Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Jeremy Mooney <j-mooney () BETHEL EDU>
Date: Tue, 3 Feb 2009 16:59:37 -0600
Steven Tardy wrote on 2/3/09 14:10 :
> I had a "lightbulb" moment a few months ago. Most of the compromised logins are from IPs contained in the Spamhaus SBL list. 1) Check every login against the Spamhaus SBL list.
I'm curious if there was any fallout from traveling users, especially those in other countries. We've had many legitimate logins from users traveling in specific areas of the world come from the same IP blocks/ISPs used to access compromised accounts. I haven't specifically looked for SBL listings, but when analyzing some compromises I had problems expanding the search scope (IIRC even to the /24 level) to find possibly related activity (too much noise from legitimate traffic). I'm concerned that this approach may either be ineffective or have many false positives.
> 2) Reject emails with "X-Originating-IP" in the Spamhaus SBL list.
Do you mean this header as inserted by your local webmail system or your edge system, or are you filtering incoming SMTP messages based on where it originated before the sending SMTP server?

--
Jeremy Mooney
ITS - Bethel University
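The two checks discussed above (a login-time SBL lookup and an X-Originating-IP check on outbound mail), as an added Python example that is not part of this thread. It assumes the public zone name sbl.spamhaus.org and the usual DNSBL convention of a 127.0.0.0/8 answer for a listed address; the resolver is injected so the stub below runs offline, and the listed address and sample message are constructed from TEST-NET-1 space. A listed login is flagged for review rather than blocked, in line with the false-positive concern raised above.

```python
import ipaddress
import re
from email import message_from_string
from typing import Callable, Optional

SBL_ZONE = "sbl.spamhaus.org"  # assumed public SBL zone; a listed IP answers with a 127.0.0.x record
Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 10.2.0.192.sbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage or IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_sbl_listed(ip: str, resolve: Resolver, zone: str = SBL_ZONE) -> bool:
    """A listing is any answer inside 127.0.0.0/8; NXDOMAIN or anything else means not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def originating_ip(raw_message: str) -> Optional[str]:
    """Pull the IPv4 address out of X-Originating-IP; webmail systems often write it as [a.b.c.d]."""
    header = message_from_string(raw_message).get("X-Originating-IP")
    match = _IPV4.search(header or "")
    return match.group(1) if match else None


def login_verdict(ip: str, resolve: Resolver) -> str:
    """Check 1 from the thread: a login from an SBL-listed address is flagged for review."""
    return "review" if is_sbl_listed(ip, resolve) else "ok"


def outbound_verdict(raw_message: str, resolve: Resolver) -> str:
    """Check 2: reject mail whose X-Originating-IP is SBL-listed; mail without the header passes."""
    ip = originating_ip(raw_message)
    return "reject" if ip is not None and is_sbl_listed(ip, resolve) else "accept"


# Constructed offline stand-in for DNS: 192.0.2.10 (TEST-NET-1) plays the listed address.
CONSTRUCTED_LISTED = {"192.0.2.10"}


def stub_resolve(name: str) -> Optional[str]:
    return "127.0.0.2" if name in {dnsbl_query_name(ip) for ip in CONSTRUCTED_LISTED} else None


SAMPLE_MESSAGE = "From: user@example.edu\r\nX-Originating-IP: [192.0.2.10]\r\n\r\nbody\r\n"
```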