Educause Security Discussion mailing list archives

<SPAM> Re: user account compromise?


From: Paul Russell <prussell () ND EDU>
Date: Thu, 24 Apr 2008 23:15:35 -0400

On 4/24/2008 3:34 PM, Joe St Sauver wrote:

> There has been an uptick in spam sent via compromised accounts nationally
> lately; common compromise vectors are either weak passwords being brute
> forced, or passwords being phished (for example, did the student recently
> reply to a message "from you" asking him to verify his password?)
>
> When it comes to tracking who may have been accessing his account, that's
> going to be a function of a couple of things:
>
> -- Do all your server's logs just show activity from the laptop? Or,
>    once the user's credentials were obtained, did they log on directly
>    from somewhere else? (Eastern Europe, the Far East, Nigeria, whatever?)
>    Or are all the logins via random broadband hosts (which are probably
>    botted consumer PCs)?


As Joe notes, miscreants have been targeting colleges and universities with
phishing attacks for the last few months, then using compromised accounts to
send more phishing spam to other institutions, as well as 419 spam, lotto
spam, and who knows how many other kinds of spam.

Message headers on many of the university-sourced spam messages that I have
seen indicate that the webmail sessions originated from IP addresses assigned
to service providers in Lagos, Nigeria.

If you have any of the spam messages in question, check the full headers. If
you do not have any of the spam messages, check the http access log on the
webmail servers for the timeframe in which the messages were sent.

I am not suggesting that the user's computer should not be checked for
malware, just reporting what I have observed on the spam that I have seen.

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell () nd edu
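
The two checks Paul recommends (read the full headers, then the webmail server's HTTP access log for the send window) as an added Python example, not code from the original thread: it pulls the submitting client's IP from the oldest Received: header, then lists that account's webmail hits around the message's Date:, grouped by client IP and flagged when outside placeholder campus ranges. The log format (Apache combined with the authenticated user in the third field), the campus ranges, and every address and timestamp are constructed.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

CAMPUS_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # placeholder ranges
# Constructed spam message; Received: headers are prepended per hop, so the bottom
# one is the webmail server noting which HTTP client submitted the message.
SPAM_MSG = """\
Received: from webmail.example.edu (webmail.example.edu [192.0.2.10])
\tby mx.other.edu (Postfix) with ESMTP id 1234; Thu, 24 Apr 2008 14:02:11 -0400
Received: from 198.51.100.77 (198.51.100.77) by webmail.example.edu
\twith HTTP; Thu, 24 Apr 2008 14:01:58 -0400
Date: Thu, 24 Apr 2008 14:02:00 -0400
"""
# Constructed webmail access log (Apache combined; authenticated user is field 3).
ACCESS_LOG = """\
10.20.30.40 - jstudent [24/Apr/2008:09:12:03 -0400] "GET /webmail/inbox.php HTTP/1.1" 200 8123
198.51.100.77 - jstudent [24/Apr/2008:13:58:40 -0400] "POST /webmail/login.php HTTP/1.1" 302 0
203.0.113.5 - other [24/Apr/2008:14:00:01 -0400] "GET /webmail/ HTTP/1.1" 200 900
198.51.100.77 - jstudent [24/Apr/2008:14:01:57 -0400] "POST /webmail/compose.php HTTP/1.1" 200 512
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" \d{3}')

def origin_ip(raw):
    # Client IP recorded in the oldest (last-listed) Received: header.
    received = message_from_string(raw).get_all("Received", [])
    m = IP_RE.search(received[-1]) if received else None
    return m.group(0) if m else None

def sessions_for(user, sent_at, log_text, window_minutes=10):
    # Hits by `user` within the window around send time, grouped by client IP.
    lo, hi = sent_at - timedelta(minutes=window_minutes), sent_at + timedelta(minutes=window_minutes)
    by_ip = {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, who, ts, req = m.groups()
        if who == user and lo <= datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z") <= hi:
            by_ip.setdefault(ip, []).append(req)
    return {ip: {"off_campus": not any(ip_address(ip) in n for n in CAMPUS_NETS),
                 "requests": reqs} for ip, reqs in by_ip.items()}

def investigate(raw, user, log_text):
    # Does the IP in the headers match a webmail session of this account at send time?
    ip = origin_ip(raw)
    sent_at = parsedate_to_datetime(message_from_string(raw)["Date"])
    sessions = sessions_for(user, sent_at, log_text)
    return {"origin_ip": ip, "origin_in_log": ip in sessions, "sessions": sessions}
```

An off-campus origin that also appears in the account's own webmail sessions at send time points at stolen credentials used directly, which is the distinction Joe draws between a logged-in miscreant and the student's own laptop.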
