Educause Security Discussion mailing list archives
Re: Phishing, compromised account and SPAM
From: Eric Schewe <Eric.Schewe () VIU CA>
Date: Wed, 2 Apr 2014 20:45:40 +0000
We have an Anti-spam Gateway at the edge of our network running Sophos Puremessage. Any inbound e-mail is scanned and blocked/quarantined. Sometimes spam/phishing e-mails still make it through and we ran into the exact same problem you're having.

To combat it we configured all outbound e-mail to also be routed through the Anti-spam Gateway. Any e-mail leaving our campus is automatically blocked if Puremessage thinks it's spam. There is a script that watches for a significant volume of outbound e-mail being quarantined in a 30 minute period of time and notifies us to take action (usually disabling the account and killing open sessions on Exchange for the account).

We have an internal policy where we will whitelist outbound e-mail coming from generic mailboxes if users complain enough about their outbound mail being blocked. Users do not have credentials to login to generic mailboxes. They are provided access via security groups in Active Directory and Mailbox permissions. We will not whitelist individual accounts.

Any messages accidentally caught that are legitimate are released manually via our Help Desk. We see less than 1%/day of outbound e-mail being accidentally classified as spam.

Sadly since implementing this solution (4 months ago) no one has fallen for a phishing e-mail so I can't comment on how well this would work if an account were compromised. On paper it should work.

-Eric

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Tanner
Sent: 2014-04-02 13:20
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing, compromised account and SPAM

Hi,

We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them and give their password away. We've tried everything we can think of to educate faculty and staff to the fact that ITS never, ever asked them to revalidate their account by entering their username and password. But it still continues to happen and it looks like what folks are after is an account they can send SPAM through.

If it's in the middle of a week-day we catch it pretty early, but evenings and especially week-ends, thousands of email messages with between 40 and 50 recipients each are sent out before we can kill it. So, we are constantly getting on blacklists.

I can't imagine that Linfield College is alone in this situation. What are others doing to mitigate the consequences or better yet, prevent it from occurring in the first place?

Thanks.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password. Please don't share yours with anyone!
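The outbound-quarantine watcher described in the reply above, sketched as an added example (it is not Eric's script and not part of the original messages). The log format, the `find_bursts` name and the threshold of 3 are assumptions; the post only specifies the 30 minute period, and the input is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # period named in the post
THRESHOLD = 3                    # assumed value; the post gives no number

# Constructed sample lines in a made-up "timestamp direction verdict sender"
# format (not PureMessage's real log format).
SAMPLE_LOG = """\
2014-04-05T22:01:10 outbound quarantined alice@example.edu
2014-04-05T22:03:42 outbound delivered bob@example.edu
2014-04-05T22:05:00 inbound quarantined spammer@example.net
2014-04-05T22:09:15 outbound quarantined alice@example.edu
2014-04-05T22:20:30 outbound quarantined bob@example.edu
2014-04-05T22:28:59 outbound quarantined alice@example.edu
2014-04-05T22:29:30 outbound quarantined alice@example.edu
2014-04-05T23:40:00 outbound quarantined bob@example.edu
garbage line that should be skipped
"""

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: time the threshold was first reached} for outbound quarantines."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue              # malformed line
        stamp, direction, verdict, sender = parts
        if direction != "outbound" or verdict != "quarantined":
            continue              # only outbound mail the gateway blocked counts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        hits = recent[sender]
        hits.append(when)
        # Drop entries that have aged out of the sliding window.
        while when - hits[0] >= window:
            hits.popleft()
        if len(hits) >= threshold and sender not in alerts:
            alerts[sender] = when  # notify once; staff then disable the account
    return alerts

if __name__ == "__main__":
    for sender, when in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {sender}: {THRESHOLD}+ outbound messages quarantined by {when}")
```

Counting per sender rather than gateway-wide ties the alert to the account that would be disabled, and the sliding window avoids missing a burst that straddles a fixed half-hour boundary.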