Re: What a nightmare...
Somebody will *always* click on a link! If your system relies on no one ever making a mistake you are as big a fool as the user, in fact more so because you are paid to stop this.
In fact there are always vulnerabilities in every system, and everyone sooner or later will do something dumb, so you need multiple layers of protection:
- Try and stop spam coming in by severe email filtering and quarantine of any suspect attachment
- Educate users to be vigilant so they don't fall for it (too often)
- Disable as far as possible the ability for spam to run when it does (noexec ACLs on user-writable areas for Windows, equivalent mount option for /home, /tmp and so on in Linux, blocking macros in document readers like Office, Adobe Reader (if you are so unlucky as to have to use it), etc.)
- Limit what successfully run spam can do in terms of access to other machines (network segmentation, file systems mounted read-only if at all possible, etc)
- Have a tested backup and restore system that can't be modified by the target PCs no matter what account privileges they have (also use of frequent snapshots to reduce the window of unrecoverable damage, etc)
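
An added example, not part of the original comment: one way to check the Linux half of the noexec point above, by reading a mount table in `/proc/mounts` format and reporting user-writable paths whose covering filesystem lacks `noexec`. The watched paths beyond /home and /tmp, the function names and the sample table are assumptions of this example.

```python
import os
import re

# User-writable locations named in the comment (/home, /tmp) plus two common
# additions that are this example's assumption.
WATCHED = ["/home", "/tmp", "/var/tmp", "/dev/shm"]

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

def parse_mounts(text):
    """Map mount point -> set of options; later entries shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts writes spaces and similar characters as octal (\040).
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts[point] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that is the path itself or one of its parents."""
    hits = [p for p in mounts if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def audit(text, paths=WATCHED, required=("noexec",)):
    """Return [(path, mount point, missing options)] for paths that fail."""
    mounts = parse_mounts(text)
    findings = []
    for path in paths:
        point = covering_mount(path, mounts)
        missing = [o for o in required if o not in mounts.get(point, set())]
        if missing:
            findings.append((path, point, missing))
    return findings

if __name__ == "__main__":
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE
    for path, point, missing in audit(text):
        print(f"{path}: on {point}, missing {','.join(missing)}")
```

A path that is not its own mount, such as /var/tmp in the sample, is reported against the parent filesystem it inherits its options from.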