Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Fri, 7 Mar 2008 11:29:23 -0600

Michael H. Martel wrote:
> --On March 5, 2008 9:08:22 PM -0500 "Jenkins, Matthew"
> <matthew.jenkins () FAIRMONTSTATE EDU> wrote:
>
>> Luckily we monitor our queues and were paged when this attack took place.
>> We quickly responded by investigating, disabling the account, and then
>
> What do you use to monitor your queues?  This sounds like something a
> lot of sites should be doing.

At UW Madison, we spam-scan our outbound mail, but we only log the
results at this point.  You'd be surprised how difficult it is to
identify spam originating from authenticated users.  Anti-spam relies
heavily on IP blacklists/reputation services, so if you scan outbound
mail you will have a high false negative rate since your IP space will
not be on any blacklists.  You'll also have a high false positive rate
since many legitimate customers will be assigned a blacklisted IP by
their ISP.  Relying on pure content scanning is not enough for many
spam/phishing campaigns.

If you don't impose any rate control on authenticated traffic (we
don't), it is easy to detect the abuse since your outbound mail queues
will spike; especially if the spammer is sending to a lot of invalid
addressees.  It helps if you separate your queues so that outbound
authenticated mail is not lumped in with outbound forwarded mail.

If you do impose rate control on authenticated traffic, then
identification of abuse will be harder since it won't stand out from the
crowd.

Jesse

--
  Jesse Thompson
  UW Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
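The detection Jesse describes (a compromised authenticated account shows up as a spike in outbound volume, especially to many invalid addresses) can be scripted against submission logs. The script below is an added illustration and is not code from this thread or from UW Madison; the log format it parses is constructed for the example and is not any particular MTA's format, and the thresholds (100 recipients per 10 minutes, 20% invalid recipients) are arbitrary assumptions to be tuned per site.

```python
"""Flag authenticated senders whose outbound submissions spike or whose
recipients are largely invalid.

The log format is CONSTRUCTED for this example (not a real MTA format):
    <ISO timestamp> user=<auth user> rcpts=<recipients> invalid=<rejected>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice sends normal low-volume mail; bob's account
# suddenly submits bursts of 50 recipients each, ~40% of them non-existent.
SAMPLE_LOG = """\
2008-03-05T21:00:01 user=alice rcpts=2 invalid=0
2008-03-05T21:03:15 user=alice rcpts=1 invalid=0
2008-03-05T21:05:00 user=bob rcpts=50 invalid=18
2008-03-05T21:05:07 user=bob rcpts=50 invalid=22
2008-03-05T21:05:14 user=bob rcpts=50 invalid=20
2008-03-05T21:05:20 user=bob rcpts=50 invalid=25
2008-03-05T21:40:00 user=alice rcpts=3 invalid=0
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": kv["user"],
        "rcpts": int(kv["rcpts"]),
        "invalid": int(kv["invalid"]),
    }


def find_bursting_senders(log_text, window=timedelta(minutes=10),
                          max_rcpts=100, max_invalid_ratio=0.2):
    """Return {user: reason} for accounts that either exceed max_rcpts
    recipients inside any sliding time window, or whose overall share of
    invalid recipients exceeds max_invalid_ratio.  Both thresholds are
    assumptions for the example; tune them to the site's normal traffic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["user"]].append(e)

    flagged = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])

        # Check 1: high invalid-recipient ratio (harvested/guessed addresses).
        total_rcpts = sum(e["rcpts"] for e in evs)
        total_invalid = sum(e["invalid"] for e in evs)
        if total_rcpts and total_invalid / total_rcpts > max_invalid_ratio:
            flagged[user] = (f"invalid-recipient ratio "
                             f"{total_invalid / total_rcpts:.2f}")
            continue

        # Check 2: recipient volume within a sliding window of submissions.
        start = 0
        in_window = 0
        for end, e in enumerate(evs):
            in_window += e["rcpts"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                in_window -= evs[start]["rcpts"]
                start += 1
            if in_window > max_rcpts:
                flagged[user] = f"{in_window} recipients within {window}"
                break
    return flagged


if __name__ == "__main__":
    for user, reason in find_bursting_senders(SAMPLE_LOG).items():
        print(f"ALERT {user}: {reason}")
```

Running it on the constructed sample flags only bob. Keeping authenticated submissions in their own log (or queue), as the message suggests, is what makes this per-account view possible; forwarded mail mixed in would inflate the counts for unrelated reasons.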
