Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Wed, 21 Jan 2009 14:02:13 -0600
On 1/21/09 8:59 AM, "Richard Miller" <miller () KUTZTOWN EDU> wrote:
I am curious how other universities deal with compromised email accounts used to send out spam. Student email accounts will inevitably be compromised. Even with the best efforts, it can happen. To me the trick is to reduce the likelihood (and therefore frequency) and reduce the scope of the resulting problems. In particular, I think efforts to combat this can be broken down into four major areas:

Prevention
----------
- User education - with thousands of new students each year, this is a big challenge. How do you accomplish it effectively?
- An effective anti-spam solution is critical - if phishing messages are getting through, it will increase likelihood of compromise.
- Any other ways of preventing accounts from being compromised?
Requiring strong passwords and having an effective lockout policy helps prevent brute force or password guessing. Most of our compromises come from a student or staff member responding to phishing emails. We've seen a number of spear-phishing attacks, and those have been the most successful as they are more likely to get around spam filters and trick users. We have tried to spread awareness by putting alerts on the web: the main university web pages, as well as web applications that the students frequently access like our CMS. We also started putting reminders in the signatures of our emails. One of the student orgs on campus put on a "security scare" event back in October, which IT participated in and plugged anti-phishing info at. I'd like to do more, but it's just me and my boss, so the whole "education" piece often falls between the cracks when you are too busy putting out fires. Other (technically) simple things that can help involve not allowing incoming mail from your domain, and not allowing outgoing mail NOT from your domain. (Two things we have yet to implement, but I have high hopes.)
Detection
---------
- Monitor queue lengths.
- What else can be monitored?
At this point we usually notice a problem when the queues get too big. We are struggling with finding a better option... If anyone else has some good suggestions, feel free to share!
Containment
-----------
- Do you allow students to use IMAP/POP/SMTP or are they required to use a web interface (this can potentially reduce the scope of attacks)?
- Do you throttle outbound email and if so, how do you accomplish this?
- Do you scan outbound mail for spam? If so, how do you deal with false positives?
- Any other containment measures?
We have Postini scanning both inbound and, as of a few months ago, outbound mail. It's pretty good at catching most inbound stuff, but nothing is perfect. Outbound, it doesn't seem to be doing much of anything in terms of filtering at this point, but the service is still new. Once we have identified a compromised account we disable the user's account and mailbox.
Cleanup
-------
- Cleanup will largely depend on the mail architecture used.
- Disable compromised account.
- Clean out mail delivery queue.
- Any other advice?
Clean out the mail queue and anything (usually NDRs) from the compromised account. We've been finding that the spammers will put a rule in place to send all incoming mail directly to the trash, probably an attempt to prevent the user from reaching his/her mail quota from NDRs...
Thank you for any advice you can offer.
Adam Schumacher
Information Security Engineer
Creighton University
Don't share your password with ANYONE, EVER. This means YOU!
402-280-2383
402-672-1732
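The "what else can be monitored?" question under Detection above is usually answered by looking at the submission log rather than the queue: a compromised account shows up as one authenticated user suddenly sending far more messages, or far more recipients, than anyone on campus normally does, often with an envelope sender that is not even in the local domain (the "outgoing mail NOT from your domain" case mentioned in the reply). The script below is an added example and is not code from anyone in this thread or from Postini; it assumes Postfix-style submission logs where the `smtpd` line carries `sasl_username=` and the `qmgr` line carries `from=<...>` and `nrcpt=`, and the log lines, the `example.edu` domain, the 2009 year for the syslog timestamps and the thresholds are all constructed for illustration.

```python
"""Flag likely-compromised accounts from outbound submission logs.

Added example, not from the mailing-list thread. Assumes Postfix-style
logging: an smtpd line records who authenticated (sasl_username=...),
a qmgr line with the same queue id records the envelope sender and
recipient count (nrcpt=...). All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2009          # syslog timestamps carry no year; assumed for the sample
LOCAL_DOMAIN = "example.edu"  # assumed local domain; replace with your own

SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S+,.*sasl_username=(?P<user>\S+)$"
)
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_ts(s):
    return datetime.strptime(f"{LOG_YEAR} {s}", "%Y %b %d %H:%M:%S")


def parse_log(text):
    """Join each smtpd line (who authenticated) with its qmgr line (what was
    sent) by queue id. Returns (time, user, envelope_sender, nrcpt) tuples,
    sorted by time. Unauthenticated (relay) traffic has no smtpd match and is skipped."""
    auth_user = {}
    messages = []
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            auth_user[m["qid"]] = m["user"]
            continue
        m = QMGR_RE.match(line)
        if m and m["qid"] in auth_user:
            messages.append((parse_ts(m["ts"]), auth_user[m["qid"]],
                             m["sender"], int(m["nrcpt"])))
    return sorted(messages)


def find_suspects(messages, window=timedelta(minutes=10), max_msgs=20,
                  max_rcpts=100, local_domain=LOCAL_DOMAIN):
    """Sliding-window check per authenticated user. Flags:
    message_rate   - more than max_msgs messages inside one window
    recipient_rate - more than max_rcpts total recipients inside one window
    foreign_sender - authenticated user sent with a non-local envelope sender
    Thresholds are illustrative; tune them against your own baseline."""
    per_user = defaultdict(list)
    for msg in messages:
        per_user[msg[1]].append(msg)

    findings = {}
    for user, msgs in per_user.items():
        reasons = set()
        start, rcpts = 0, 0
        for i, (t, _, sender, n) in enumerate(msgs):
            rcpts += n
            # drop messages that fell out of the window ending at t
            while t - msgs[start][0] > window:
                rcpts -= msgs[start][3]
                start += 1
            if i - start + 1 > max_msgs:
                reasons.add("message_rate")
            if rcpts > max_rcpts:
                reasons.add("recipient_rate")
            if not sender.lower().endswith("@" + local_domain):
                reasons.add("foreign_sender")
        if reasons:
            findings[user] = sorted(reasons)
    return findings


def sample_log():
    """Constructed log: alice is normal, carol sends with a foreign envelope
    sender, bob fires off 25 ten-recipient messages in under five minutes."""
    lines = [
        "Jan 21 08:00:01 mx postfix/smtpd[1001]: A0001: client=10.0.5.7[10.0.5.7], sasl_method=PLAIN, sasl_username=alice",
        "Jan 21 08:00:02 mx postfix/qmgr[1002]: A0001: from=<alice@example.edu>, size=2048, nrcpt=1 (queue active)",
        "Jan 21 08:30:10 mx postfix/smtpd[1001]: A0002: client=10.0.5.7[10.0.5.7], sasl_method=PLAIN, sasl_username=alice",
        "Jan 21 08:30:11 mx postfix/qmgr[1002]: A0002: from=<alice@example.edu>, size=900, nrcpt=2 (queue active)",
        "Jan 21 09:15:00 mx postfix/smtpd[1001]: A0003: client=203.0.113.9[203.0.113.9], sasl_method=LOGIN, sasl_username=carol",
        "Jan 21 09:15:01 mx postfix/qmgr[1002]: A0003: from=<lottery@spam.example>, size=3100, nrcpt=5 (queue active)",
    ]
    for i in range(25):
        qid = f"B{i:04d}"
        ts = f"Jan 21 10:{i // 5:02d}:{(i % 5) * 10:02d}"
        lines.append(f"{ts} mx postfix/smtpd[1001]: {qid}: client=198.51.100.4[198.51.100.4], sasl_method=LOGIN, sasl_username=bob")
        lines.append(f"{ts} mx postfix/qmgr[1002]: {qid}: from=<bob@example.edu>, size=4100, nrcpt=10 (queue active)")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, reasons in find_suspects(parse_log(sample_log())).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed sample it reports bob for both rate checks and carol for the foreign envelope sender, while alice stays clean. Feeding it the real mail log on a short cron interval, and disabling or throttling the flagged account, catches a blast well before the queue grows enough to be noticed by hand; the recipient-count check matters because spammers often send few messages with very long recipient lists, which a per-message count alone misses.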