Educause Security Discussion mailing list archives
<SPAM> Re: user account compromise?
From: Paul Russell <prussell () ND EDU>
Date: Thu, 24 Apr 2008 23:15:35 -0400
On 4/24/2008 3:34 PM, Joe St Sauver wrote:
> There has been an uptick in spam sent via compromised accounts nationally lately; common compromise vectors are either weak passwords being brute forced, or passwords being phished (for example, did the student recently reply to a message "from you" asking him to verify his password?)
>
> When it comes to tracking who may have been accessing his account, that's going to be a function of a couple of things:
>
> -- Do all your server's logs just show activity from the laptop? Or, once the user's credentials were obtained, did they log on directly from somewhere else? (Eastern Europe, the far east, Nigeria, whatever?) Or are all the logins via random broadband hosts (which are probably botted consumer PCs)?
As Joe notes, miscreants have been targeting colleges and universities with phishing attacks for the last few months, then using compromised accounts to send more phishing spam to other institutions, as well as 419 spam, lotto spam, and who knows how many other kinds of spam. Message headers on many of the university-sourced spam messages that I have seen indicate that the webmail sessions originated from IP addresses assigned to service providers in Lagos, Nigeria.

If you have any of the spam messages in question, check the full headers. If you do not have any of the spam messages, check the http access log on the webmail servers for the timeframe in which the messages were sent.

I am not suggesting that the user's computer should not be checked for malware, just reporting what I have observed on the spam that I have seen.

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell () nd edu
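The two checks Paul describes (read the full headers of a spam sample for the IP the webmail server recorded, then look in the webmail http access log for the same user around the send time) can be scripted. The block below is an added illustration written for this archive page; it is not code from the thread or from any of the posters. Everything in it is constructed: the sample message with a Horde-style "with HTTP" Received hop, the Apache combined-format access log with the webmail user in the authuser field, the hypothetical user "jstudent", and the assumed campus range 10.20.0.0/16. Only the Received hop added by your own webmail server can be trusted; anything below it in the chain is controlled by the sender.

```python
import re
import ipaddress
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample spam relayed through a campus webmail server.
# Received headers are prepended by each hop, so the bottom one is the
# hop the webmail server itself recorded for the browser session.
SAMPLE_SPAM = """Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby mail.other.edu with ESMTP id abc123; Thu, 24 Apr 2008 14:02:11 -0400
Received: from webmail.example.org (webmail.example.org [203.0.113.20])
\tby mx.example.org with ESMTP id def456; Thu, 24 Apr 2008 14:02:09 -0400
Received: from 198.51.100.77 (unknown [198.51.100.77])
\tby webmail.example.org (Horde) with HTTP; Thu, 24 Apr 2008 14:02:05 -0400
From: Some Student <student@example.org>
To: victim@other.edu
Subject: Verify your account
Date: Thu, 24 Apr 2008 14:02:05 -0400

Please reply with your username and password.
"""

# Constructed Apache combined-format lines from the webmail server; the
# assumption here is that the webmail front end fills the authuser field.
SAMPLE_ACCESS_LOG = """\
198.51.100.77 - jstudent [24/Apr/2008:13:58:40 -0400] "POST /horde/imp/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - jstudent [24/Apr/2008:14:02:05 -0400] "POST /horde/imp/compose.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.20.30.40 - jstudent [24/Apr/2008:09:15:02 -0400] "GET /horde/imp/mailbox.php HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
192.0.2.15 - jstudent [24/Apr/2008:14:20:33 -0400] "POST /horde/imp/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.30.41 - aprof [24/Apr/2008:14:01:00 -0400] "GET /horde/imp/mailbox.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

CAMPUS_NETS = ["10.20.0.0/16"]  # assumed campus address space

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def received_hops(raw_message):
    """Bracketed IPs from the Received chain, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = IP_IN_BRACKETS.search(value)
        hops.append(m.group(1) if m else None)
    return list(reversed(hops))


def originating_ip(raw_message):
    """X-Originating-IP if the webmail stamps one, else the earliest Received hop."""
    msg = message_from_string(raw_message)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        return xoip.strip("[] ")
    return next((h for h in received_hops(raw_message) if h), None)


def user_logins(log_text, user, start, end, campus_nets):
    """Group one user's webmail requests within [start, end] by client IP."""
    nets = [ipaddress.ip_network(n) for n in campus_nets]
    out = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") != user:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= end):
            continue
        ip = m.group("ip")
        addr = ipaddress.ip_address(ip)
        entry = out.setdefault(ip, {"hits": 0, "first": ts, "last": ts,
                                    "external": not any(addr in n for n in nets)})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return out


def correlate(raw_message, log_text, user, campus_nets, window=timedelta(hours=1)):
    """Tie the header-derived origin IP to the access log around the Date: header."""
    sent = parsedate_to_datetime(message_from_string(raw_message)["Date"])
    origin = originating_ip(raw_message)
    logins = user_logins(log_text, user, sent - window, sent + window, campus_nets)
    return {"origin_ip": origin, "origin_seen_in_log": origin in logins, "logins": logins}


if __name__ == "__main__":
    report = correlate(SAMPLE_SPAM, SAMPLE_ACCESS_LOG, "jstudent", CAMPUS_NETS)
    print("origin:", report["origin_ip"], "seen in log:", report["origin_seen_in_log"])
    for ip, e in sorted(report["logins"].items()):
        print(ip, e["hits"], "hits", "external" if e["external"] else "campus", e["first"], e["last"])
```

Running it on the constructed data shows the origin 198.51.100.77 both in the bottom Received hop and in the access log at the send time, plus a second off-campus address (192.0.2.15) logging in as the same user twenty minutes later, which is the pattern Joe describes of multiple broadband hosts sharing one stolen credential. On a real server, feed it the spam sample you were forwarded and the access log slice for that window; if the webmail software stamps X-Originating-IP, that header is used first.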
Current thread:
- <SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <Possible follow-ups>
- <SPAM> Re: user account compromise? Cal Frye (Apr 24)
- Re: <SPAM> Re: user account compromise? Dick Jacobson (Apr 24)
- Re: <SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <SPAM> RE: user account compromise? Jenkins, Matthew (Apr 24)
- <SPAM> Re: user account compromise? Paul Russell (Apr 24)