Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Wed, 21 Jan 2009 12:05:53 -0500
> Prevention
> ----------
> - User education - with thousands of new students each year, this is a
>   big challenge. How do you accomplish it effectively?
We have some indication that user education has helped. Repeated October awareness campaigns, direct emails to people who fall for the attacks, and alerts when a widespread attack occurs. All of these have weaknesses. People are overwhelmed with communications and ignore them, 25% or so of students leave every year, etc. It helps but clearly can't be relied upon. When you think about the numbers, even if an awareness campaign was 95% effective, that's still way too many people responding.
> - An effective anti-spam solution is critical - if phishing messages are
>   getting through, it will increase the likelihood of compromise.
> - Any other ways of preventing accounts from being compromised?
>
> Detection
> ---------
> - Monitor queue lengths.
Yes. We also investigate any incidents to find out what address the victim replied to and search the logs for anyone else who replied to it. This helps prevent future misuse. Blocking replies to known phishing response addresses helps stop a number of people from successfully responding. In my experience most people won't respond twice if you point out to them that they fell for a scam.
> - What else can be monitored?
>
> Containment
> -----------
> - Do you allow students to use IMAP/POP/SMTP or are they required to use
>   a web interface (this can potentially reduce the scope of attacks)?
What we've seen is that compromised accounts will be utilized via webmail not via IMAP/POP.
> - Do you throttle outbound email and if so, how do you accomplish this?
> - Do you scan outbound mail for spam? If so, how do you deal with false
>   positives?
> - Any other containment measures?
>
> Cleanup
> -------
> - Cleanup will largely depend on the mail architecture used.
> - Disable compromised account.
Yes, also finding out if anyone else responded to the same message.
> - Clean out mail delivery queue
> - Any other advice?
It's interesting to note that Symantec's "Report on the Underground Economy" lists the value of email passwords as $4-$30; credit cards run from $0.10-$25. Email passwords have more value than credit cards on the underground market.

You might consider automated methods for dropping/blocking email from anyone who sends more than a few hundred messages at a time.

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
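The two log searches the message above describes, written out as an added example that is not code from the original post or from Calvin College: first, given the drop address one victim replied to, find every other local account that also wrote to it; second, flag any account that sends more than a few hundred messages in a short window. The log format, the addresses, the local domain and the policy values (200 recipients inside a 5-minute sliding window) are all assumptions, and the log lines are constructed for the demo.

```python
"""Two checks from the thread above: who else wrote to a phishing reply
address, and which accounts sent a burst of outbound mail.

Added example, not code from the original message.  The log format is a
constructed simplification: one line per recipient,
    "<ISO-8601 time> from=<sender> to=<recipient>"
Real Postfix/Sendmail logs spread one message over several lines that
must be joined on the queue ID first; that join is out of scope here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]*)>$")

# Assumed policy values: "more than a few hundred messages at a time".
BULK_THRESHOLD = 200          # recipients
BULK_WINDOW_SECONDS = 300     # within any 5-minute sliding window
LOCAL_DOMAIN = "example.edu"  # assumed local domain


def parse_log(lines):
    """Return (timestamp, sender, recipient) tuples in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3).lower()))
    events.sort()
    return events


def responders_to(events, phish_addresses, local_domain=LOCAL_DOMAIN):
    """Local accounts that sent anything to a known phishing reply address.

    This is the search run after one victim reports a scam: their reply
    reveals the attacker's drop address, and every other local sender to
    that address is a likely victim to warn and a candidate for blocking.
    """
    drops = {a.lower() for a in phish_addresses}
    hits = defaultdict(list)
    for ts, sender, rcpt in events:
        if rcpt in drops and sender.endswith("@" + local_domain):
            hits[sender].append((ts.isoformat(), rcpt))
    return dict(hits)


def bulk_senders(events, threshold=BULK_THRESHOLD, window_seconds=BULK_WINDOW_SECONDS):
    """Senders whose recipient count exceeds `threshold` inside any sliding
    window of `window_seconds`; the value is the ISO time the rule first
    fired.  A sliding window rather than a daily total keeps a slow,
    legitimate list sender from tripping the rule on volume alone."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # sender -> timestamps inside the window
    flagged = {}
    for ts, sender, _rcpt in events:
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and sender not in flagged:
            flagged[sender] = ts.isoformat()
    return flagged


def build_sample_log():
    """Constructed log lines for the demo; not real traffic."""
    t0 = datetime(2009, 1, 21, 9, 0, 0)
    drop = "verify-desk@webmail-support.example"  # assumed attacker address
    lines = [
        f"{t0.isoformat()} from=<alice@{LOCAL_DOMAIN}> to=<{drop}>",
        f"{(t0 + timedelta(minutes=3)).isoformat()} from=<bob@{LOCAL_DOMAIN}> to=<{drop}>",
        f"{(t0 + timedelta(minutes=4)).isoformat()} from=<carol@{LOCAL_DOMAIN}> to=<dave@{LOCAL_DOMAIN}>",
        "Jan 21 09:05:00 mx1 postfix/smtpd[123]: connect from unknown",  # ignored by the parser
    ]
    # Bob's credentials were phished; two hours later the account sends
    # 250 messages at one per second.
    for i in range(250):
        ts = t0 + timedelta(hours=2, seconds=i)
        lines.append(f"{ts.isoformat()} from=<bob@{LOCAL_DOMAIN}> to=<victim{i}@example.net>")
    # A legitimate list sends the same total at one per 30 s: no burst.
    for i in range(250):
        ts = t0 + timedelta(hours=3, seconds=30 * i)
        lines.append(f"{ts.isoformat()} from=<listserv@{LOCAL_DOMAIN}> to=<member{i}@example.net>")
    return lines


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("replied to drop address:", responders_to(evts, ["verify-desk@webmail-support.example"]))
    print("bulk senders:", bulk_senders(evts))
```

On the sample data both alice and bob show up as responders to the drop address, and only bob is flagged as a bulk sender: the list server sends the same 250 messages but spread over two hours, which is why the rate is measured over a sliding window and not as a daily count. In practice the flagged account feeds the "disable compromised account / clean out the queue" steps, and the drop address goes onto the outbound block list.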