On Tue, 11 Aug 2009, Matus UHLAR - fantomas wrote:
> On 10.08.09 14:56, Charles Gregory wrote:
>> Not at all. I know who logs on when, and I can easily disable their
>> access.
> I should have made that more clear: If there are more _concurrent_ users on
> the same IP (home/office network with NAT), you can only block them all
> or none of them. Even if they have separate mailboxes. You need SMTP
> auth to be able to block only the spamming one.

(nod) You are correct, though on our net this is a rare situation.
Though again, I ask the question, for those who have tried it both ways,
is my seat-of-the-pants guess that theft of a password and illegitimate
use from third-party locations a greater or lesser risk than this?

> Don't you even run webmail being accessible from outside your network?

(nod) Of course. And *that* is actually the promoted alternative for
people 'roaming' outside our network. Again, I could be wrong, and would
welcome input on this, but my feeling is that a webmail interface is a lot
more trouble for a spammer to write scripts for?

> What I'm saying is that it's much easier to block an authenticated user,
> especially if he changes IPs.

Again, this is one of those YMMV situations. In my case, I can identify
the user, and then I filter their connection for *all* port 25. Obviously
something you could not do with a large corporate intranet through a NAT,
but sufficient for my needs.

But just the same, I would *like* to add SMTP-AUTH, as long as I have a
clear conviction that I am not significantly increasing the risk of
having a user spoofed remotely.

> I found out that it's much safer to ask everyone to authenticate; it
> makes the problem with more-or-less anonymous IP addresses (nearly) disappear.

(nod again) The key word being 'anonymous'. I would be forced to choose
SMTP-AUTH and require it for all clients if I could not identify who was
connecting. :)

> .... Luckily many phishes are detectable by SA or ClamAV.

Many, but not all. And... (Charles lowers his voice) ...I have some of the
most computer-ignorant users on the planet. I.e. had a caller this morning
who had to be told that this big box on the floor with all the wires
plugged in the back was what we called "the computer". (smack forehead)

Which leads to another question. Has anyone written a really *good*
generic rule for these phishes? Trouble is, legitimate users could send
'forms' via mail with many of the headers I might test. But I notice they
all come from odd phone numbers or freemail addresses, so I'm working with
that, but the variability of the 'information' lines is annoying. Anyone
got a good generic 'spotter' set of rules/meta?

> I think I'll take all phishes that come onto our company's mailboxes and
> will try to create some filters...

LOL - Shoulda kept reading.

- C
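Charles asks for a generic "spotter" meta rule for the fill-in-this-form phishes, and notes that legitimate users also mail forms but that the phishes tend to come from freemail addresses or quote odd phone numbers. The script below is an added illustration of that meta-rule idea, written for this thread and not code from the list or from SpamAssassin itself: each weak signal (freemail sender, phone number in the body, credential-style form fields, urgency wording) is a separate sub-rule, and the "meta" fires only when several of them coincide, which is what keeps an ordinary payroll form from scoring. Both messages are constructed samples, the freemail domain list is a placeholder (SpamAssassin's FreeMail plugin ships its own), and the regexes and thresholds are assumptions to be tuned on real corpus data.

```python
import email.utils
import re
from email import message_from_string

# Constructed sample 1: a "confirm your mailbox" phish of the kind discussed,
# sent from a freemail-style address with a phone number and credential fields.
SAMPLE_PHISH = """From: "Webmail Support" <helpdesk.verify2009@example-freemail.test>
To: user@example.org
Subject: Your mailbox will be suspended

Dear account owner,

Confirm your account within 24 hours by replying with the information below
or call our support line at +44 70 1234 5678.

Username: .............
Password: .............
Date of birth: .........
"""

# Constructed sample 2: a legitimate internal form that shares the
# "Field: ......" layout but none of the supporting signals.
SAMPLE_LEGIT = """From: payroll@example.org
To: staff@example.org
Subject: Timesheet template for August

Please fill in the form and send it back to payroll.

Employee name: .............
Department: ...........
Hours worked: .........
"""

# Placeholder freemail domains (assumption; a real deployment would use the
# FreeMail plugin's list rather than hand-maintaining one).
FREEMAIL_DOMAINS = {"example-freemail.test", "webmail.test"}

# Sub-rules. Each is a narrow pattern that is harmless on its own.
FORM_FIELD_RE = re.compile(
    r"^\s*(user ?name|pass ?word|date of birth|pin|account ?number)\s*:",
    re.IGNORECASE | re.MULTILINE,
)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URGENCY_RE = re.compile(
    r"\b(within \d+ hours|suspend|verify|confirm your account)\b", re.IGNORECASE
)


def sub_rules(raw_message: str) -> dict:
    """Evaluate each sub-rule and return its hit (bool or hit count)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # samples are single-part plain text
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = from_addr.rpartition("@")[2].lower()
    return {
        "FREEMAIL_FROM": domain in FREEMAIL_DOMAINS,
        "PHONE_IN_BODY": bool(PHONE_RE.search(body)),
        # Counted like a SpamAssassin rule with "tflags multiple".
        "CREDENTIAL_FIELDS": len(FORM_FIELD_RE.findall(body)),
        "URGENCY": bool(URGENCY_RE.search(body)),
    }


def phish_form_meta(raw_message: str, min_fields: int = 2, min_support: int = 2):
    """Meta rule: at least `min_fields` credential-type fields AND at least
    `min_support` of the other signals. Returns (fired, hits) so the
    individual hits can be logged for tuning."""
    hits = sub_rules(raw_message)
    support = sum(
        hits[name] for name in ("FREEMAIL_FROM", "PHONE_IN_BODY", "URGENCY")
    )
    fired = hits["CREDENTIAL_FIELDS"] >= min_fields and support >= min_support
    return fired, hits


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        fired, hits = phish_form_meta(sample)
        print(f"{label}: meta={'HIT' if fired else 'miss'} {hits}")
```

The legitimate form trips none of the supporting sub-rules and its field names are not credential-type, so the meta stays quiet even though it has the same "Field: ......" shape; the phish hits all three supporting signals plus three credential fields. Requiring two supporting signals rather than one is the knob that trades missed phishes for false positives on real forms.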