Posted by: Eric Hansen
SANS recently put up an article involving handling phishing attacks within the network: https://isc.sans.edu/diary.html?storyid=14578
While most of the points are sensible and should be what everyone follows, there is one I actually disagree with: blocking the URL.
Most of the URLs in phishing emails are garbled text that nobody actually reads when the e-mail looks promising and legitimate. Hosting providers also tend to shut down such sites quickly for one reason or another. That makes the cycle of filtering URLs, blocking them, and then unblocking them (so as not to clog up the firewall/DNS lookups) more of a hassle than anything else.
There is very little anyone can do beyond security awareness training to educate users not to click unknown links. What sysadmins should focus on, besides that training, is proper ACLs. As a good example, lock machines down so that downloads land on a specific central server (e.g., mount a remote directory on each machine), feed each file through an AV scanner or similar, and only if everything comes back clean move it to the appropriate directory. With something like Fabric, this is far from difficult to accomplish.
Sysadmins have enough day-to-day tasks as it is; constantly adding and removing websites from the firewall and DNS zones should not be one of them.
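The server-side half of that workflow (scan everything that lands in the central download inbox, release only what comes back clean, quarantine the rest) looks like this. This is an added example, not code from the original post; Fabric would be the piece that pushes the mounts and runs this on the server, which is not shown. The function names (`triage_inbox`, `clamscan_scanner`, `marker_scanner`, `demo`) are assumptions of this example, `clamscan_scanner` assumes ClamAV's `clamscan` is installed, and `marker_scanner` plus the sample files in `demo()` are constructed stand-ins so the whole thing runs offline.

```python
"""Triage for a central download inbox: scan, then release or quarantine."""
from __future__ import annotations

import hashlib
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List

# Verdicts a scanner may return for one file.
CLEAN, INFECTED, ERROR = "clean", "infected", "error"
Scanner = Callable[[Path], str]

# Constructed marker used only by the offline stand-in scanner below.
CONSTRUCTED_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def clamscan_scanner(path: Path) -> str:
    """Scan one file with ClamAV's clamscan (assumed installed).
    clamscan exit status: 0 = clean, 1 = infected, anything else = error."""
    try:
        rc = subprocess.run(["clamscan", "--no-summary", str(path)],
                            capture_output=True, timeout=300).returncode
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ERROR
    return {0: CLEAN, 1: INFECTED}.get(rc, ERROR)


def marker_scanner(path: Path) -> str:
    """Constructed stand-in for an AV engine: flags files containing the marker."""
    try:
        data = path.read_bytes()
    except OSError:
        return ERROR
    return INFECTED if CONSTRUCTED_MARKER in data else CLEAN


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class TriageReport:
    released: List[str] = field(default_factory=list)
    quarantined: Dict[str, str] = field(default_factory=dict)  # name -> reason


def triage_inbox(inbox: Path, clean_dir: Path, quarantine_dir: Path,
                 scanner: Scanner) -> TriageReport:
    """Release a file to clean_dir only on an explicit CLEAN verdict.
    Infected files, scanner errors and non-regular entries all fail closed
    into quarantine, so an AV outage never turns into an open door."""
    report = TriageReport()
    clean_dir.mkdir(parents=True, exist_ok=True)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    for entry in sorted(inbox.iterdir()):
        # Check is_symlink first: is_file() follows links and would say True.
        if entry.is_symlink() or not entry.is_file():
            report.quarantined[entry.name] = "not a regular file"
            if entry.is_symlink():
                entry.unlink()  # drop the link itself, never follow it
            continue
        digest = sha256_of(entry)  # record what was seen before it moves
        verdict = scanner(entry)
        if verdict == CLEAN:
            shutil.move(str(entry), str(clean_dir / entry.name))
            report.released.append(entry.name)
        else:
            # Quarantine under the hash: duplicates do not collide and the
            # attacker-chosen filename is never reused on the server side.
            shutil.move(str(entry), str(quarantine_dir / f"{digest}.bin"))
            report.quarantined[entry.name] = verdict
    return report


def demo() -> TriageReport:
    """Run the triage over a constructed sample inbox in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="inbox-demo-"))
    inbox, clean, quar = root / "inbox", root / "clean", root / "quarantine"
    inbox.mkdir()
    (inbox / "report.pdf").write_bytes(b"%PDF-1.4 constructed clean sample\n")
    (inbox / "invoice.exe").write_bytes(b"MZ " + CONSTRUCTED_MARKER)
    (inbox / "passwd-link").symlink_to("/etc/passwd")  # planted link
    return triage_inbox(inbox, clean, quar, marker_scanner)


if __name__ == "__main__":
    print(demo())
```

Swap `marker_scanner` for `clamscan_scanner` (or any callable with the same verdict contract) to use a real engine; the fail-closed rule in `triage_inbox` is what keeps the central server safe when the scanner itself is missing or times out.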