Educause Security Discussion mailing list archives

Compromise Email Accounts


From: Richard Miller <miller () KUTZTOWN EDU>
Date: Wed, 21 Jan 2009 09:59:12 -0500

I am curious how other universities deal with compromised email accounts used to
send out spam.  Student email accounts will inevitably be compromised.  Even
with the best efforts, it can happen.  To me the trick is to reduce the
likelihood (and therefore frequency) and reduce the scope of the resulting
problems.  In particular, I think efforts to combat this can be broken down
into four major areas:


Prevention
----------
- User education - with thousands of new students each year, this is a big
  challenge.  How do you accomplish it effectively?
- An effective anti-spam solution is critical - if phishing messages are
  getting through, it will increase the likelihood of compromise.
- Any other ways of preventing accounts from being compromised?

Detection
---------
- Monitor queue lengths.
- What else can be monitored?

Containment
-----------
- Do you allow students to use IMAP/POP/SMTP or are they required to use a
  web interface (this can potentially reduce the scope of attacks)?
- Do you throttle outbound email and if so, how do you accomplish this?
- Do you scan outbound mail for spam?  If so, how do you deal with false
  positives?
- Any other containment measures?

Cleanup
-------
- Cleanup will largely depend on the mail architecture used.
- Disable compromised account.
- Clean out the mail delivery queue.
- Any other advice?
Thank you for any advice you can offer.


--

Rick Miller
Manager of Servers and Security
Kutztown University

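As an added example (not part of Rick's post), one answer to "what else can be monitored" is per-account outbound volume taken from the submission server's own logs rather than just the queue length. It assumes Postfix-style smtpd/qmgr log lines (the sample below is constructed), that the lines handed to it already cover one monitoring window, and placeholder thresholds that each site would tune.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix-style submission log lines (not real traffic).
# Each message appears twice: an smtpd line with the SASL user and client IP,
# and a qmgr line with the recipient count (nrcpt), joined by the queue id.
SAMPLE_LOG = """\
Jan 21 09:01:02 mail postfix/smtpd[2001]: 1A2B3C: client=lab-pc[10.0.5.7], sasl_method=PLAIN, sasl_username=jdoe
Jan 21 09:01:02 mail postfix/qmgr[1900]: 1A2B3C: from=<jdoe@example.edu>, size=2048, nrcpt=2 (queue active)
Jan 21 09:02:10 mail postfix/smtpd[2001]: 4D5E6F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=asmith
Jan 21 09:02:10 mail postfix/qmgr[1900]: 4D5E6F: from=<asmith@example.edu>, size=3100, nrcpt=50 (queue active)
Jan 21 09:02:15 mail postfix/smtpd[2001]: 7A8B9C: client=unknown[198.51.100.4], sasl_method=LOGIN, sasl_username=asmith
Jan 21 09:02:15 mail postfix/qmgr[1900]: 7A8B9C: from=<asmith@example.edu>, size=3100, nrcpt=50 (queue active)
Jan 21 09:02:20 mail postfix/smtpd[2001]: 0C1D2E: client=unknown[198.51.100.4], sasl_method=LOGIN, sasl_username=asmith
Jan 21 09:02:20 mail postfix/qmgr[1900]: 0C1D2E: from=<asmith@example.edu>, size=3100, nrcpt=50 (queue active)
"""

SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")

def summarize(log_text):
    """Join smtpd auth lines with qmgr lines by queue id; return per-user stats."""
    qid_user, qid_ip = {}, {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid_user[m["qid"]] = m["user"]
            qid_ip[m["qid"]] = m["ip"]
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in qid_user:  # only count authenticated submissions
            s = stats[qid_user[m["qid"]]]
            s["messages"] += 1
            s["recipients"] += int(m["n"])
            s["ips"].add(qid_ip[m["qid"]])
    return stats

def flag_accounts(stats, max_msgs=20, max_rcpts=100, max_ips=2):
    """Usernames whose send volume or source-IP spread exceeds the placeholder thresholds."""
    return sorted(u for u, s in stats.items()
                  if s["messages"] > max_msgs
                  or s["recipients"] > max_rcpts
                  or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    for user in flag_accounts(summarize(SAMPLE_LOG)):
        print("review account:", user)
```

Feeding the flagged list into the containment step (disable the account, then drain its messages from the queue) is the obvious next hop; the IP-spread check also catches an account that is suddenly used from several unfamiliar networks even when its volume stays low.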