Educause Security Discussion mailing list archives

Re: user account compromise?


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Thu, 24 Apr 2008 16:29:05 -0400

Doesn't Exchange log the machine and/or IP that makes the connection? So if this is a compromise of the user's credentials, you should be able to at least know the machine's general location based on what IP connected to Exchange with his credentials.

Versus, if it was from his own laptop, then it has a spambot/rootkit/backdoor of some sort, so you would have to analyze connections to that machine for the same time period.

Greg
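
As an added example (not part of Greg's message or anyone else's in this thread), the Python script below does the check Greg describes: it reads an Exchange 2003 message tracking log, lists the client IPs that submitted mail as the student, and reports any address that first shows up when the spam began. The log layout (tab-separated W3C extended format with a `#Fields:` header) is the real Exchange 2000/2003 one, but every row, hostname, Event-ID value and address in `SAMPLE_LOG` is constructed for the example, and the cut-off time and account name are assumptions.

```python
"""Triage an Exchange 2003 message tracking log for a suspected account compromise.

Added example, not from the thread.  Exchange 2000/2003 tracking logs are
tab-separated W3C extended logs whose column order is declared by a '#Fields:'
line, so the parser reads that line instead of hard-coding columns.  SAMPLE_LOG
is CONSTRUCTED: the field names follow the real header, but the rows, hosts,
Event-ID values and the 10.x / 203.0.113.x addresses are made up.
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname "
          "server-IP Recipient-Address Event-ID MSGID Priority "
          "Recipient-Report-Status total-bytes Number-Recipients "
          "Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address")


def _row(date, time, ip, host, rcpt, event, msgid, subject, sender):
    """One constructed tracking row; columns the analysis ignores are '-' or 0."""
    return "\t".join([date, time, ip, host, "-", "MAIL01", "10.20.30.5", rcpt,
                      event, msgid, "0", "0", "2048", "1", f"{date} {time}",
                      "0", "Version: 6.0.3790.0", "-", subject, sender])


STUDENT = "student@example.edu"                # assumed account under review
BURST_START = datetime(2008, 4, 23, 21, 0)     # tracking logs stamp rows in GMT

SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "#Version: 6.0",
    f"#Fields: {FIELDS}",
    # Baseline: the student's own mail, sent from a campus lab PC.
    _row("2008-4-21", "13:02:10 GMT", "10.20.30.41", "LAB-PC-17", "prof@example.edu",
         "1019", "<m1@mail.example.edu>", "homework question", STUDENT),
    _row("2008-4-22", "09:15:44 GMT", "10.20.30.41", "LAB-PC-17", "friend@example.net",
         "1019", "<m2@mail.example.edu>", "lunch?", STUDENT),
    # The burst: same account, a client address never seen before.
    _row("2008-4-23", "21:30:02 GMT", "203.0.113.77", "-", "victim1@example.org",
         "1019", "<s1@mail.example.edu>", "Cheap meds", STUDENT),
    _row("2008-4-23", "21:30:03 GMT", "203.0.113.77", "-", "victim1@example.org",
         "1031", "<s1@mail.example.edu>", "Cheap meds", STUDENT),
    _row("2008-4-23", "21:30:05 GMT", "203.0.113.77", "-", "victim2@example.org",
         "1019", "<s2@mail.example.edu>", "Cheap meds", STUDENT),
    _row("2008-4-23", "21:30:09 GMT", "203.0.113.77", "-", "victim3@example.org",
         "1019", "<s3@mail.example.edu>", "Cheap meds", STUDENT),
    # Unrelated traffic, and a truncated row the parser must not misalign.
    _row("2008-4-23", "21:31:00 GMT", "10.20.30.88", "STAFF-PC-2", "dean@example.edu",
         "1019", "<o1@mail.example.edu>", "minutes", "staff@example.edu"),
    "2008-4-23\t21:32:00 GMT\t10.20.30.1",
])


def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue                                  # other directives, blanks
        elif fields is None:
            raise ValueError("data row before #Fields header")
        else:
            values = line.split("\t")
            if len(values) == len(fields):            # skip truncated rows
                records.append(dict(zip(fields, values)))
    return records


def record_time(rec):
    """Rows carry e.g. Date '2008-4-23' and Time '21:30:02 GMT' (format assumed)."""
    return datetime.strptime(f"{rec['Date']} {rec['Time']}", "%Y-%m-%d %H:%M:%S GMT")


def client_ips_for_sender(records, sender, start=None, end=None):
    """Map client-ip -> (distinct messages, first seen, last seen) for `sender`.
    One message leaves several rows (one per event, often per recipient), so
    distinct MSGIDs are counted rather than rows."""
    msgids, first, last = defaultdict(set), {}, {}
    for rec in records:
        if rec["Sender-Address"].lower() != sender.lower():
            continue
        t = record_time(rec)
        if (start is not None and t < start) or (end is not None and t > end):
            continue
        ip = rec["client-ip"]
        msgids[ip].add(rec["MSGID"])
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
    return {ip: (len(ids), first[ip], last[ip]) for ip, ids in msgids.items()}


def new_sources(records, sender, cutoff):
    """Client IPs that sent as `sender` after `cutoff` but never before it."""
    before = client_ips_for_sender(records, sender, end=cutoff)
    after = client_ips_for_sender(records, sender, start=cutoff)
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    recs = parse_tracking_log(SAMPLE_LOG)
    for ip, (n, first, last) in client_ips_for_sender(recs, STUDENT).items():
        print(f"{ip:15} {n:3} msgs  {first:%Y-%m-%d %H:%M} .. {last:%H:%M} GMT")
    print("new sources after cutoff:", new_sources(recs, STUDENT, BURST_START))
```

Two caveats when running this against a real log. The client-ip column records whatever handed the message to Exchange: for an SMTP submission that is the sending machine, but mail sent through Outlook Web Access is submitted by the Exchange/IIS server itself, so the browser's address has to be pulled from the IIS logs on the OWA server instead. And an IP in the campus range does not settle the question Greg raises: it only tells you which machine to pull for the connection analysis he describes.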


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, April 24, 2008 4:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Our mail server IS the source of the messages, based on looking at the headers and logs from the server itself (MS Exchange 2003). I will dig and see what he has replied to in the last few months. Good suggestion. Thanks so far all!!!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian K. Doré
Sent: Thursday, April 24, 2008 4:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Did someone simply put your user's return address on a batch of spam? Or is one of your campus mail servers the source of the email?

If it's the former, then there is not much you can do. You might be able to find more information about the source by examining the headers in bounced mail, but more than likely you'll just find someone with a compromised machine being used as a spambot.

If the mail originated from your servers, then you should have logs to determine more about the situation.

I'll pass on the responsibility questions...

Brian

Brian Doré
University of Louisiana at Lafayette
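
Brian's suggestion of reading the headers in the bounced mail, worked through as an added example (this code is not part of his message or of anything else in the thread): the script pulls the original message out of an NDR, whether it was returned whole (message/rfc822) or as headers only (text/rfc822-headers), walks its Received: chain from the first hop to the last, and reports whether the campus server appears as a relaying hop, which points at a compromised account or a campus machine, or never appears, which means only the return address was borrowed. Both bounces are constructed; `mail.example.edu` stands in for the campus mail server and the addresses come from documentation ranges.

```python
"""Walk the Received: chain of the message returned inside a bounce (NDR).

Added example.  Both bounces below are CONSTRUCTED; mail.example.edu stands in
for the campus mail server and the IPs come from documentation ranges.
"""
import re
from email import message_from_string
from email.message import Message

OUR_MAIL_HOSTS = {"mail.example.edu"}      # assumption: the campus mail server(s)

# "from <helo> (<rdns> [<ip>]) ... by <host>" as most MTAs write it.  The rdns
# token is optional because some servers write only "from pc17 ([ip])".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

# Bounce 1: the message really went through our server, handed in by 203.0.113.77.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: student@example.edu
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to victim1@example.org failed: user unknown.

--b1
Content-Type: message/rfc822

Received: from mail.example.edu (mail.example.edu [10.20.30.5])
\tby mx.example.org with ESMTP; Wed, 23 Apr 2008 21:30:07 +0000
Received: from pc17 ([203.0.113.77])
\tby mail.example.edu with Microsoft SMTPSVC(6.0.3790.3959);
\tWed, 23 Apr 2008 17:30:02 -0400
From: student@example.edu
To: victim1@example.org
Subject: Cheap meds

Buy now.
--b1--
"""

# Bounce 2: only the return address was forged; our server never touched it.
SAMPLE_SPOOFED_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: student@example.edu
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/rfc822-headers

Received: from dsl-198-51-100-23.example.isp ([198.51.100.23])
\tby mx.example.org with SMTP; Wed, 23 Apr 2008 21:35:11 +0000
From: student@example.edu
To: victim2@example.org
Subject: Cheap meds
--b2--
"""


def returned_original(bounce: Message):
    """The original message an NDR carries, or None.  Most MTAs attach it whole
    (message/rfc822); some return only its headers (text/rfc822-headers)."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None


def received_chain(msg: Message):
    """Hops in chronological order: each MTA prepends its own Received: line,
    so the bottom header is the first hop and the top one the last."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(raw.split())                 # unfold continuation lines
        m = HOP_RE.search(value)
        hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]} if m
                    else {"helo": None, "ip": None, "by": None, "raw": value})
    return hops


def classify(hops, our_hosts=OUR_MAIL_HOSTS):
    """('relayed-by-us', ip) with the address that handed the message to our
    server, the one line in the chain we wrote ourselves and can trust; else
    ('spoofed-return-address', claimed_origin), where the origin comes from
    headers we did not write and may itself be forged."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() in our_hosts:
            return "relayed-by-us", hop["ip"]
    return "spoofed-return-address", (hops[0]["ip"] if hops else None)


def triage_bounce(text):
    """Full pipeline for one raw bounce: (verdict, ip, number_of_hops)."""
    original = returned_original(message_from_string(text))
    if original is None:
        return "no-original-returned", None, 0
    hops = received_chain(original)
    verdict, ip = classify(hops)
    return verdict, ip, len(hops)


if __name__ == "__main__":
    for name, text in (("relayed", SAMPLE_BOUNCE), ("spoofed", SAMPLE_SPOOFED_BOUNCE)):
        print(name, triage_bounce(text))
```

The trust boundary is the point to keep in mind when reading the output: only the Received: line your own server added, and the hops above it, are reliable. Everything below that line arrived inside the message and can be forged, so in the spoofed case the reported origin is merely what the sender's chain claims, which is why Brian expects it to lead to someone else's compromised machine rather than to the spammer.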



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, April 24, 2008 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: user account compromise?

Beginning around 5:30pm yesterday, SPAM messages were sent from a student's user account. The student claims to not know what is happening... and I think I believe him. He actually sent an email about the problem to our helpdesk at 1 am because he was getting so many delayed delivery and NDR messages. We are still examining his laptop.

So far my assumption is that his account was compromised, as copies of the message are actually in his sent items and drafts folders. Anyone disagree with that assumption? Sounds like a ludicrous question, but is there any way I can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable policies are in place. Should campus departments or otherwise be notified of the compromise? Any non-internal legal ramifications here, i.e. I am getting many responses from users who received the message. Should I reply to them? Does that imply that we claim responsibility? Should I mention that it actually was our fault when I try to get off the blacklists we are already on?

Is this topic better suited for the email admin discussion group? Any advice or shared experience would be appreciated.

Jake Barros
Grace College
