Educause Security Discussion mailing list archives

Re: Phishing E-mail Uptick???


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Mon, 24 Oct 2011 09:34:43 -0500

On 10/22/11 10:08 PM, Gibson, Nathan J. (HSC) wrote:
Is any other campus just getting slammed with phishing e-mails?
Specifically e-mails that say: “You have exceeded the size of your
mailbox please login here to request a size increase”.

Then once the user gives their credentials away the attackers connect
through Outlook Web Access and send out tens of thousands of e-mails
with that user’s account, causing all my SMTP servers to get blacklisted.

I know this happens and we see it occasionally, but the last week has
been insane. It’s just been wave after wave. Just wondering if any other
campus has seen an uptick in this attack as of late?

We had a similar phish slip through last week, and several users gave up their credentials, which were then used to send outbound spam. This was after a relatively quiet period where the phishers either weren't targeting us very much, or our anti-spam scanners were catching most of the attacks. It's hard to tell for sure. Regardless, I personally don't see this as an abnormal trend as you suggest.

I think that these guys cycle through potential targets and they see your domain as just another mine to vein. If they "see gold in them thar hills"... well you know the rest. :-) So, if they keep coming back to you, then it might be because they see your domain as an easy target. Given that assumption, then you should try to make it clear to them that attacking your domain isn't worth their efforts. Rate-limiting outbound spam, as you suggest, is a good strategy.


Also, if you wouldn’t mind, could you share with me the products and/or
methods you use to “rate limit” user outbound e-mails.
Meaning: jdoe () somecollege edu can only send out 100 e-mails per hour.

We use the built in "metermaid" capability of our email server (Oracle (formerly Sun) Messaging Server) to rate limit outbound spam.

The core of our strategy is to limit any user to sending only 1000 spam-rated messages per hour sent to non-local recipients. This seems to be enough of a deterrent without interfering with the legitimate use of our system. We have other safeguards as well, but that one is what the phishers always trip on.

Jesse Thompson
Wisconsin-Madison
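The policy Jesse describes (count only spam-rated messages to non-local recipients, cap each sender at a fixed number per hour, leave clean and internal mail alone) is easy to model outside any particular product. The following is an added example written for this archive page, not Messaging Server's metermaid and not the poster's configuration. It assumes a sliding one-hour window keyed on the sender, a list of local domains (`example.edu` is a placeholder), and a spam verdict already attached to each message by the content filter; the sample traffic is constructed, and the threshold is lowered to 5 so the behaviour is visible in a handful of messages.

```python
"""Per-sender outbound rate limiter in the style of the policy from the post.

Added example (not the project's or the poster's code). Assumptions:
  - LOCAL_DOMAINS is a placeholder for the campus's own mail domains
  - each message already carries a spam verdict from the content filter
  - a sliding window of `window_seconds` per sender
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List

LOCAL_DOMAINS = {"example.edu"}  # assumption: placeholder for the local domains


@dataclass
class OutboundMessage:
    timestamp: float            # seconds since epoch, as logged by the MTA
    sender: str                 # authenticated submitting account
    recipients: List[str]
    spam_rated: bool            # verdict from the content filter


class OutboundRateLimiter:
    """Throttle a sender once it exceeds `limit` counted messages per window."""

    def __init__(self, limit: int, window_seconds: int = 3600,
                 local_domains=LOCAL_DOMAINS):
        self.limit = limit
        self.window = window_seconds
        self.local_domains = {d.lower() for d in local_domains}
        # sender -> timestamps of messages that counted toward the limit
        self._events: Dict[str, deque] = defaultdict(deque)

    def _counts(self, msg: OutboundMessage) -> bool:
        # Only spam-rated mail with at least one non-local recipient counts;
        # clean mail and purely internal mail never trip the limit.
        if not msg.spam_rated:
            return False
        return any(r.rsplit("@", 1)[-1].lower() not in self.local_domains
                   for r in msg.recipients)

    def check(self, msg: OutboundMessage) -> bool:
        """Return True if the message may be sent, False if the sender is throttled."""
        if not self._counts(msg):
            return True
        q = self._events[msg.sender]
        cutoff = msg.timestamp - self.window
        while q and q[0] <= cutoff:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over the cap: defer/reject, alert the admins
        q.append(msg.timestamp)
        return True


def replay(messages: List[OutboundMessage], limit: int) -> Dict[str, Dict[str, int]]:
    """Run a message stream through the limiter; return per-sender sent/deferred counts."""
    limiter = OutboundRateLimiter(limit)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"sent": 0, "deferred": 0})
    for msg in sorted(messages, key=lambda m: m.timestamp):
        stats[msg.sender]["sent" if limiter.check(msg) else "deferred"] += 1
    return dict(stats)


def build_sample_stream() -> List[OutboundMessage]:
    """Constructed sample traffic (not real logs)."""
    base = 1_000_000.0
    msgs = []
    # Compromised account: 8 spam-rated messages to outside recipients in 80 seconds
    for i in range(8):
        msgs.append(OutboundMessage(base + i * 10, "jdoe@example.edu",
                                    [f"victim{i}@mail.example.net"], True))
    # Same account, spam-rated but addressed only to a local mailbox: not counted
    msgs.append(OutboundMessage(base + 100, "jdoe@example.edu",
                                ["helpdesk@example.edu"], True))
    # Legitimate bulk sender: clean mail to outside recipients, never counted
    for i in range(10):
        msgs.append(OutboundMessage(base + i, "asmith@example.edu",
                                    [f"alum{i}@mail.example.net"], False))
    # Compromised account again, just over an hour after the burst: window has cleared
    msgs.append(OutboundMessage(base + 3700, "jdoe@example.edu",
                                ["victim99@mail.example.net"], True))
    return msgs


if __name__ == "__main__":
    for sender, counts in replay(build_sample_stream(), limit=5).items():
        print(f"{sender}: sent={counts['sent']} deferred={counts['deferred']}")
```

With the threshold at 5, the compromised account gets five of its burst through, has the remaining three deferred, is unaffected for the internal message, and is allowed again once the hour has elapsed, while the clean bulk sender is never touched. That is the shape of the deterrent described above: the cap only bites on traffic that already looks like spam and is leaving the campus, which is exactly the pattern a phished account produces.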
