Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Wed, 21 Jan 2009 10:51:26 -0600
Hi Richard. See inline.

Richard Miller wrote:

> I am curious how other universities deal with compromised email accounts used to send out spam. Student email accounts will inevitably be compromised. Even with the best efforts, it can happen.

Emeritus faculty/staff are more prone to compromise than students. The "net" generation tends to be more aware of phishing.

> To me the trick is to reduce the likelihood (and therefore frequency) and reduce the scope of the resulting problems. In particular, I think efforts to combat this can be broken down into four major areas:
>
> Prevention
> ----------
> - User education - with thousands of new students each year, this is a big challenge. How do you accomplish it effectively?

Use multiple methods (email, postal, flyers, news, etc.), and keep doing it (e.g. at the start of each semester).

> - An effective anti-spam solution is critical - if phishing messages are getting through, it will increase the likelihood of compromise.

Yep, this is crucial. Count on 1% of your users responding to a phish that makes it past spam filters. Hold your vendor accountable.

> - Any other ways of preventing accounts from being compromised?

Scan your logs for any outbound messages destined for any of these addresses. Force a password reset for any reply to a phish.
http://code.google.com/p/anti-phishing-email-reply/

Find ways to make it easier for users to identify legitimate email, so that they can more easily identify suspicious email. For instance, use digital signatures.

> Detection
> ---------
> - Monitor queue lengths.

Yep, but it's already too late by that point.

> - What else can be monitored?

Look for changes to the users' personal webmail signatures. The spammers like to put the content of their spam into the signatures. Identify suspect IPs (most are in Nigeria) and scan your logs for suspicious activity from those IPs.

> Containment
> -----------
> - Do you allow students to use IMAP/POP/SMTP, or are they required to use a web interface (this can potentially reduce the scope of attacks)?

Web is the most common vector, surprisingly.

> - Do you throttle outbound email and if so, how do you accomplish this?

We looked into this, but concluded that we would have to set the limit so high for normal usage that it wouldn't effectively thwart spammers.

> - Do you scan outbound mail for spam? If so, how do you deal with false positives?

Rate-limit outbound spam instead of rejecting it. We allow 50 outbound spam messages per hour per user before we reject.

> - Any other containment measures?
>
> Cleanup
> -------
> - Cleanup will largely depend on the mail architecture used.
> - Disable compromised account.

Prevent the user from resetting to an old password.

> - Clean out mail delivery queue
> - Any other advice?

After disabling the account, make sure there aren't any active webmail sessions open by the spammer.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu
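One way to implement the log scan for phish replies that Jesse describes above (an added example, not code from anyone in the thread): match outbound recipients against a list of known phish reply addresses and flag the sending accounts for a forced password reset. The addresses, log lines and regexes are constructed here and assume Postfix-style qmgr/smtp records that share a queue ID.

```python
"""Flag local accounts that replied to a known phish drop-box address.
Example code, not from the thread; all data below is constructed."""
import re
from collections import defaultdict

# Constructed reply-to addresses; in practice this set would be fed from a
# shared list such as the anti-phishing-email-reply project linked above.
PHISH_REPLY_ADDRESSES = {
    "upgrade-team@example.net",
    "webmail.admin@example.org",
}

# Constructed Postfix-style log: a qmgr "from=" record and an smtp "to="
# record for each message, linked by the queue ID after the process name.
SAMPLE_LOG = """\
Jan 21 09:01:02 mx1 postfix/qmgr[123]: 4A1B2C3D: from=<alice@campus.example.edu>, size=812, nrcpt=1 (queue active)
Jan 21 09:01:03 mx1 postfix/smtp[124]: 4A1B2C3D: to=<upgrade-team@example.net>, relay=mail.example.net[192.0.2.10]:25, status=sent (250 ok)
Jan 21 09:05:10 mx1 postfix/qmgr[123]: 5E6F7A8B: from=<bob@campus.example.edu>, size=2048, nrcpt=1 (queue active)
Jan 21 09:05:11 mx1 postfix/smtp[125]: 5E6F7A8B: to=<colleague@example.com>, relay=mail.example.com[192.0.2.20]:25, status=sent (250 ok)
Jan 21 09:09:40 mx1 postfix/qmgr[123]: 9C0D1E2F: from=<carol@campus.example.edu>, size=600, nrcpt=1 (queue active)
Jan 21 09:09:41 mx1 postfix/smtp[126]: 9C0D1E2F: to=<WebMail.Admin@example.org>, relay=mail.example.org[192.0.2.30]:25, status=sent (250 ok)
"""

FROM_RE = re.compile(r": (\w+): from=<([^>]*)>")
TO_RE = re.compile(r": (\w+): to=<([^>]*)>")


def find_phish_replies(log_text, phish_addresses=PHISH_REPLY_ADDRESSES):
    """Return {sender: [recipient, ...]} for every sender whose message was
    delivered to a listed phish reply address. Comparison is case-insensitive
    because spammers vary the case of the drop-box address."""
    senders = {}                 # queue ID -> sender address
    hits = defaultdict(list)
    wanted = {a.lower() for a in phish_addresses}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        if m and m.group(2).lower() in wanted:
            sender = senders.get(m.group(1))   # None if the from= record is missing
            if sender:
                hits[sender].append(m.group(2).lower())
    return dict(hits)


def accounts_to_reset(log_text):
    """Sorted list of accounts to force a password reset on (anyone who replied)."""
    return sorted(find_phish_replies(log_text))


if __name__ == "__main__":
    for acct, rcpts in find_phish_replies(SAMPLE_LOG).items():
        print(f"force password reset: {acct} (replied to {', '.join(rcpts)})")
```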