Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 21 Jan 2009 13:01:44 -0600

At 11:05 AM 1/21/2009, Zach Jansen put fingers to keyboard and wrote:

Prevention
----------
You might consider automated methods for dropping/blocking email from anyone who
sends more than a few hundred messages at a time.

We have been working with this idea for a month or so.  I had high hopes, but they
have been totally dashed.  We still use the work; right now, if anyone sends more than
100 messages in any hour-long window, we get notified with the from address, subject,
and a statistical breakdown of the domains being sent to.

For the most part, these show legitimate traffic.  Sharing of research data, departmental
announcements, etc.  They do also pull those who fall for the phishing, and it's not
that difficult to separate that legitimate mail from the bogus, so we continue to
use it.  I don't think it would be safe to automate this check, based solely on the
number of messages being sent.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
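
The hourly-window notification described in the message above, sketched as an added example (not code from the original post or from the poster's site). The record layout, function names and addresses are assumptions, and the sample traffic is constructed. It only builds the report for a human to review and does not block anything.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 100  # notify when a sender exceeds this many messages in any window

def find_bulk_senders(records, threshold=THRESHOLD, window=WINDOW):
    """records: iterable of (timestamp, sender, recipient, subject) tuples.
    Returns {sender: report}, built the first time a sender crosses the threshold."""
    recent = defaultdict(deque)  # sender -> messages still inside the sliding window
    alerts = {}
    for ts, sender, rcpt, subject in sorted(records, key=lambda r: r[0]):
        q = recent[sender]
        q.append((ts, rcpt, subject))
        while ts - q[0][0] >= window:  # drop messages an hour old or older
            q.popleft()
        if len(q) > threshold and sender not in alerts:
            domains = Counter(r.rsplit("@", 1)[-1].lower() for _, r, _ in q)
            subjects = Counter(s for _, _, s in q)
            alerts[sender] = {
                "count": len(q),
                "first_seen": q[0][0],
                "top_subject": subjects.most_common(1)[0][0],
                "domains": {d: round(100 * n / len(q), 1)
                            for d, n in domains.most_common()},
            }
    return alerts

def sample_records():
    """Constructed traffic: a phished account, a departmental mailing, a normal user."""
    t0 = datetime(2009, 1, 21, 9, 0)
    ext = ["example.com", "example.net", "example.org", "mail.example.com"]
    recs = []
    for i in range(150):  # one message every 20 s to scattered outside domains
        recs.append((t0 + timedelta(seconds=20 * i), "phished@example.edu",
                     f"user{i}@{ext[i % 4]}", "Verify your webmail account"))
    for i in range(120):  # one message every 5 s, all on campus
        recs.append((t0 + timedelta(seconds=5 * i), "dept-office@example.edu",
                     f"staff{i}@example.edu", "Seminar announcement"))
    for i in range(90):   # one message every 2 min, never more than 30 per hour
        recs.append((t0 + timedelta(minutes=2 * i), "normal@example.edu",
                     f"peer{i % 5}@example.edu", "Re: draft"))
    return recs

if __name__ == "__main__":
    for sender, report in find_bulk_senders(sample_records()).items():
        print(sender, report["count"], report["top_subject"], report["domains"])
```

Both the constructed phished account and the departmental mailing cross the threshold; the domain breakdown and subject are what let a reviewer tell them apart.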
