On Feb 26, 2009, at 8:28 AM, John R. Levine wrote:
>> This also pre-dates organized crime becoming heavily involved, and
>> pre-dates the obsession with browser exploits. Back then a lot of
>> spam was sent by semi-legitimate marketers from the US. These days
>> all the bad guys are out to get you to click on a single link.
> Right. Back in the 90s spammers were trying to build their lists,
> and used fake opt outs to do so. These days through a combination
> of web scraping and dictionary attacks, they have more addresses
> than they know what to do with.
> My advice to people these days is to unsub if a message is from
> someone you've corresponded with before, or if it looks like someone
> who is legit but clueless. Then hit the spam button.
> Regards,
> John Levine, [email protected], Primary Perpetrator of "The Internet
> for Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
> "More Wiener schnitzel, please", said Tom, revealingly.
You're that confident people know the difference between a real
communication from a party they conversed with before and a phish
designed to look like the same thing?
Anyone knowledgeable enough to determine the difference won't need to
be educated, and anyone needing education is not going to be capable
of reliably differentiating.
The only advice that makes sense is "don't click links in e-mail".
The exceptions are (expected) personal communication, or messages that
you fully expected to arrive at the time and date you received them.
There are all kinds of corner cases that could be argued, but I
suspect this is rapidly heading off-topic.
The gist of my point is that users should never be trained to trust e-mail
that hasn't been authenticated.
--
bk