Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Wed, 21 Jan 2009 15:41:54 -0600

Roger Safian wrote:
At 11:05 AM 1/21/2009, Zach Jansen put fingers to keyboard and wrote:
Prevention
----------
You might consider automated methods for dropping/blocking email from anyone who
sends more than a few hundred messages at a time.

We have been working with this idea for a month or so.  I had high hopes, but they
have been totally dashed.  We still use the work; right now, if anyone sends more than
100 messages in any hour-long window, we get notified with the from address, subject,
and a statistical breakdown of the domains being sent to.

Yep, I made a similar report and we also find it to be useless
information.  Rate-limiting by itself doesn't work, and rejecting
outbound spam by itself doesn't work.  However, a hybrid between the two
works wonderfully.

If you do implement this kind of strategy, you'll blind your ability to
detect compromised accounts if you're depending solely on large mail
queues to detect the incident.  You'll have to learn to look for
alternate indicators.

Jesse



For the most part, these show legitimate traffic.  Sharing of research data, departmental
announcements, etc.  They do also pull those who fall for the phishing, and it's not
that difficult to separate that legitimate mail from the bogus, so we continue to
use it.  I don't think it would be safe to automate this check, based solely on the
number of messages being sent.



--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
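
The kind of hourly-volume report Roger describes (from address, subject, and a
breakdown of destination domains), plus one of the "alternate indicators" Jesse
says you have to learn to look for, as an added example.  This is not code from
the thread or from either institution's tooling.  The log line format, the
wisc.edu home domain, the 100-messages-per-hour threshold, and the sample
traffic are all constructed assumptions; the outside-domain spread heuristic in
triage() is illustrative, meant to help the person reading the report separate
a departmental announcement from a phished account, not to block on its own,
in line with Roger's caution about automating the check on message count alone.

```python
"""Sliding-window outbound-volume report over MTA log lines.

Added example, not code from the thread or from either university's tooling.
The log format, the home domain, the thresholds and the sample traffic are all
constructed assumptions for the illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (assumption, not any real MTA's format):
#   <ISO-8601 timestamp> from=<sender> to=<recipient> subject="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<frm>[^>]+)> to=<(?P<to>[^>]+)> subject="(?P<subj>[^"]*)"$'
)
WINDOW = timedelta(hours=1)
THRESHOLD = 100           # Roger's trigger: more than 100 messages in any hour
HOME_DOMAIN = "wisc.edu"  # assumed home domain for the in-house/outside split


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "frm": m["frm"].lower(),
            "to": m["to"].lower(), "subj": m["subj"]}


def is_external(domain, home=HOME_DOMAIN):
    return not (domain == home or domain.endswith("." + home))


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW, home=HOME_DOMAIN):
    """Return {sender: report} for every sender that exceeded `threshold`
    messages inside some sliding window of length `window`.  The report carries
    what Roger's notification carries (from address, subjects, destination
    domain breakdown) plus the share of recipients outside the home domain."""
    recent = defaultdict(deque)      # per sender: timestamps inside the window
    subjects = defaultdict(Counter)  # per sender: subject -> count
    domains = defaultdict(Counter)   # per sender: recipient domain -> count
    first_exceeded = {}
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        s, q = ev["frm"], recent[ev["frm"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        subjects[s][ev["subj"]] += 1
        domains[s][ev["to"].rsplit("@", 1)[-1]] += 1
        if len(q) > threshold and s not in first_exceeded:
            first_exceeded[s] = ev["ts"]
    reports = {}
    for s, when in first_exceeded.items():
        total = sum(domains[s].values())
        ext = sum(c for d, c in domains[s].items() if is_external(d, home))
        reports[s] = {
            "first_exceeded": when.isoformat(),
            "messages": total,
            "top_subjects": subjects[s].most_common(3),
            "domains": dict(domains[s].most_common()),
            "external_fraction": ext / total,
            "distinct_external_domains": sum(1 for d in domains[s] if is_external(d, home)),
        }
    return reports


def triage(report):
    """Illustrative secondary indicator (an assumption, not the list's method):
    a burst sprayed across many outside domains looks like a phished account
    being used for spam; a burst that stays in-house looks like an announcement.
    It is a hint for the human reading the report, not an automatic block."""
    if report["external_fraction"] > 0.5 and report["distinct_external_domains"] >= 3:
        return "review"
    return "probably-legitimate"


def sample_log():
    """Constructed traffic for the demo, not real log data."""
    base = datetime(2009, 1, 21, 11, 0, 0)
    out = []

    def emit(ts, frm, to, subj):
        out.append(f'{ts.isoformat()} from=<{frm}> to=<{to}> subject="{subj}"')

    for i in range(120):   # departmental announcement: 120 internal recipients in 30 minutes
        emit(base + timedelta(seconds=15 * i), "chair@wisc.edu",
             f"faculty{i}@wisc.edu", "Spring seminar schedule")
    ext = ["gmail.com", "yahoo.com", "hotmail.com", "aol.com", "comcast.net"]
    for i in range(150):   # phished account: 150 messages to outside domains in 10 minutes
        emit(base + timedelta(seconds=4 * i), "student@wisc.edu",
             f"victim{i}@{ext[i % len(ext)]}", "Your mailbox quota has been exceeded")
    for i in range(50):    # research data sharing: 50 messages spread over 3 hours
        emit(base + timedelta(seconds=216 * i), "researcher@wisc.edu",
             f"collab{i}@partner-univ.edu", "dataset batch")
    out.append("malformed line that the parser should skip")
    return out


if __name__ == "__main__":
    for sender, rep in find_bursts(sample_log()).items():
        print(sender, triage(rep), rep["messages"], rep["domains"], rep["top_subjects"])
```

Run it as a script and both the announcement and the phished account show up in
the report, since both cross 100 messages in an hour, while the researcher's
steady 50 messages over three hours never do; triage() then points the reader
at the account whose burst is spread across many outside domains.  Once the
rate limit is enforced rather than only reported, the mail queue stops growing
and this report is one of the indicators that still fires.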