I’m currently reading /r/sysadmin on reddit at the moment, specifically this post from someone ranting that a user complain that “malware spam e-mail” went to their mail client’s spam folder. While this is classed as a rant on the site and not intended as deep analysis of a problem, their entire comment on this was:
What the hell? This is exactly what it should have done!
I’m really not sure what to say to this, or to the responses that suggest telling the “user” that they’re too dumb to have a job involving computers, except to say that this is wrong-headed thinking of the highest order.
If an email is known to be ‘bad’, that is, if we can say with certainty that it contains malware, or links to malware, then it simply shouldn’t be delivered to the mailbox at all. If something is in the mailbox then it’s a fair possibility it will be opened. Not because ‘users are dumb’ but because we’re all human and can click on anything by accident or at the end of a long day. And a simple scan of /r/sysadmin will show that IT professionals are not immune to doing this themselves.
Leaving aside the issue of things going undetected by your security systems, if your email security scans can identify something with 90% confidence or more as malware-related, or phishing, or even ‘good old-fashioned spam’ then it should be possible to tell it to simply not deliver the email. It should also be possible to quarantine these messages in an area that is separate from the mailbox and prevent non-technical users from being able to release malware by allowing the network manager to control who has access to which types of blocked content.
If your email scanner cannot do that then you have a bad email scanner. If your email scanner can do that but known bad emails end up being delivered to mailboxes anyway then whoever is in charge of that scanner is doing a bad job.
Another post on this thread sums up the reason why a lot of ‘users’ (I do prefer the term ‘customer’) dislike IT professionals quite well:
At some point, these mouth breathers have to take some personal goddamn responsibility. If you walked out into the road without looking because the light said you could, then you get run over, guess what? You’re still dead.
Charmed, I’m sure. Actually, I agree that people do need to take responsibility for their own actions. I won’t, in fairness, defend people who store important email messages in their mail client’s ‘trash’ folder and expect it to still be there the next day.
But responsibility is a two-way thing. I’m responsible for providing the best service to my customers that I can with the budget I have. To me, that includes not delivering known malicious emails to their mailbox, and not calling the customers stupid when my systems get it wrong.
It’s so rare that malware breaks through into our email accounts where I work that our customers pretty much all tell me straight away…
And you know what? I’m glad they tell me and I always thank them politely and assure them they’ve done the right thing by putting a ticket in about it, because that’s much better than guessing for themselves and running malware code.