Educause Security Discussion mailing list archives
Re: Spammer got into my Webmail
From: Robin Polak <robin.polak () GMAIL COM>
Date: Wed, 10 Sep 2008 11:07:30 -0400
Thank you very much for the pointers. I am checking out those lists.

On Wed, Sep 10, 2008 at 05:38, Ben Spencer <ben.spencer () moody edu> wrote:

Probably no help with this specific case or cleaning up, but you might find it useful to join the HIED-EMAILADMIN list (http://listserv.nd.edu/archives/hied-emailadmin.html). That might also lead you to http://code.google.com/p/anti-phishing-email-reply/ and the http://groups.google.com/group/anti-phishing-email-reply-discuss list, which discuss these things and publish reply-to addresses which can be blocked (once they are known), which all might be helpful with email matters (and protecting yourself from future such issues).

Benji Spencer
System Administrator
Moody Bible Institute
Phone: 312-329-2288
Fax: 312-329-8961

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Robin Polak
*Sent:* Tuesday, September 09, 2008 9:04 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Spammer got into my Webmail

Hello,

One of my webmail users was fooled into revealing his credentials to a spammer, and now I am dealing with the backlash of all this spam having left our SMTP servers as well as much mail still left in the outbound sendmail queues. Is there any advice that any of you could provide me as far as filtering out the spam from my sendmail queues, as well as any procedures I could follow to counteract the effects of blacklisting, such as a generally checked whitelist?

In addition, as a result of this incident I have found a flaw in the tracking of mail between our webmail (Horde/IMP), Cyrus IMAP, and Sendmail. What sort of suggestion could be made as far as effectively being able to correlate my logs? Is there a way to put a header into a message leaving IMP indicating the user-name that was used to log in to Horde? This would have been quite useful since in some way the spammer was able to spoof the From address in the message to be a yahoo.com address.

--
Robin Polak, Network Manager
College of Mount Saint Vincent
E-Mail: robin.polak () gmail com
V. 718-405-3293

--
Robin Polak
E-Mail: robin.polak () gmail com
V. 917-494-2080