Educause Security Discussion mailing list archives

Re: Protecting from phishing


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Mon, 19 Oct 2009 15:25:37 -0500

John LaPrad wrote:
We have had multiple users, faculty and students fall for phishing
exploits in the past few months. We have an education program, we block
spam (some still slips through), we wrote custom filters to make sure no
one replies to phishing emails (they started embedding links to websites
instead) and these phishing attempts are still working occasionally.
I was wondering if it would be reasonable to front the email servers
with a system, like some banks do, where the system remembers your IP
and whenever you connect from a new IP, you have to take some additional
step before getting in.
I think that this would stop the phishers.
Is anyone doing something like this, or heard of it?
Maybe I am missing something, and this simply would not work?
I appreciate any feedback.

I agree with what Gary said about the possibility of phishers bypassing
this by using SMTP.  While they clearly prefer to use webmail, I have
seen them use SMTP after we boot them out of webmail but don't disable
the account.

We stay on top of most compromised accounts by monitoring when users
reply to addresses on the APER list
(http://code.google.com/p/anti-phishing-email-reply/).  We force a
password reset for these users.

If an account is compromised, then we have been able to stop the spam
from being sent out by implementing outbound spam rate limiting.  We
scan all outbound mail for spam and then rate limit only the spam to 50
messages/hour/user.  We haven't had any normal users get tripped up by
this rate limiting, and it has successfully prevented the spammers from
delivering more than a handful of messages by the time we are able to
disable the account.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
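
The outbound control described in the message above, sketched as an added example (not code from the post or from UW-Madison's mail system): a per-user sliding window that counts only messages an outbound scanner has flagged as spam and limits those to 50 per hour. The class and function names, the `is_spam` verdict input, the "defer" action and the flagged-account set are assumptions made for illustration.

```python
from collections import defaultdict, deque

SPAM_LIMIT = 50        # from the post: 50 spam messages/hour/user
WINDOW_SECONDS = 3600  # one hour


class OutboundSpamLimiter:
    """Rate-limit only spam-flagged outbound mail, per authenticated user."""

    def __init__(self, limit=SPAM_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._spam_times = defaultdict(deque)  # user -> times of accepted spam
        self.flagged = set()  # accounts that hit the limit (review / reset)

    def check(self, user, is_spam, now):
        """Return 'accept' or 'defer' for one outbound message.

        is_spam is the verdict of the outbound scanner (assumed input).
        """
        if not is_spam:
            return "accept"  # clean mail is never counted or limited
        times = self._spam_times[user]
        # Drop entries that have aged out of the one-hour window.
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.limit:
            self.flagged.add(user)  # likely compromised account
            return "defer"
        times.append(now)
        return "accept"


def simulate():
    """Constructed traffic: a normal user and a compromised account."""
    lim = OutboundSpamLimiter()
    # 'alice' sends 200 clean messages; none are limited.
    clean = [lim.check("alice", False, t) for t in range(200)]
    # 'bob' is compromised: 500 spam-flagged messages, one per second.
    burst = [lim.check("bob", True, t) for t in range(500)]
    # One hour after bob's first spam, a single slot has aged out.
    later = lim.check("bob", True, 3600)
    return (clean.count("accept"), burst.count("accept"),
            burst.count("defer"), later, sorted(lim.flagged))


if __name__ == "__main__":
    print(simulate())
```

Because clean mail never touches the counter, a normal user's volume cannot trip the limit; only accounts whose mail the scanner flags are slowed, and the flagged set gives a list of accounts to disable or reset.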

