Educause Security Discussion mailing list archives

Re: Filtering outgoing email


From: "Irish, Adrian L" <Adrian.Irish () MSO UMT EDU>
Date: Tue, 23 Jun 2009 16:04:38 -0600

We're also filtering using this list, but for the outgoing filter, we quarantine the messages and I verify each and 
every one of them.  When I see messages in which the person gave up their credentials, they get some "one on one" 
training from my office.

One word of caution about using this list.  Legitimate e-mail addresses do wind up on this list (not just hotmail or 
live.com addresses).  We recently had an incident in which an nih.gov address ended up on the list.  I detected the 
issue when one of our research faculty's messages to that person started showing up in the quarantine.  I was able to 
talk to the person at NIH and verify that their account had been secured, and we then removed the address from the 
list, but if we had not been quarantining and checking the messages, it would have taken much longer to detect that 
problem (and we would have ended up with a very angry faculty member).

Adrian Irish
IT Security Officer
The University of Montana
SS 126D
Missoula, MT 59812
(406) 243-6375
 
adrian.irish () umontana edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe Vieira
Sent: Tuesday, June 23, 2009 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Filtering outgoing email

We've had good luck with it. Anytime we see an address that isn't in the
list we add it and so do tons of other folks.

It really doesn't do anything to slow our mail down... just a big ol'
postfix map. postfix is super fast. antivirus scanning is the limiting
factor in mail delivery usually.

If your environment is already at capacity then you might have issues,
but other than that I doubt you would see any issues.

Joe

Roger Safian wrote:
At 09:46 AM 6/23/2009, Joe Vieira put fingers to keyboard and wrote:

the first of which is
http://code.google.com/p/anti-phishing-email-reply/ the use of this.
We loop outgoing mail thru another postfix instance to filter based off
this project's list of phishing reply addresses. If you mail to a
known phisher, your mail gets dropped. good protection.


Any idea what the impact of using this has on the timeliness of mail
delivery?  With phishers being able to choose almost any return
address, this seems like a galactic scale game of whack-a-mole.  ;-)
I worry that our servers couldn't handle the additional load.
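An added example, not part of the thread or of the anti-phishing-email-reply project: one way to turn the reply-address list into a Postfix access map that holds matching outbound mail for review instead of dropping it, with a local allowlist for addresses the list wrongly includes. The `address,type,date` line layout, the function name and its parameters are assumptions for illustration; the sample data is constructed.

```python
import datetime

# Constructed sample in the assumed "address,type,YYYYMMDD" layout (not real list data).
SAMPLE_LIST = """\
# constructed sample entries
phisher1@example.com,A,20090601
Helpdesk.Upgrade@example.net,B,20090615
colleague@research.example.org,A,20090610
stale@example.com,A,20080101
malformed line without fields
"""

def build_access_map(list_text, allowlist=(), action="HOLD",
                     max_age_days=None, today=None):
    """Return Postfix access(5) lines, one tab-separated 'address ACTION note' per entry.

    HOLD parks the message in the hold queue for manual review;
    pass action="DISCARD" for the silent-drop behaviour instead.
    """
    allowed = {a.strip().lower() for a in allowlist}
    today = today or datetime.date.today()
    entries = {}
    for raw in list_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[0].count("@") != 1:
            continue  # not an address,type,date record
        address = fields[0].lower()  # lowercase keys so lookups match regardless of case
        try:
            seen = datetime.datetime.strptime(fields[2], "%Y%m%d").date()
        except ValueError:
            continue  # unparseable date: skip rather than guess
        if address in allowed:
            continue  # locally verified as legitimate (false positive on the list)
        if max_age_days is not None and (today - seen).days > max_age_days:
            continue  # optional: ignore entries older than the cutoff
        if address not in entries or seen > entries[address]:
            entries[address] = seen  # keep the most recent listing date
    return ["%s\t%s phishing-reply list entry dated %s"
            % (addr, action, day.strftime("%Y%m%d"))
            for addr, day in sorted(entries.items())]

if __name__ == "__main__":
    print("\n".join(build_access_map(
        SAMPLE_LIST, allowlist=["colleague@research.example.org"])))
```

Write the output to a file, compile it with `postmap`, and reference it from a `check_recipient_access` restriction on the outbound instance; held messages can then be inspected before release or deletion.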





