Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Wed, 21 Jan 2009 14:02:13 -0600

On 1/21/09 8:59 AM, "Richard Miller" <miller () KUTZTOWN EDU> wrote:

I am curious how other universities deal with compromised email accounts used
to send out spam.  Student email accounts will inevitably be compromised.  Even
with the best efforts, it can happen.  To me the trick is to reduce the
likelihood (and therefore frequency) and reduce the scope of the resulting
problems.  In particular, I think efforts to combat this can be broken down
into four major areas:


Prevention
----------
- User education - with thousands of new students each year, this is a big
  challenge.  How do you accomplish it effectively?
- An effective anti-spam solution is critical - if phishing messages are
  getting through, it will increase the likelihood of compromise.
- Any other ways of preventing accounts from being compromised?

Requiring strong passwords and having an effective lock out policy helps
prevent brute force or password guessing. Most of our compromises come from
a student or staff responding to phishing emails.  We've seen a number of
spear-phishing attacks, and those have been the most successful as they are
more likely to get around spam filters and trick users.

We have tried to spread awareness by putting alerts on the web: the main
university web pages, as well as web applications that the students
frequently access like our CMS.  We also started putting reminders in the
signatures of our emails.  One of the student orgs on campus put on a
"security scare" event back in October, which IT participated in and plugged
anti-phishing info at.

I'd like to do more, but it's just me and my boss so the whole "education"
piece often falls between the cracks when you are too busy putting out
fires.

Other (technically) simple things that can help involve not allowing
incoming mail from your domain, and not allowing outgoing mail NOT from your
domain.  (two things we have yet to implement, but I have high hopes)

Detection
---------
- Monitor queue lengths.
- What else can be monitored?

At this point we usually notice a problem when the queues get too big.  We
are struggling with finding a better option...  If anyone else has some good
suggestions, feel free to share!

Containment
-----------
- Do you allow students to use IMAP/POP/SMTP or are they required to use a
  web interface (this can potentially reduce the scope of attacks)?
- Do you throttle outbound email and if so, how do you accomplish this?
- Do you scan outbound mail for spam?  If so, how do you deal with false
  positives?
- Any other containment measures?

We have Postini scanning both inbound, and as of a few months ago, outbound
mail.  It's pretty good at catching most inbound stuff, but nothing is
perfect.  Outbound, it doesn't seem to be doing much of anything in terms of
filtering at this point, but the service is still new.

Once we have identified a compromised account we disable the user's account
and mailbox.


Cleanup
-------
- Cleanup will largely depend on the mail architecture used.
- Disable compromised account.
- Clean out mail delivery queue
- Any other advice?

Clean out the mail queue and anything (usually NDRs) from the compromised
account.  We've been finding that the spammers will put a rule in place to
send all incoming mail directly to the trash; probably an attempt to prevent
from the user reaching his/her mail quota from NDRs...


Thank you for any advice you can offer.


sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0
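As an added example (not part of either poster's message), here is one way to turn the "monitor queue lengths" idea from the Detection section into per-account detection: parse Postfix-style qmgr log lines, sum recipients per sender over a sliding window, and flag accounts that fan out far beyond normal student traffic. The log lines, the 10-minute window and the 200-recipient threshold are constructed/assumed and would need tuning to local volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix qmgr lines look like:
#   Jan 21 13:58:02 mx1 postfix/qmgr[1100]: A1B2C: from=<u@example.edu>, size=2048, nrcpt=250 (queue active)
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: \w+: "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed sample log: one normal user (rsmith) and one account (jdoe) that suddenly fans out.
SAMPLE_LOG = """\
Jan 21 13:58:02 mx1 postfix/qmgr[1100]: A1B2C: from=<rsmith@example.edu>, size=1832, nrcpt=2 (queue active)
Jan 21 13:59:10 mx1 postfix/qmgr[1100]: B2C3D: from=<jdoe@example.edu>, size=2048, nrcpt=250 (queue active)
Jan 21 14:01:44 mx1 postfix/qmgr[1100]: C3D4E: from=<jdoe@example.edu>, size=2048, nrcpt=250 (queue active)
Jan 21 14:03:05 mx1 postfix/qmgr[1100]: D4E5F: from=<rsmith@example.edu>, size=900, nrcpt=1 (queue active)
Jan 21 14:04:30 mx1 postfix/qmgr[1100]: E5F6A: from=<jdoe@example.edu>, size=2048, nrcpt=250 (queue active)
Jan 21 15:30:00 mx1 postfix/qmgr[1100]: F6A7B: from=<jdoe@example.edu>, size=400, nrcpt=1 (queue active)
"""

def parse_queue_events(log_text, year=2009):
    """Return [(timestamp, sender, recipient_count)] for each qmgr line (syslog lines carry no year)."""
    events = []
    for line in log_text.splitlines():
        m = QMGR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["sender"].lower(), int(m["nrcpt"])))
    return events

def flag_bulk_senders(events, window=timedelta(minutes=10), max_rcpts=200):
    """Return {sender: peak_recipients} for senders exceeding max_rcpts within any window."""
    by_sender = defaultdict(list)
    for ts, sender, n in sorted(events):
        by_sender[sender].append((ts, n))
    flagged = {}
    for sender, evs in by_sender.items():
        start, running, peak = 0, 0, 0
        for ts, n in evs:                      # sliding window over this sender's submissions
            running += n
            while evs[start][0] < ts - window:  # drop submissions that fell out of the window
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_rcpts:
            flagged[sender] = peak
    return flagged

if __name__ == "__main__":
    for sender, peak in flag_bulk_senders(parse_queue_events(SAMPLE_LOG)).items():
        print(f"{sender}: {peak} recipients in a 10-minute window; review for compromise")
```

A flagged account is a candidate for the containment steps discussed above (disable the account, drain its queued mail), not proof of compromise on its own; legitimate list owners will need an allow-list.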
