Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Mon, 10 Mar 2008 08:39:34 -0400

The account was easily identified by checking mail tracking logs.  It
was a student's account.  I am certain the attack was random as no other
accounts or services were targeted.  We checked audit logs on other
services the student had access to (e.g. registration, payment, online
classes, etc.) and the attacker did not use the credentials anywhere
except on webmail.  The person sending the spam had an IP address
originating in the Netherlands.  Whether they were physically at that
location we'll never know [without spending a lot of resources].

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruggeman, John
Sent: Friday, March 07, 2008 3:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New e-mail attack using valid webmail accounts

Did you find out what account was compromised or who was sending the
spam?  What I'm wondering is if the attack was random or if someone
targeted your site?

Thank you for sharing how you monitor your queues, I was wondering that
myself.

Best,
John

===================================================
John Bruggeman     Director of Information Systems
Hebrew Union College - Jewish Institute of Religion
Cincinnati   *  New York  * Los Angeles *  Jerusalem
jbruggeman () huc edu    http://www.huc.edu 

 
