Educause Security Discussion mailing list archives
Re: Protecting from phishing
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Mon, 19 Oct 2009 15:25:37 -0500
John LaPrad wrote:
We have had multiple users, faculty and students fall for phishing exploits in the past few months. We have an education program, we block spam (some still slips through), we wrote custom filters to make sure no one replies to phishing emails (they started embedding links to websites instead) and these phishing attempts are still working occasionally. I was wondering if it would be reasonable to front the email servers with a system, like some banks do, where the system remembers your IP and whenever you connect from a new IP, you have to take some additional step before getting in. I think that this would stop the phishers. Is anyone doing something like this, or heard of it? Maybe I am missing something, and this simply would not work? I appreciate any feedback.
I agree with what Gary said about the possibility phishers bypassing this by using SMTP. While they clearly prefer to use webmail, I have seen them use SMTP after we boot them out of webmail but don't disable the account. We stay on top of most compromised accounts by monitoring when users reply to addresses on the APER list (http://code.google.com/p/anti-phishing-email-reply/) We force a password reset for these users. If an account is compromised, then we have been able to stop the spam from being sent out by implementing outbound spam rate limiting. We scan all outbound mail for spam and then rate limit only the spam to 50 messages/hour/user. We haven't had any normal users get tripped up by this rate limiting, and it has successfully prevented the spammers from delivering more than a handful of messages by the time we are able to disable the account. Jesse -- Jesse Thompson Division of Information Technology, University of Wisconsin-Madison Email/IM: jesse.thompson () doit wisc edu
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Protecting from phishing John LaPrad (Oct 19)
- <Possible follow-ups>
- Re: Protecting from phishing Joel Rosenblatt (Oct 19)
- Re: Protecting from phishing Paul Kendall (Oct 19)
- Re: Protecting from phishing Flynn, Gerald (Oct 19)
- Re: Protecting from phishing Jesse Thompson (Oct 19)
- Re: Protecting from phishing Leo Song (Oct 20)
- Re: Protecting from phishing Valdis Kletnieks (Oct 20)
- Re: Protecting from phishing Valdis Kletnieks (Oct 20)
- Re: Protecting from phishing John LaPrad (Oct 20)