Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Wed, 21 Jan 2009 12:05:53 -0500


Prevention
----------
- User education - with thousands of new students each year, this is a big
  challenge.  How do you accomplish it effectively?


We have some indication that user education has helped: repeated October awareness campaigns, direct emails to 
people who fall for the attacks, and alerts when a widespread attack occurs. All of these have weaknesses. People are 
overwhelmed with communications and ignore them, 25% or so of students leave every year, etc. It helps but clearly 
can't be relied upon. When you think about the numbers, even if an awareness campaign were 95% effective, that's still 
way too many people responding. 


- An effective anti-spam solution is critical - if phishing messages are
  getting through, it will increase likelihood of compromise.
- Any other ways of preventing accounts from being compromised?

Detection
---------
- Monitor queue lengths.

Yes. We also investigate any incidents to find out what address the victim replied to and search the logs for anyone 
else who replied to it. This helps prevent future misuse. Blocking replies to known phishing response addresses helps 
stop a number of people from successfully responding. In my experience most people won't respond twice if you point out 
to them that they fell for a scam. 


- What else can be monitored?

Containment
-----------
- Do you allow students to use IMAP/POP/SMTP or are they required to use a
  web interface (this can potentially reduce the scope of attacks)?

What we've seen is that compromised accounts will be utilized via webmail, not via IMAP/POP. 

- Do you throttle outbound email and if so, how do you accomplish this?
- Do you scan outbound mail for spam?  If so, how do you deal with false
  positives?
- Any other containment measures?

Cleanup
-------
- Cleanup will largely depend on the mail architecture used.
- Disable compromised account.

Yes, also finding out if anyone else responded to the same message. 


- Clean out mail delivery queue
- Any other advice?

It's interesting to note that Symantec's "Report on the Underground Economy" lists the value of email passwords as 
$4-$30; credit cards run from $0.10-$25. Email passwords have more value than credit cards on the underground market. 

You might consider automated methods for dropping/blocking email from anyone who sends more than a few hundred messages 
at a time.


Zach
-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
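
The two log-driven checks described in this message (finding everyone else who replied to a known phishing response address, and flagging accounts that send to a few hundred recipients at a time) as an added example; this is not code from the thread or from Calvin College. It assumes a constructed, simplified one-line-per-message log format and constructed sample lines; the addresses and the 300-recipient threshold are illustrative.

```python
import re
from collections import Counter

# Assumed simplified format: one line per message carrying sender, recipient and
# recipient count. Real MTA logs (e.g. Postfix) split these across lines by queue ID,
# so a production version would first join them on that ID.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ mail: from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> nrcpt=(?P<nrcpt>\d+)$"
)

# Constructed sample log: two users reply to the phisher's address in the morning,
# then one of them (now compromised) blasts out bulk mail via the same account.
SAMPLE_LOG = """\
Jan 21 09:01:12 mx1 mail: from=<alice@example.edu> to=<friend@example.com> nrcpt=1
Jan 21 09:03:40 mx1 mail: from=<bob@example.edu> to=<acct-verify@example.net> nrcpt=1
Jan 21 09:04:02 mx1 mail: from=<carol@example.edu> to=<acct-verify@example.net> nrcpt=1
Jan 21 11:15:09 mx1 mail: from=<bob@example.edu> to=<undisclosed-recipients:;> nrcpt=400
Jan 21 11:16:30 mx1 mail: from=<bob@example.edu> to=<undisclosed-recipients:;> nrcpt=250
Jan 21 11:20:00 mx1 mail: from=<dave@example.edu> to=<list@example.edu> nrcpt=120
"""

def parse_log(text):
    """Return one dict per line matching the assumed format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["nrcpt"] = int(rec["nrcpt"])
            records.append(rec)
    return records

def other_repliers(records, phish_reply_addr, victim):
    """Senders other than the reporting victim who also wrote to the phisher's address."""
    return sorted({r["sender"] for r in records
                   if r["rcpt"].lower() == phish_reply_addr.lower()
                   and r["sender"] != victim})

def bulk_senders(records, threshold=300):
    """Senders whose recipient total over the log window exceeds the threshold."""
    totals = Counter()
    for r in records:
        totals[r["sender"]] += r["nrcpt"]
    return {s: n for s, n in totals.items() if n > threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(other_repliers(recs, "acct-verify@example.net", victim="bob@example.edu"))
    print(bulk_senders(recs))
```

In practice the first function drives the "contact everyone who replied and block the response address" step, and the second feeds an automated outbound throttle or account-disable action.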
