I wrote:
>> I'd still rather block the offending message than intercept responses
>> to it (as that means it has suckered users, which means it has wasted
>> their time). I see APER as a possible aid in that pursuit, though as
>> Jesse has mentioned, it is not fully reliable (as to be determined).
>> Still, these little checks add up, so even if APER gives a message 0.1
>> points, that might be enough to mark it as spam or even block it at
>> the door.
>>
>> As a secondary defense, blocking replies sounds like a grand idea.
Mandy wrote:
> I absolutely agree that the messages should be stopped on their way
> in. I'd rather our users not have an opportunity to be suckered. But
> at least knowing about the replies gives us a way to target our
> education efforts (now, where'd I put that LART...)

Along this light, I'd love to honeypot it; complement phishing detection with an automated responder along the lines of "okay, here's my login information" which of course is connected to a meaningless account that merely informs the admins that somebody has logged on. With that information, the admins can dig up the offending message and see who else received it, they can examine the IP of the login and track who else it has logged in as, and of course, the authorities can be involved. All before the users would have concluded there was a problem.

Going the other direction, I read (maybe a year ago?) that some US government organization was actually sending fake phishing emails to their users. When the user clicks on it, they are informed of what they did and how to prevent it.

KnujOn (or maybe it was somebody else presenting at this year's MIT Spam Conference?) is now pushing for sites taken down for phishing (et al) to be replaced with information on what happened rather than generic placeholders or nothing at all. This is a GRAND idea!
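
The admin-side triage described in the message above (a login to the decoy account flags the source IP, which is then checked against every other account it touched), as an added example that is not part of the original post. The decoy account name, the log format and the sample lines are all assumptions constructed for illustration.

```python
"""Canary-login triage over a constructed auth log (added example)."""

# Hypothetical decoy account whose credentials the auto-responder handed out.
CANARY_ACCOUNTS = {"decoy.jsmith"}

# Constructed sample log; assumed format: "<timestamp> <user> <source-ip> <result>"
SAMPLE_LOG = """\
2024-01-15T09:14:03Z alice 192.0.2.10 success
2024-01-15T09:20:41Z bob 203.0.113.77 success
2024-01-15T09:31:12Z decoy.jsmith 203.0.113.77 success
2024-01-15T09:33:50Z carol 203.0.113.77 failure
2024-01-15T09:40:05Z dave 198.51.100.4 success
2024-01-15T10:02:19Z erin 203.0.113.77 success
garbled line that should be skipped
"""


def parse(log_text):
    """Yield (timestamp, user, ip, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("success", "failure"):
            yield tuple(parts)


def canary_report(log_text, canaries=CANARY_ACCOUNTS):
    """Map each IP that logged in to a canary to the real accounts it touched."""
    events = list(parse(log_text))
    # Nobody legitimate uses a canary, so a successful login marks the IP hostile.
    hostile = {ip for _, user, ip, result in events
               if user in canaries and result == "success"}
    report = {ip: {"compromised": set(), "attempted": set()} for ip in hostile}
    # Scan the whole window: the same IP may have used real stolen
    # credentials before it ever tried the decoy ones.
    for _, user, ip, result in events:
        if ip in hostile and user not in canaries:
            key = "compromised" if result == "success" else "attempted"
            report[ip][key].add(user)
    for entry in report.values():
        entry["attempted"] -= entry["compromised"]
    return {ip: {k: sorted(v) for k, v in entry.items()}
            for ip, entry in report.items()}


if __name__ == "__main__":
    for ip, entry in canary_report(SAMPLE_LOG).items():
        print(ip, entry)
```

Accounts listed under "compromised" are the ones to lock and reset first; those under "attempted" identify users who likely replied to the same message.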