Re: Phishing, compromised account and SPAM

[Eric Schewe <Eric.Schewe () VIU CA>]

We have an Anti-spam Gateway at the edge of our network running Sophos Puremessage.

Any inbound e-mail it scanned and blocked/quarantined. Sometimes spam/phishing e-mails still make it through and we ran 
into the exact same problem you're having.

To combat it we configured all outbound e-mail to also be routed through the Anti-spam Gateway.

Any e-mail leaving our campus is automatically blocked if Puremessage things it's spam. There is a script that watches 
for a significant volume of outbound e-mail being quarantined in a 30 minute period of time and notifies us to take 
action (usually disabling the account and killing open sessions on Exchange for the account).

We have an internal policy where we will whitelist outbound e-mail coming from generic mailboxes if users complain 
enough about their outbound mail being blocked. Users do not have credentials to login to generic mailboxes. They are 
provided access via security groups in Active Directory and Mailbox permissions. We will not whitelist individual 
accounts.

Any messages accidently caught that are legitimate are released manually via out Help Desk. We see less than 1%/day of 
outbound e-mail being accidently classified as spam.

Sadly since implementing this solution (4 months ago) no one has fallen for a phishing e-mail so I can't comment on how 
well this would work if an account were compromised.

On paper it should work.

-Eric


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Tanner
Sent: 2014-04-02 13:20
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing, compromised account and SPAM

Hi,

We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them and 
give their password away.  We've tried everything we can think of to educate faculty and staff to the fact that ITS 
never, ever asked them to revalidate their account by entering their username and password.  But it still continues to 
happen and it looks like what folks are after is an account they can send SPAM through.  If it's in the middle of a 
week-day we catch it pretty early , but evenings and especially week-ends, thousands of email messages with between 40 
and 50 recipients each are sent out before we can kill it.  So, we are constantly getting on blacklists.

I can't imagine that Linfield College is alone in this situation.  What are others doing to mitigate the consequences 
or better yet, prevent from occurring in the first place.

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don't share yours with anyone!