phishing attacks are very common nowadays. Innocent victims click on suspicious links in emails and get infected. I know that to prevent phishing, one of the ways is to educate users on the proper usage of emails and preventive measures. However, my opinion is why not totally strip html links in email messages at the exchange/mail server such that no one has the chance to click on any links ? Modern email servers are able to do this type of filtering. However, i am not sure what are the implications to users. Have you done this before and what obstacles have you faced? thanks
Asked
Active
Viewed 236 times
3
-
1Phishing is where the user clicks on a link that takes them to a site that looks like a legitimate website where they'd normally enter their passwords. What you're describing seems to be some sort of drive by download attack, with a malicious link. – timuzhti Nov 03 '15 at 08:46
1 Answers
2
Of course you could strip all the html links off your e-mails centrally. If you try this, you're likely to get hit by a mass of users complaining about non-working links. You could also just revert html e-mail to text-only in that way images would not get loaded, and all links are visible directly to the user. Bear in mind one of the classic phishing education points is to copy a link to the browser's address bar and see if it appears to be correct. This could be done directly in the mail without having the risk that a user accidentally sends the HTTP request when a malicious URL is copied in the address bar.
Nevertheless, in both "solutions" you will reduce the usability of your e-mail system to increase security. This is the classic trade off. While I agree that sometimes this must be done, I think you will not win with your personnel if you do this. You likely end up annoying more users and result in a less secure environment because people will start to overhear you. In my presented solution (no html mail) the user could still browse to the URL, and based on my experience they will. It's the same as Windows UAC where everyone clicks yes anyway.
Your solution, if I don't mistake it will strip all URLs hence no user could deliberately copy the link and browse to the site. However - and this is where people will start to hate you - not all links are harmful and there is quite often a reason to send a link. Your solution prevents this and people will have to find a way around it. At the end you made the mistake and instead of being a business enabler (god I hate this term), you are blocking business's from working.
So with phishing I would suggest regular education and awareness programms. I know they are not bullet-proof. We all have done it and later run a test case where still people clicked on the links. That's how some of the people are wired and for some it helps to get back to them personally, for others it doesn't (my example the CEO of the client...).
Zonk
- 458
- 2
- 6
-
thanks for sharing your experiences. I guess ultimately, it still comes down to education. – Pang Ser Lark Nov 03 '15 at 08:55