incubator-ooo-users mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: New Guy, Suggestion
Date Tue, 08 May 2012 17:23:09 GMT
On Tue, May 8, 2012 at 9:21 AM, Bill Dillinger <cjbill@his.com> wrote:
> I hope this is an appropriate idea to put forward and that it is OK to post
> it here. I can not always clearly identify the subject or author of an email
> from ooo-users as being from that list. I have always read that, for
> security, one should not open mail one does not expect from an unknown
> author. To reduce this problem other mail lists I am on precede the subject
> with the name of the group in square brackets when sending the mail to the
> group, as example [ooo-users] or perhaps in our case simply [OOo] as some
> seem to use.  If the list would do this I would be much more comfortable
> opening emails with subject lines and authors I don't recognize.
>

This is not really the best current advice.

A few thoughts:

1) What makes you think that someone cannot post a malicious file to
this mailing list?

2) OK, maybe this list strips out attachments and does not forward
them.  But in general, mailing lists are not secured against malicious
file attachments.

3) What prevents someone from sending out emails containing a
malicious file but they bypass the list and just type [OOo] in the
header?  Such 'phishing' attacks via email are quite common.

4) But you might say that this list is so small and obscure, that it
would not be worth someone's time to send out spam pretending to be
from [OOo].  It is not like we're a large bank or some other retailer
typically spoofed in phishing attacks.  But then there is "spear
phishing", where someone goes specifically after you.  They search the
web and see that you are posting to this list, so when they send you
the malicious file they make it look like it is coming from a source
familiar to you, a familiar list, or even a familiar person.  This
happens more times than you might think.

So best practice is not to open unexpected file attachments, even from
people you know.  It might not really be from them.  Don't rely on
"recognition" of names or lists.  Those are trivial to fake.  Digital
signatures can also help, but not everyone uses them.

-Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org

