Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Steven Tardy <sjt5 () ITS MSSTATE EDU>
Date: Tue, 3 Feb 2009 14:10:59 -0600
I had a "lightbulb" moment a few months ago. Most of the compromised logins are from IPs contained in the Spamhaus SBL list.

1) Check every login against the Spamhaus SBL list.
2) Reject emails with an "X-Originating-IP" in the Spamhaus SBL list.

PS: Augment the Spamhaus BL with your own BL after each compromised account.

Steven Tardy
Network Services
Mississippi State University

Richard Miller wrote:

> I am curious how other universities deal with compromised email accounts used to send out spam. Student email accounts will inevitably be compromised. Even with the best efforts, it can happen. To me the trick is to reduce the likelihood (and therefore frequency) and reduce the scope of the resulting problems. In particular, I think efforts to combat this can be broken down into four major areas:
>
> Prevention
> ----------
> - User education - with thousands of new students each year, this is a big challenge. How do you accomplish it effectively?
> - An effective anti-spam solution is critical - if phishing messages are getting through, it will increase the likelihood of compromise.
> - Any other ways of preventing accounts from being compromised?
>
> Detection
> ---------
> - Monitor queue lengths.
> - What else can be monitored?
>
> Containment
> -----------
> - Do you allow students to use IMAP/POP/SMTP or are they required to use a web interface (this can potentially reduce the scope of attacks)?
> - Do you throttle outbound email and if so, how do you accomplish this?
> - Do you scan outbound mail for spam? If so, how do you deal with false positives?
> - Any other containment measures?
>
> Cleanup
> -------
> - Cleanup will largely depend on the mail architecture used.
> - Disable compromised account.
> - Clean out mail delivery queue.
> - Any other advice?
>
> Thank you for any advice you can offer.
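The two checks Steven describes (login source IP against the Spamhaus SBL, and the X-Originating-IP header of outbound mail against the same list, both augmented with a local blocklist) are a DNSBL lookup plus a header parse. The following is an added example, not code from the thread or from Spamhaus: it builds the reversed-octet query name under sbl.spamhaus.org, interprets the 127.0.0.x answer, and layers a local blocklist on top. The resolver is pluggable so the example runs offline against a constructed answer table; `socket_resolver` is the hypothetical production hook, and all IP addresses and the sample message are constructed values.

```python
import ipaddress
import socket
from email import message_from_string
from email.policy import default as default_policy
from typing import Callable, List, Optional, Tuple

SBL_ZONE = "sbl.spamhaus.org"
# Spamhaus documents 127.255.255.x answers as query errors (blocked resolver,
# rate limit), not listings; any other 127.0.0.0/8 answer is a listing.
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """DNSBL lookups reverse the IPv4 octets and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def socket_resolver(name: str) -> Optional[str]:
    """Production resolver (hypothetical hook): an A record means listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed


def sbl_listed(ip: str, resolver: Resolver, zone: str = SBL_ZONE) -> bool:
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    code = ipaddress.ip_address(answer)
    if code in ERROR_CODES:
        # Fail loud rather than silently treating an error code as a listing.
        raise RuntimeError(f"DNSBL query error code {answer}")
    return code in LISTED_RANGE


class LocalBlocklist:
    """Your own BL, grown after each compromised account (CIDRs or single IPs)."""

    def __init__(self) -> None:
        self._nets: List[ipaddress.IPv4Network] = []

    def add(self, cidr: str) -> None:
        self._nets.append(ipaddress.ip_network(cidr, strict=False))

    def __contains__(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)


def login_allowed(ip: str, resolver: Resolver, local_bl: LocalBlocklist) -> Tuple[bool, str]:
    """Check 1: a login from a listed IP is refused; local list is consulted first."""
    if ip in local_bl:
        return False, "local blocklist"
    if sbl_listed(ip, resolver):
        return False, "spamhaus sbl"
    return True, "ok"


def originating_ip(raw_message: str) -> Optional[str]:
    """Pull the IP out of X-Originating-IP; webmail usually writes it as [a.b.c.d]."""
    msg = message_from_string(raw_message, policy=default_policy)
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    return value.strip().strip("[]")


def accept_message(raw_message: str, resolver: Resolver, local_bl: LocalBlocklist) -> Tuple[bool, str]:
    """Check 2: reject outbound mail whose originating IP fails the same tests."""
    ip = originating_ip(raw_message)
    if ip is None:
        return True, "no X-Originating-IP header"
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, "malformed X-Originating-IP"
    return login_allowed(ip, resolver, local_bl)


# Constructed offline answer table standing in for the real DNSBL.
CONSTRUCTED_SBL = {
    dnsbl_query_name("198.51.100.7"): "127.0.0.2",        # constructed listing
    dnsbl_query_name("203.0.113.99"): "127.255.255.254",  # constructed error code
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_SBL.get(name)


# Constructed sample message from a webmail session.
SAMPLE_MESSAGE = (
    "From: student@example.edu\n"
    "To: victim@example.net\n"
    "X-Originating-IP: [198.51.100.7]\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    bl = LocalBlocklist()
    bl.add("192.0.2.0/24")  # constructed: netblock seen in a past compromise
    print(login_allowed("192.0.2.10", constructed_resolver, bl))
    print(login_allowed("198.51.100.7", constructed_resolver, bl))
    print(accept_message(SAMPLE_MESSAGE, constructed_resolver, bl))
```

Wiring this in means calling `login_allowed` from the authentication path (IMAP/POP/webmail) with the client address, and `accept_message` from the outbound MTA's content filter; swap `constructed_resolver` for `socket_resolver` or a proper DNS library. Treat error codes as "decide later", never as a listing, or an upstream resolver problem turns into a campus-wide login outage.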
Current thread:
- Re: Compromise Email Accounts, (continued)
- Re: Compromise Email Accounts Zach Jansen (Jan 21)
- Re: Compromise Email Accounts Roger Safian (Jan 21)
- Re: Compromise Email Accounts Mike Porter (Jan 21)
- Re: Compromise Email Accounts Schumacher, Adam J (Jan 21)
- Re: Compromise Email Accounts Jesse Thompson (Jan 21)
- Re: Compromise Email Accounts Russell Fulton (Jan 29)
- Re: Compromise Email Accounts Sabo, Eric (Jan 29)
- Re: Compromise Email Accounts Joe Vieira (Jan 30)
- Re: Compromise Email Accounts Russell Fulton (Feb 02)
- Re: Compromise Email Accounts Daniel Bennett (Feb 03)
- Re: Compromise Email Accounts Steven Tardy (Feb 03)
- Re: Compromise Email Accounts Jeremy Mooney (Feb 03)
- Re: Compromise Email Accounts Steven Tardy (Feb 03)
- Re: Compromise Email Accounts Jeremy Mooney (Feb 04)
- Re: Compromise Email Accounts Kellogg, Brian D. (Feb 04)