Re: Compromise Email Accounts

[Jeremy Mooney <j-mooney () BETHEL EDU>]

Steven Tardy wrote on 2/3/09 14:10 :
> i had a "lightbulb" moment a few months ago.
>
> most of the compromised logins are from ip's contained in the spamhaus sbl list.
> 1) check every login against the spamhaus sbl list.

I'm curious if there was any fallout from traveling users, especially
those in other countries. We've had many legitimate logins from users
traveling in specific areas of the world come from the same IP
blocks/ISPs used to access compromised accounts.  I haven't specifically
looked for sbl listings, but when analyzing some compromises had
problems expanding the search scope (IIRC even to the /24 level) to find
possibly related activity (too much noise from legitimate traffic). I'm
concerned that this approach may either be ineffective or have many
false positives.

> 2) reject email's with "X-Originating-IP" in the spamhaus sbl list.

Do you mean this header as inserted by your local webmail system or your
edge system, or are you filtering incoming SMTP messages based on where
it originated before the sending SMTP server?

--
Jeremy Mooney
ITS - Bethel University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature