Educause Security Discussion mailing list archives

<SPAM> Re: user account compromise?


From: Stephen John Smoogen <smooge () UNM EDU>
Date: Thu, 24 Apr 2008 15:00:29 -0600

Barros, Jacob wrote:
Ken and all.  That was it.  He did reply to one of those phishing scams.
No more than 12 hours before the SPAM was launched.  Any non-internal
legal advice would be appreciated.




I won't even try to give 'legal' advice as I am not a lawyer and do not
know anything about the laws in your state, region, etc., etc.

The two big things I would do are to log all time being used for this event,
and, if you are not trained in forensics, find someone who is before
touching any of the machines to see what's going on. [If that's already
too late, then I would stick with logging all time and actions done by
administrators and users.] After the cleanup is done, do a post-mortem
with your staff, your management and university legal to go over how
much this cost the university, the amount of downtime due to mail not
being accepted, etc. From this, management and legal can come up with a
better idea of what should be done (if in the future we were to spend X
hours making sure users are educated, we won't spend Y hours dealing with
this... but may only spend Z time.)


--
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8219  Email: smooge () unm edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
