J. Gomez writes:

> Not an option. And sorry but it is not affordable to employ
> security experts in everyday clerical tasks.

It doesn't require *any* *security* expertise on the part of the clerks to deal with the exploit you described in a business context. Since it's direct mail, in a business context it's reasonable to suppose you have a database of qualified vendors including their email addresses, and one would hope an IT department capable of implementing DMARC and filtering out URLs not backed by a DMARC pass from a vendor registered with your company. I.e., you deal only with companies which always send DMARC-conforming mail and publish p=reject, and have IT configure the MTA to quarantine any other mail addressed to clerks which contains clickable links. So all the clerks need to learn is to report unclickable links so that threats can be forwarded to corporate security and unregistered but valid vendor addresses can be registered.

We already have that exploit beat in the business context; it's now up to businesses to adopt safe practices. The problems we must still address are other problems.

> because of email being inherently insecure, and because the
> security experts cannot agree to make it secure after 30 years of
> Internet email been invented.

The exploit you described is indeed *inherent* in a mail system which allows mail to be sent from anyone to anyone without previous acquaintance. In that context, the mail-reading user is always going to be the biggest part of the attack surface.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
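The MTA rule the post describes (deliver mail carrying clickable links only when our own MTA recorded a DMARC pass and the From domain is a registered vendor; quarantine every other linked message so the clerk has something to report rather than something to click) as an added Python illustration. This is not code from the poster or from the IETF dmarc list; the vendor registry, the authserv-id `mx.corp.example`, the helper names and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed vendor registry (assumption): domains the company has qualified,
# all of which publish DMARC p=reject per the post's premise.
REGISTERED_VENDORS = {"vendor.example", "supplies.example"}

# Assumption: our border MTA stamps Authentication-Results with this authserv-id
# and, as RFC 8601 requires, strips any inbound header that already claims it,
# so a sender cannot forge a "dmarc=pass" verdict in our name.
OUR_AUTHSERV_ID = "mx.corp.example"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def dmarc_result(msg):
    """DMARC verdict recorded by our own MTA, or 'none' if it recorded nothing."""
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(ar).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue  # verdicts stamped by other hops are not trusted
        m = DMARC_RE.search(rest)
        if m:
            return m.group(1).lower()
    return "none"


def sender_domain(msg):
    """Domain of the RFC5322.From address, which is what DMARC aligns on."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def clickable_links(msg):
    """All http(s) URLs found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def disposition(raw):
    """Return 'deliver' or 'quarantine' for one raw RFC 5322 message addressed to a clerk."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not clickable_links(msg):
        return "deliver"  # nothing to click, nothing to filter
    if dmarc_result(msg) == "pass" and sender_domain(msg) in REGISTERED_VENDORS:
        return "deliver"
    # Links from anyone else are held; the clerk reports the held message so
    # security can triage it or register a legitimate new vendor.
    return "quarantine"


def _sample(auth_results, from_addr, body):
    """Build a constructed sample message (test data, not real mail)."""
    lines = []
    if auth_results:
        lines.append(b"Authentication-Results: " + auth_results)
    lines += [b"From: " + from_addr, b"To: clerk@corp.example", b"Subject: Invoice",
              b"Content-Type: text/plain; charset=us-ascii", b"", body, b""]
    return b"\n".join(lines)


REGISTERED_PASS = _sample(b"mx.corp.example; dmarc=pass header.from=vendor.example",
                          b"billing@vendor.example",
                          b"Invoice at https://portal.vendor.example/inv/1042")
UNREGISTERED_PASS = _sample(b"mx.corp.example; dmarc=pass header.from=newco.example",
                            b"ap@newco.example", b"See https://newco.example/quote")
DMARC_FAIL = _sample(b"mx.corp.example; dmarc=fail header.from=vendor.example",
                     b"billing@vendor.example", b"Urgent: https://pay.example/now")
FOREIGN_VERDICT = _sample(b"relay.elsewhere.example; dmarc=pass header.from=vendor.example",
                          b"billing@vendor.example", b"https://portal.vendor.example/x")
NO_LINKS = _sample(None, b"anyone@unknown.example", b"Can you call me back?")

if __name__ == "__main__":
    for name, raw in [("registered, pass", REGISTERED_PASS), ("unregistered, pass", UNREGISTERED_PASS),
                      ("registered, fail", DMARC_FAIL), ("foreign verdict", FOREIGN_VERDICT),
                      ("no links", NO_LINKS)]:
        print(f"{name:20s} -> {disposition(raw)}")
```

The FOREIGN_VERDICT case is the one worth noting: a `dmarc=pass` stamped by some other relay carries no weight, because only the verdict from our own MTA's authserv-id is consulted. That check is what makes the rule hold up against a sender who pastes a plausible-looking Authentication-Results header into the message.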