Educause Security Discussion mailing list archives

Re: Filtering outgoing email


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Tue, 23 Jun 2009 10:04:25 -0500

We are using a personal project that I started that is similar to the "anti-phishing-email-reply" project on Google.  
It is down right now, but has helped quite a bit in the past.

We are also using Nagios to monitor the outbound queue to see how many messages are waiting to be delivered.  When this 
number gets over 250 or so messages in the queue, then typically there is either a server problem on our end or we 
are spamming others.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe Vieira
Sent: Tuesday, June 23, 2009 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Filtering outgoing email

We do two things here.

Both of which work VERY well, both are free and have been super reliable.

The first of which is the use of this: 
http://code.google.com/p/anti-phishing-email-reply/ 
We loop outgoing mail thru another postfix instance to filter based off 
this project's list of phishing reply addresses. If you mail to a known 
phisher, your mail gets dropped. Good protection.

The second is a script that runs and looks for a high number of bounced 
messages, a sure sign that you're spamming. If you exceed the threshold, 
your account gets locked and you can't send more mail, to stop the 
bleeding. We have only had one compromised account since we put the 
anti-phishing reply stuff in place, and it was caught and cleaned 
automatically less than an hour after it happened. We sent less than 
1000 spams, which is pretty dang good.

If anyone is interested in using either of these processes, I'm happy to 
share code / set up instructions.

Joe Vieira
Manager Systems Administration
Clark University - ITS

Gregg, Christopher S. wrote:
We're using MailMarshal to watch for spikes in e-mail traffic, and we're moving forward with plans to filter outbound 
e-mail in general using the tool as well.  The thinking is that it will add two additional checks against phishing 
schemes.  One, it might catch the initial response to the phishing e-mail (because no amount of education seems to be 
able to stop all responses) and two, it should help stop or slow the use of the compromised account to send spam.  
Our testing has shown that we will catch a small amount of legitimate (human sent, non-spam) traffic each day with 
such a solution, but it does not appear to be critical business or academic related content.

I think a couple of years ago our community would have been hesitant to filter outgoing mail, but with all of the 
phishing and being blacklisted by various providers over the last 12-24 months I think people will be OK now.

Chris

Chris Gregg
Director of Information Technology
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, June 23, 2009 7:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Filtering outgoing email

We've been the victim of a phishing scam that made it through our incoming spam filter.  The phisher used the 
compromised accounts to send spam via Outlook Web Access.  Just wondering what inexpensive/reliable methods others 
are using to filter outbound email and catch any accounts showing a huge volume of outbound spam.  Thanks...

 
 
Thank you,
 
Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
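
The bounce-count check described in the thread could look like the following. This is an added example, not the script used at any of the sites above; the log lines, account names and threshold are constructed, and it only flags accounts (locking them is left to the site). It ties each bounce to the SASL-authenticated sender through the Postfix queue ID.

```python
import re
from collections import Counter

# Constructed Postfix syslog lines (not real traffic). jdoe's queue ID is later
# reused by an unauthenticated inbound message, which must not count against jdoe.
SAMPLE_LOG = """\
Jun 23 09:00:01 mx postfix/smtpd[2101]: 3F2A10C4B1: client=owa.example.edu[192.0.2.10], sasl_method=LOGIN, sasl_username=jdoe
Jun 23 09:00:02 mx postfix/smtp[2110]: 3F2A10C4B1: to=<a@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=5.1.1, status=bounced (550 User unknown)
Jun 23 09:00:02 mx postfix/smtp[2110]: 3F2A10C4B1: to=<b@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=5.1.1, status=bounced (550 User unknown)
Jun 23 09:00:03 mx postfix/smtp[2111]: 3F2A10C4B1: to=<c@example.org>, relay=mx.example.org[198.51.100.9]:25, dsn=5.1.1, status=bounced (550 User unknown)
Jun 23 09:00:03 mx postfix/qmgr[900]: 3F2A10C4B1: removed
Jun 23 09:00:09 mx postfix/smtpd[2101]: 3F2A10C4B1: client=mail.example.com[203.0.113.7]
Jun 23 09:00:10 mx postfix/local[2120]: 3F2A10C4B1: to=<nobody@example.edu>, relay=local, dsn=5.1.1, status=bounced (unknown user)
Jun 23 09:01:00 mx postfix/smtpd[2102]: 7C9D22E0A3: client=owa.example.edu[192.0.2.10], sasl_method=LOGIN, sasl_username=asmith
Jun 23 09:01:01 mx postfix/smtp[2112]: 7C9D22E0A3: to=<d@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=2.0.0, status=sent (250 ok)
Jun 23 09:01:01 mx postfix/smtp[2112]: 7C9D22E0A3: to=<e@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=5.1.1, status=bounced (550 User unknown)
"""

QID = r"(?P<qid>[0-9A-Za-z]+)"
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=.*sasl_username=(?P<user>\S+)")
REMOVED_RE = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": removed")
BOUNCE_RE = re.compile(r"postfix/\w+\[\d+\]: " + QID + r": to=<[^>]*>.*\bstatus=bounced\b")

def bounces_per_account(lines):
    """Count bounced recipients per authenticated account."""
    owner = {}          # queue ID -> SASL username that submitted the message
    counts = Counter()
    for line in lines:
        if m := AUTH_RE.search(line):
            owner[m["qid"]] = m["user"]
        elif m := REMOVED_RE.search(line):
            owner.pop(m["qid"], None)   # queue IDs can be reused after removal
        elif (m := BOUNCE_RE.search(line)) and m["qid"] in owner:
            counts[owner[m["qid"]]] += 1
    return counts

def accounts_over_threshold(lines, threshold):
    """Return accounts whose bounce count meets the (site-chosen) threshold."""
    counts = bounces_per_account(lines)
    return sorted(user for user, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # Threshold of 3 is an arbitrary value for the constructed sample.
    for user in accounts_over_threshold(SAMPLE_LOG.splitlines(), threshold=3):
        print("candidate for lock:", user)
```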
 
  
