Educause Security Discussion mailing list archives

Re: Compromised accounts at other institutes


From: Bob Bayn <bob.bayn () USU EDU>
Date: Sat, 26 Apr 2014 00:31:23 +0000

Thanks for the info, Joe.

Joe St Sauver [joe () oregon uoregon edu] wrote:
Hi,

Bob Bayn <bob.bayn () usu edu> commented:

#I try to send direct notification to the "abuse" and "helpdesk"
#address at any .edu, .k12, .org or health organization that is
#spamming us with phish.

dot org is probably pretty generic these days. On the other hand,
dot gov, dot mil, and dot int are probably worth adding to your
"give it a shot" list, likewise the international equivalents of
dot edu (such as dot ac dot uk)

Good points, and I do have a bigger give it a shot list than I mentioned.  The dot org hosts include a lot of K12, 
municipal governments and such that don't like the length and structure of their "default" TLDs.  And I generally do 
try to notify the dot ac dot uk/au/nz folks, too.   I have tried using google translate to help me with Portuguese and 
Spanish sites.  And, strangely we regularly get phish in Hungarian and I have a co-worker who spent two years 
proselytizing in that area and he helps me to both recognize the phish and to send notifications there.  But when it 
comes to hosts that use other character sets I just wish them good luck and move on.

#If they both bounce, I will generally
#search the site to find another technical contact address or
#contact form.  (Do YOU have those default reporting addresses?)

abuse@ is normative, but helpdesk@ isn't. See
https://www.ietf.org/rfc/rfc2142.txt at section 4

That may be true, but I get more bounces from abuse@ than helpdesk@, at least for certain categories of sites.

I'd also note that http://abuse.net/ can be tremendously helpful
when it comes to tracking down usable abuse reporting addresses.

I'll remember that, thanks!

#The phish links that we take action against are all reported on
#a public google docs spreadsheet at: [link redacted here]

I should have written "recorded" rather than "reported" - I don't expect that listing to constitute a report to anyone 
else, even though it is available when I share the link with peers (and with a few of the web form site abuse staff).

Huge fan of http://www.phishtank.com/ for reporting phish

I use that for reporting the occasional commercial phish (fake paypal sites and such) and even some .edu spear phish.  
But it is a little too tedious for the bulk of the phish messages I process.

Regards, and hope everyone has a nice weekend,

Joe

Finals start Monday here and I hope it is our last spring snow storm out the window now.  Time to get on the bike and 
head home.

Bob
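
The notification routine discussed in this thread, sketched as an added Python example (not code from either poster): it maps a phish URL to the abuse@ and helpdesk@ candidates and falls back to a manual contact search when both bounce. The function names, the `edu.au` entry, the `k12` label heuristic and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Suffixes named in the thread's "give it a shot" list. edu.au is an
# assumption added here for Australian universities.
NOTIFY_SUFFIXES = ("edu", "org", "gov", "mil", "int", "ac.uk", "ac.nz", "edu.au")
# RFC 2142 section 4 defines abuse@; helpdesk@ is only a common convention.
MAILBOXES = ("abuse", "helpdesk")

def org_domain(host):
    """Return the organisation's domain if the host is on the list, else None."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in NOTIFY_SUFFIXES:
        tail = suffix.split(".")
        if len(labels) > len(tail) and labels[-len(tail):] == tail:
            return ".".join(labels[-len(tail) - 1:])
    # Assumed heuristic for US K12 names such as district.k12.ut.us:
    # keep the label in front of "k12" and everything after it.
    if "k12" in labels[1:]:
        return ".".join(labels[labels.index("k12", 1) - 1:])
    return None  # commercial hosts, bare IP addresses, anything else

def report_addresses(url):
    """Candidate notification addresses for the site hosting a phish URL."""
    host = urlsplit(url).hostname
    domain = org_domain(host) if host else None
    return [f"{box}@{domain}" for box in MAILBOXES] if domain else []

def next_step(url, bounced):
    """Decide what to do once some candidate addresses have bounced."""
    candidates = report_addresses(url)
    if not candidates:
        return ("skip", [])
    remaining = [a for a in candidates if a not in bounced]
    if remaining:
        return ("send", remaining)
    # Both defaults bounced: look on the site for a contact or web form.
    return ("find-contact-manually", [])

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real report.
    for u in ("http://portal.example.edu/owa/login.php",
              "http://webmail.example.ac.uk/verify",
              "http://www.exampleschools.k12.ut.us/mail/",
              "http://192.0.2.10/login"):
        print(u, "->", report_addresses(u))
```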
