Educause Security Discussion mailing list archives
Re: New e-mail attack using valid webmail accounts
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Fri, 7 Mar 2008 11:29:23 -0600
Michael H. Martel wrote:
> --On March 5, 2008 9:08:22 PM -0500 "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU> wrote:
>
>> Luckily we monitor our queues and were paged when this attack took place. We quickly responded by investigating, disabling the account, and then
>
> What do you use to monitor your queues? This sounds like something a lot of sites should be doing.
At UW Madison, we spam-scan our outbound mail, but we only log the results at this point. You'd be surprised how difficult it is to identify spam originating from authenticated users.

Anti-spam relies heavily on IP blacklists/reputation services, so if you scan outbound mail you will have a high false negative rate since your IP space will not be on any blacklists. You'll also have a high false positive rate since many legitimate customers will be assigned a blacklisted IP by their ISP. Relying on pure content scanning is not enough for many spam/phishing campaigns.

If you don't impose any rate control on authenticated traffic (we don't), it is easy to detect the abuse since your outbound mail queues will spike; especially if the spammer is sending to a lot of invalid addressees. It helps if you separate your queues so that outbound authenticated mail is not lumped in with outbound forwarded mail.

If you do impose rate control on authenticated traffic, then identification of abuse will be harder since it won't stand out from the crowd.

Jesse

--
Jesse Thompson
UW Madison
Email/IM: jesse.thompson () doit wisc edu
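The queue-spike detection described in the message above, sketched as an added example (not part of the original post and not UW Madison's tooling). The sample depths, the queue names and the median/MAD threshold are constructed assumptions; the point shown is that the same burst is flagged on a separate authenticated queue but is lost in the noise when authenticated and forwarded mail share one queue.

```python
import statistics
from collections import defaultdict

# Constructed samples: "HH:MM <authenticated queue depth> <forwarded queue depth>"
SAMPLES = """\
09:00 12 900
09:05 15 1500
09:10 11 700
09:15 14 1300
09:20 13 1100
09:25 12 600
09:30 16 1600
09:35 13 1000
09:40 240 1200
"""

def parse(text):
    """Build one depth series per queue, plus a 'combined' series that
    models a site where both kinds of mail share a single queue."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, auth, fwd = line.split()
        auth, fwd = int(auth), int(fwd)
        series["authenticated"].append((ts, auth))
        series["forwarded"].append((ts, fwd))
        series["combined"].append((ts, auth + fwd))
    return series

def is_spike(history, current, k=6.0):
    """Robust outlier test: current depth exceeds median + k scaled MADs."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    # Floor the MAD at 1 so a perfectly flat history does not alert on +1.
    return current > med + k * 1.4826 * max(mad, 1.0)

def find_spikes(series, window=8, k=6.0):
    """Return (queue, time, depth) for every sample that spikes against
    the preceding `window` samples of the same queue."""
    alerts = []
    for queue, points in series.items():
        for i in range(window, len(points)):
            history = [depth for _, depth in points[i - window:i]]
            ts, depth = points[i]
            if is_spike(history, depth, k):
                alerts.append((queue, ts, depth))
    return alerts

if __name__ == "__main__":
    for queue, ts, depth in find_spikes(parse(SAMPLES)):
        print(f"ALERT {ts} queue={queue} depth={depth}")
```
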