why IPv6 isn't ready for prime time, SMTP edition
lowen at pari.edu
Wed Mar 26 19:56:23 UTC 2014
On 03/26/2014 02:59 PM, Valdis.Kletnieks at vt.edu wrote:
> You *do* realize that the OS vendor can't really do much about users
> who click on stuff they shouldn't, or reply to phishing emails, or
> most of the other ways people *actually* get pwned these days? Hint:
> Microsoft *tried* to fix this with UAC. The users rioted.
Yep, I do realize that and I do remember the UAC 'riots.' But the OS
vendor can make links that are clicked run in a sandbox and make said
sandbox robust. A user clicking on an e-mail link should not be able to
pwn the system. Period.
Most of the phishing e-mails I've sent don't have a valid reply-to,
from, or return-path; replying to them is effectively impossible, and
the linked/attached/inlined payload is the attack vector.
More information about the NANOG