On Feb 26, 2009, at 8:28 AM, John R. Levine wrote:
This also pre-dates organized crime becoming heavily involved, and pre-dates the obsession with browser exploits. Back then a lot of spam was sent by semi-legitimate marketers from the US. These days all the bad guys are out to get you to click on a single link.
Right. Back in the 90s spammers were trying to build their lists, and used fake opt outs to do so. These days through a combination of web scraping and dictionary attacks, they have more addresses than they know what to do with.
My advice to people these days is to unsub if a message is from someone you've corresponded with before, or if it looks like someone who is legit but clueless. Then hit the spam button.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor "More Wiener schnitzel, please", said Tom, revealingly.
You're that confident people know the difference between a real communication from a party they conversed with before and a phish designed to look like the same thing? Anyone knowledgeable enough to determine the difference won't need to be educated, and anyone needing education is not going to be capable of reliably differentiating. The only advice that makes sense is "don't click links in e-mail". The exceptions are (expected) personal communication, or messages that you fully expected to arrive at the time and date you received them. There are all kinds of corner cases that could be argued, but I suspect this is rapidly heading off-topic. The gist of my point is that users should never be trained to trust e-mail that hasn't been authenticated. -- bk