts to get my users to send their passwords, are these not
>> called phishing?

> An important bit of information, missing from the OP. Targeted
> attacks at your users, so the general phishing BLs don't really apply.
> Anyway, can't you educate your users that
> (a) Any administrative email will be sent from an official, well known,
> internal address? That means *not* an arbitrary address. Yes, sorry,
> the obvious...
> (b) They will *never* ever be asked for a password by mail. Period.
> Again, obvious...

We've been telling our users this for years, but there is always someone
who doesn't listen, or forgets, or something. I don't know. I find it
absolutely incredible that anyone would fall for any of these, yet I am
the one who has to clean up the mess :P

> Then block internal / administrative From addresses coming from any
> external SMTP.

Yeah, that's done, they don't get by faking our From, but the body is
constructed in a way to mislead and impersonate our "staff" or whatever,
usually by threatening people that their account will be closed unless
they reply.

> This is not a technical way of stopping these, but an educational
> approach to prevent the most dumb and gross social engineering. At least
> the second one actually should be well-known, and I've seen ISPs
> pointing it out frequently...

Thanks, but we've done all of these, and continue to do them; they are
another plank in the various mechanisms that we must employ.
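The two controls the thread touches on, rejecting an internal From address that arrives over an external SMTP hop and spotting the "your account will be closed unless you reply with your password" body, can both be expressed as a small filter. The following is an added example written for this page, not code from either poster or from any list software; the domain `example.edu`, the relay host names, the sample messages and the phrase patterns are all constructed assumptions, and a real deployment would tune the patterns and the trusted-relay list to its own environment.

```python
"""Flag targeted credential-phishing mail (added example, not from the thread).

Check 1: the From header claims one of our internal domains, but the
         message was handed to our MX by a host that is not one of our
         own relays (i.e. it came in over external SMTP).
Check 2: the body uses the social-engineering pattern described in the
         thread: a threat to close/suspend the account plus a request to
         reply with a password.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed local configuration (constructed for this example).
INTERNAL_DOMAINS = {"example.edu"}
INTERNAL_RELAYS = {"mail.example.edu", "mx1.example.edu", "webmail.example.edu"}

# Assumed phrase patterns; re.S lets '.' span folded lines in the body.
THREAT_RE = re.compile(
    r"\b(account|mailbox)\b.{0,60}\b(closed|suspended|deactivated|deleted)\b", re.I | re.S)
CRED_RE = re.compile(r"\b(password|passwd|passphrase)\b", re.I)
REPLY_RE = re.compile(
    r"\b(reply|respond|send)\b.{0,80}\b(password|passwd|details|information)\b", re.I | re.S)


def from_domain(msg: Message) -> str:
    """Domain part of the From address, lower-cased ('' if unparsable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def last_hop_host(msg: Message) -> str:
    """Host named in the newest Received header, i.e. the peer that
    delivered the message to our MX. Received headers are prepended, so
    index 0 is the hop our own MX recorded."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+([\w.-]+)", received[0])
    return m.group(1).lower() if m else ""


def spoofed_internal_from(msg: Message) -> bool:
    """True when an internal From address arrived from a non-internal host."""
    if from_domain(msg) not in INTERNAL_DOMAINS:
        return False
    return last_hop_host(msg) not in INTERNAL_RELAYS


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (decoded) into one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def social_engineering_score(text: str) -> int:
    """One point per pattern: account threat, credential word, reply request."""
    return sum(1 for rx in (THREAT_RE, CRED_RE, REPLY_RE) if rx.search(text))


def classify(raw: str) -> list:
    """Return the list of reasons to hold the message (empty = let it through)."""
    msg = message_from_string(raw)
    reasons = []
    if spoofed_internal_from(msg):
        reasons.append("internal From via external SMTP")
    score = social_engineering_score(body_text(msg))
    if score >= 2:
        reasons.append(f"credential-request body (score {score})")
    return reasons


# Constructed sample messages; 203.0.113.0/24 is a documentation range.
PHISH = """\
Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx1.example.edu
From: "Helpdesk" <helpdesk@example.edu>
To: user@example.edu
Subject: Account verification

Your mailbox will be suspended within 24 hours. To keep it, reply to this
message with your username and password.
"""

LEGIT = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10]) by mx1.example.edu
From: "Helpdesk" <helpdesk@example.edu>
To: user@example.edu
Subject: Scheduled maintenance

The mail system will be offline Sunday 02:00-04:00 for maintenance.
No action is required. We will never ask for your password by email.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, classify(raw) or "clean")
```

Running it prints the spoof and body reasons for the constructed phish and "clean" for the genuine maintenance notice; the legitimate mail scores one point for the word "password", which is why the body check fires only at two or more patterns rather than on a single keyword.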