Re: Compromise Email Accounts

[Steven Tardy <sjt5 () ITS MSSTATE EDU>]

i had a "lightbulb" moment a few months ago.

most of the compromised logins are from ip's contained in the spamhaus sbl list.
1) check every login against the spamhaus sbl list.
2) reject email's with "X-Originating-IP" in the spamhaus sbl list.

ps: augment the spamhaus bl with your own bl after each compromised account.

steven tardy
network services
mississippi state university

Richard Miller wrote:
> I am curious how other universities deal with compromise email accounts used to
> send out spam.  Student email accounts will inevitably be compromised.  Even
> with the best efforts, it can happen.  To me the trick is to reduce the
> likelihood (and therefore frequency) and reduce the scope of the resulting
> problems.  In particular, I think efforts to combat this can be broken down
> into four major areas:
>
>
> Prevention
> ----------
> - User education - with thousands of new students each year, this is a big
>   challenge.  How do you accomplish it effectively?
> - An effective anti-spam solution is critical - if phishing messages are
>   getting through, it will increase likelihood of compromise.
> - Any other ways of preventing accounts from being compromised?
>
> Detection
> ---------
> - Monitor queue lengths.
> - What else can be monitored?
>
> Containment
> -----------
> - Do you allow students to use IMAP/POP/SMTP or are they required to use a
>   web interface (this can potentially reduce the scope of attacks)?
> - Do you throttle outbound email and if so, how do you accomplish this?
> - Do you scan outbound mail for spam?  If so, how do you deal with false
>   positives?
> - Any other containment measures?
>
> Cleanup
> -------
> - Cleanup will largely depend on the mail architecture used.
> - Disable compromised account.
> - Clean out mail delivery queue
> - Any other advice?
>
>
>
> Thank you for any advice you can offer.