Educause Security Discussion mailing list archives
Re: user account compromise?
From: "Brian K. Doré" <bkd () LOUISIANA EDU>
Date: Thu, 24 Apr 2008 15:19:53 -0500
Did someone simply put your user's return address on a batch of spam? Or is one of your campus mail servers the source of the email?

If it's the former, then there is not much you can do. You might be able to find more information about the source by examining the headers in bounced mail, but more than likely you'll just find someone with a compromised machine being used as a spambot.

If the mail originated from your servers, then you should have logs to determine more about the situation.

I'll pass on the responsibility questions...

Brian

Brian Doré
University of Louisiana at Lafayette

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, April 24, 2008 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: user account compromise?

Beginning around 5:30pm yesterday, SPAM messages were sent from a student's user account. The student claims to not know what is happening... and I think I believe him. He actually sent an email about the problem to our helpdesk at 1 am because he was getting so many delayed delivery and NDR messages. We are still examining his laptop. So far my assumption is that his account was compromised as copies of the message are actually in his sent items and drafts folders. Anyone disagree with that assumption? Sounds like a ludicrous question but is there any way I can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable policies are in place. Should campus departments or otherwise be notified of the compromise? Any non-internal legal ramifications here, i.e. I am getting many responses from users who received the message. Should I reply to them? Does that imply that we claim responsibility? Should I mention that it actually was our fault when I try to get off the blacklists we are already on?

Is this topic better suited for the email admin discussion group? Any advice or shared experience would be appreciated.

Jake Barros
Grace College
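
The bounced-mail header check suggested in the reply above, as an added example that is not part of either post: it reads the Received headers of the original message attached to a bounce and reports whether the mail was handed off from a campus address or only carried a forged return address. The function names, the hosts `mx.example.net` and `mail.campus.example`, and all addresses are constructed; it assumes the bounce attaches the original as `message/rfc822`.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[a.b.c.d]" in a Received line
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def returned_original(bounce):
    """Return the original message attached to a bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def handoff_ip(msg):
    """First non-internal IP found reading Received headers top-down.
    The top headers were stamped by the site that bounced the mail; lower
    ones could be forged by the sender. Assumes that site's own relays
    appear with private or loopback addresses."""
    for hdr in msg.get_all("Received") or []:
        for text in IP_RE.findall(hdr):
            ip = ip_address(text)
            if not any(ip in net for net in INTERNAL):
                return ip
    return None

def classify(bounce_text, campus_nets):
    """Return 'campus-server', 'forged-return-address' or 'undetermined'."""
    orig = returned_original(message_from_string(bounce_text))
    ip = handoff_ip(orig) if orig is not None else None
    if ip is None:
        return "undetermined"
    nets = [ip_network(n) for n in campus_nets]
    return "campus-server" if any(ip in n for n in nets) else "forged-return-address"

def sample_bounce(connecting_ip):
    """Constructed bounce; hosts and addresses are documentation values."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        "Received: from mx.example.net (localhost [127.0.0.1])\n\tby mx.example.net\n"
        f"Received: from mail.campus.example ([{connecting_ip}])\n\tby mx.example.net\n"
        "From: student@campus.example\nSubject: constructed sample\n\nbody\n"
        "--b1--\n"
    )
```

A "campus-server" result means the local mail logs for that timestamp are the next place to look; "undetermined" covers bounces that return no original message or no usable address.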