Educause Security Discussion mailing list archives
Re: Filtering outgoing email
From: Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
Date: Sat, 19 Sep 2009 00:54:40 -0400
Hi Joe,

I realize it's been a few months since your message to the security list, but I'd flagged it when I first read it, and just now got back to it. I'd love to see your bounce-counting script for detecting spamming accounts. Strikes me as a clever and elegant approach, and also seems easy to implement for a small school that doesn't have much in the way of monitoring.

I'm actually the help desk at Simon's Rock, and am in the process of moving into network support, but I'll pass your script to our sysadmin.

Thanks,
Steve Bohrer
ITS User Services, Bard College at Simon's Rock
413-528-7645

On Jun 23, 2009, at 10:46 AM, Joe Vieira wrote:

We do two things here. Both of which work VERY well, both are free and have been super reliable.

The first of which is http://code.google.com/p/anti-phishing-email-reply/ the use of this. We loop outgoing mail thru another postfix instance to filter based off this project's list of phishing reply addresses. If you mail to a known phisher, your mail gets dropped. Good protection.

The second is a script that runs and looks for a high number of bounced messages, a sure sign that you're spamming. If you exceed the threshold your account gets locked and you can't send more mail. To stop the bleeding.

We have only had one compromised account since we put the anti-phishing reply stuff in place, and it was caught and cleaned automatically less than an hour after it happened, we sent less than 1000 spams which is pretty dang good.

If anyone is interested in using either of these processes, I'm happy to share code / set up instructions.

Joe Vieira
Manager Systems Administration
Clark University - ITS

Gregg, Christopher S. wrote:

We're using MailMarshal to watch for spikes in e-mail traffic, and we're moving forward with plans to filter outbound e-mail in general using the tool as well. The thinking is that it will add two additional checks against phishing schemes. One, it might catch the initial response to the phishing e-mail (because no amount of education seems to be able to stop all responses) and two, it should help stop or slow the use of the compromised account to send spam.

Our testing has shown that we will catch a small amount of legitimate (human sent, non-spam) traffic each day with such a solution, but it does not appear to be critical business or academic related content. I think a couple of years ago our community would have been hesitant to filter outgoing mail, but with all of the phishing and being blacklisted by various providers over the last 12-24 months I think people will be OK now.

Chris

Chris Gregg
Director of Information Technology
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu
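The bounce-counting check described in the thread, as an added example that is not Joe Vieira's script and not part of the original messages: it counts bounced recipients per local envelope sender in one window of Postfix log lines and returns the accounts that exceed a threshold. The log line shapes, the threshold, the `example.edu` domain and the function names are assumptions, the sample lines are constructed, and locking the returned accounts is left to the site's own account tooling.

```python
import re
from collections import Counter

# Assumed Postfix syslog shapes: qmgr logs the envelope sender once per queue
# ID; the delivery agents log one "status=" result per recipient.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
STATUS_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<[^>]*>,.*\bstatus=(\w+)")

# Constructed sample: one window of log lines (e.g. the last hour).
SAMPLE_LOG = """\
Sep 18 10:00:01 mx postfix/qmgr[811]: 4A1B2C3D01: from=<alice@example.edu>, size=2048, nrcpt=4 (queue active)
Sep 18 10:00:02 mx postfix/smtp[902]: 4A1B2C3D01: to=<u1@example.net>, dsn=5.1.1, status=bounced (user unknown)
Sep 18 10:00:02 mx postfix/smtp[902]: 4A1B2C3D01: to=<u2@example.net>, dsn=5.1.1, status=bounced (user unknown)
Sep 18 10:00:03 mx postfix/smtp[903]: 4A1B2C3D01: to=<u3@example.org>, dsn=5.1.1, status=bounced (user unknown)
Sep 18 10:00:03 mx postfix/smtp[903]: 4A1B2C3D01: to=<u4@example.org>, dsn=2.0.0, status=sent (250 ok)
Sep 18 10:05:00 mx postfix/qmgr[811]: 4A1B2C3D02: from=<bob@example.edu>, size=900, nrcpt=2 (queue active)
Sep 18 10:05:01 mx postfix/smtp[904]: 4A1B2C3D02: to=<typo@example.net>, dsn=5.1.1, status=bounced (user unknown)
Sep 18 10:05:01 mx postfix/smtp[904]: 4A1B2C3D02: to=<ok@example.net>, dsn=2.0.0, status=sent (250 ok)
Sep 18 10:06:00 mx postfix/qmgr[811]: 4A1B2C3D03: from=<>, size=3000, nrcpt=1 (queue active)
Sep 18 10:06:01 mx postfix/smtp[905]: 4A1B2C3D03: to=<gone@example.com>, dsn=5.1.1, status=bounced (user unknown)
""".splitlines()

def bounce_counts(log_lines):
    """Return a Counter of bounced recipients per envelope sender."""
    sender_by_qid = {}
    counts = Counter()
    for line in log_lines:
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = STATUS_RE.search(line)
        if m and m.group(2) == "bounced":
            sender = sender_by_qid.get(m.group(1))
            # Skip the null sender (<>): those are bounce notices themselves.
            if sender:
                counts[sender] += 1
    return counts

def accounts_over_threshold(log_lines, threshold, local_domain):
    """Local senders whose bounce count in this window exceeds threshold."""
    suffix = "@" + local_domain.lower()
    return sorted(s for s, n in bounce_counts(log_lines).items()
                  if n > threshold and s.endswith(suffix))

if __name__ == "__main__":
    print(accounts_over_threshold(SAMPLE_LOG, 2, "example.edu"))
```

Where submission is authenticated, keying the count on the logged SASL username instead of the envelope sender ties it to the account that would actually be locked.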