On 2010-05-19 8:23 AM, Kenneth Marshall wrote:
> On Wed, May 19, 2010 at 07:03:12AM -0400, Charles Marcus wrote:
>> He wasn't asking how to delete the queued messages, he was looking for a
>> way to limit the damage if a user account gets compromised in the future
>> (this subject has come up before), and rate-limiting is one way to do
>> that. Enforcing strong passwords is another.
> With replies to phishing attempts and keyboard/password sniffers,
> limiting the damage is often the first step and can also be used to
> help identify the compromised accounts. Strong passwords do not
> help in these situations.

I agree - maybe you misread my response to mean either/or? I did word that part of my response badly. What I meant to suggest was to use *both*, to provide a *layered* approach.

Imo, strong passwords come first - then rate-limit to detect the idiots who fail the phish tests and disable their accounts until the damage can be dealt with appropriately.

Depending on the situation (good for corporates, bad for ISPs), you could also consider adding an internal 'phish test' occasionally (monthly? quarterly?), to catch the idiots in the act, so you can engage them in training sessions on how to recognize phishing attempts.

--
Best regards,
Charles
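The thread's idea of rate-limiting as a way to *identify* compromised accounts, shown as an added example that is not part of the mailing-list post: the script reads constructed Postfix-style `smtpd` submission log lines (hypothetical hostnames, users and IPs; the year is assumed because syslog timestamps omit it) and flags any account that submits more than a threshold of messages inside a sliding window, which is the signal an admin would act on to disable the account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix-style submission log lines (hypothetical host, users, IPs).
# syslog timestamps carry no year, so LOG_YEAR is an assumed value used when parsing.
LOG_YEAR = 2010
SAMPLE_LOG = """\
May 19 08:00:01 mx postfix/smtpd[1001]: 1A2B3C: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:00:04 mx postfix/smtpd[1001]: 1A2B3D: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:00:09 mx postfix/smtpd[1001]: 1A2B3E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:00:15 mx postfix/smtpd[1001]: 1A2B3F: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:01:02 mx postfix/smtpd[1002]: 1A2B40: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
May 19 08:01:20 mx postfix/smtpd[1001]: 1A2B41: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:01:31 mx postfix/smtpd[1001]: 1A2B42: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 19 08:40:00 mx postfix/smtpd[1002]: 1A2B43: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)$"
)

def parse_submissions(log_text):
    """Yield (timestamp, user, client) for each authenticated submission line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated submission; ignore
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["client"]

def flag_bursty_senders(log_text, limit=5, window=timedelta(minutes=10)):
    """Return {user: (time_limit_first_exceeded, client)} for every account that
    submitted more than `limit` messages within any `window`-long interval."""
    recent = defaultdict(deque)  # user -> submission times still inside the window
    flagged = {}
    for ts, user, client in parse_submissions(log_text):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # expire submissions older than the window
            q.popleft()
        if len(q) > limit and user not in flagged:
            flagged[user] = (ts, client)
    return flagged

if __name__ == "__main__":
    for user, (when, client) in flag_bursty_senders(SAMPLE_LOG).items():
        print(f"{user}: exceeded {5} submissions/10min at {when} from {client}")
```

With the sample data, `alice` trips the limit on her sixth submission at 08:01:31 while `bob` never does; the threshold and window are the knobs to tune against a site's normal sending pattern.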