RE: Spam prevention vs mitigation

["Vincent Yeo" <vincent () systex com sg>]

I second what Champ said.

User education is still the best. But it can only go that far. You can
spend all the time and money on telling them not to do this or do that,
but in the end they ignore your effort. No point in doing too much.

Next, everyone perspective of spam is different. Another example would
be groupons/deals emails. Some people will sign up with a mailing list
email instead of their own. Can you believe that? In the end, 3 out of
10 in the list complained of spam. The other 6 seems to accept it or
ignore it.

What I can say is that, lay down policies and rules for them to follow.
Anyone found breaking it will be on them. It can also happen to bosses
or higher management. But as long as the rule and policies are made
clear and on a frequent basis, so much so that they can remember it
off-hand, they will also be embarrassed about it. At least this takes
some heat off you.

Thanks,
Vincent

DISCLAIMER: This email message and any accompanying attachments may
contain confidential information. If you are not the intended recipient,
do not read, use, disseminate, distribute or copy this message or
attachments. If you have received this message in error, please notify
the sender immediately and delete this message. Any views expressed in
this message are those of the individual sender, except where the sender
expressly, and with authority, states them to be the views of Systex.
Before opening any attachments, please check them for viruses and
defects.
 
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Champ Clark III
Sent: Friday, April 13, 2012 6:03 AM
To: security-basics () securityfocus com
Subject: Re: Spam prevention vs mitigation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> That being said, a let through rate of 3-6 spam/user/day is overly
> high.
>
> Thanks, Erik

Maybe, maybe not.  Depends on the "spam".  For example,  let say the
individual has signed up for an account on Victoria Secrets web site.
 When they did,  then neglected to uncheck mark the "send me e-mail"
box.

Now the user complains about "spam" Victoria Secret.  (I only use them
as an example because i've seen it happen).  The end user will swear
up and down they've "never signed up for it!".   Sure,  they can
"unsubscibe",  but then you're trusting the user to known how to do
this and to actually do it.

Is the username something common like "bob () example com" or
"mary () example com".  Common targets will get hit a lot.   It also
depend on the e-mail volume and they "type" of user they are.  Ie -
they never post to mailing list/group verses someone who always posts
to groups?   What the spam to legit email rate.



- -- 
- - Champ Clark III (cclark () quadrantsec com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPh1EcAAoJENnmXt7Lmc3KIrcH/i6+BpTKi0mToH7/d/DaT8tV
/AGv7hr5g1q2L0zNGGAu7CXKNwDDqYwT5yE2+lL11zLLYJsAZsabiGV7VUOq6SmT
DYKHNmBAWPKj/eYnBokNz2GFqMr42eHVMqNeBxmMIBTQQfI0LZBA12SxA8HTZ8Uu
gpAL+kKBRpx1TZtK9tT4fYpQNiuBZH3H6g0MV6S42+fX5dbihpHce6V3LuoPVH+C
FT9FGGuYo/80FeMTD/nfOCBygWwShXGmMTm1IeShPqt/cyZ1Z7A7sJcAbE7/sjx7
6L6MvmasA+ADSlU/vi9nCFoLCYRgC0DQ3iho2J7kyxxn6TVg9wzjM1d67m2TPZw=
=R1wQ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------