Re: Compromise Email Accounts

[Jesse Thompson <jesse.thompson () DOIT WISC EDU>]

Also, consider searching the archives of the
HIED-EMAILADMIN () LISTSERV ND EDU list.  There have been many discussions
of this topic on that list.

Jesse

Jesse Thompson wrote:
> Hi Richard.  See inline.
>
> Richard Miller wrote:
> > I am curious how other universities deal with compromise email
> > accounts used to
> > send out spam.  Student email accounts will inevitably be
> > compromised.  Even
>
> Emeritus faculty/staff are more prone to compromise than students.  The
> "net" generation tends to be more aware of phishing.
>
>
> > with the best efforts, it can happen.  To me the trick is to reduce the
> > likelihood (and therefore frequency) and reduce the scope of the
> > resulting
> > problems.  In particular, I think efforts to combat this can be broken
> > down
> > into four major areas:
> >
> >
> > Prevention
> > ----------
> > - User education - with thousands of new students each year, this is a
> > big
> >   challenge.  How do you accomplish it effectively?
>
> Use multiple methods (email, postal, flyers, news, etc), and keep doing
> it (e.g. at the start of each semester).
>
>
> > - An effective anti-spam solution is critical - if phishing messages are
> >   getting through, it will increase likelihood of compromise.
>
> yep, this is crucial.  Count on 1% of your users will respond to a phish
> that makes it past spam filters.  Hold your vendor accountable.
>
>
> > - Any other ways of preventing accounts from being compromised?
>
> Scan your logs for any outbound messages destined for any of these
> addresses.  Force a password reset for any reply to a phish.
> http://code.google.com/p/anti-phishing-email-reply/
>
> Find ways to make it easier for users to identify legitimate email, so
> that they can more easily identify suspicious email.  For instance, use
> digital signatures.
>
>
> > Detection
> > ---------
> > - Monitor queue lengths.
>
> yep, but it's already too late by that point.
>
>
> > - What else can be monitored?
>
> Look for changes to the users' personal webmail signatures.  The
> spammers like to put the content of their spam into the signatures.
>
> Identify suspect IPs (most are in Nigeria) and scan your logs for
> suspicious activity from those IPs.
>
>
> > Containment
> > -----------
> > - Do you allow students to use IMAP/POP/SMTP or are they required to
> > use a
> >   web interface (this can potentially reduce the scope of attacks)?
>
> Web is the most common vector, surprisingly.
>
>
> > - Do you throttle outbound email and if so, how do you accomplish this?
>
> We looked into this, but concluded that we would have to set the limit
> so high for normal usage that it wouldn't effectively thwart spammers.
>
>
> > - Do you scan outbound mail for spam?  If so, how do you deal with false
> >   positives?
>
> Rate-limit outbound spam instead of rejecting it.  We allow 50 outbound
> spam messages per hour per user before we reject.
>
>
> > - Any other containment measures?
> >
> > Cleanup
> > -------
> > - Cleanup will largely depend on the mail architecture used.
> > - Disable compromised account.
>
> Prevent the user from resetting to an old password.
>
>
> > - Clean out mail delivery queue
> > - Any other advice?
>
> After disabling the account, make sure there aren't any active webmail
> sessions open by the spammer.
>
> Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature