Educause Security Discussion mailing list archives

Re: Sustained spamming of single mailbox


From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Thu, 31 Dec 2020 18:42:52 +0000

We have had this happen several times, usually it’s a faculty member, and we suspect it was caused by a disgruntled 
student….

At first, we tried doing the normal processes, but ended up each time giving a new mailbox, and taking the old alias 
and moving it to a mailbox that was restricted to only allow mail from itself… That way the mailbox would ‘bounce 
back’ a message to all outside mail servers… After a few months, we would pull the restrictions and check how many were 
still hitting the mailbox….  Normally it dies down to a normal level and we could give back the alias to the faculty 
member….

Moving the alias gives you a lot of flexibility, but it’s a painful process of communicating to everyone the new 
email… We mostly do it as a last resort, but it is generally welcomed by the employee to stop the massive amounts of 
unwanted email….

-Jonathan


~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM,
CIPT, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ken Connelly
Sent: Thursday, December 31, 2020 11:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sustained spamming of single mailbox

A new account/address without any connection to the previous may be the only way to stem the tide. That's obviously a 
fairly drastic step but it may be what it takes.  Depending on the nature of the spam, a graylist type of filter may 
also provide some relief.

-ken
On 12/31/20 10:44 AM, Bole, Jim A wrote:
I’d appreciate any suggestions on how to mitigate or stop an unusual spam attack against a single mailbox.

We have one account that is being continually spammed with 1-1.5K spam emails a day for almost 10 days.

We’ve quarantined all inbound external email as a workaround.

The emails appear to be random spam including newsletters, shopping and in various languages. Sample subject lines:

С наступающим НОВЫМ 2021 годом - БЕЛОГО МЕТАЛЛИЧЕСКОГО БЫКА!!!
Your privacy is key 🔐
[SITREP] Survival Dispatch
The Morning Notes | Fiscal Spending and Bond Yields
End of Year Gown Promotion!
IndieWire Staff Picks Year's Best Films; Wild Box Office Path of 'The Exorcist'; 2020 Changes to Industry
Guess what’s back in stock?
A guide to your 2020 personal annual review
​[Achtung!] Ich analysiere dein Business persönlich
Kick-start 2021 with our top 5 Sales
Master your home life, from welding to gardening!

I have a hunch that someone intentionally targeted the user with some sort of dark web “spam as a service.” The user 
isn’t aware of anyone who might be targeting him/her.

Any help or info greatly appreciated.

Jim Bole
Chief Information Security Officer
Information Technology Services
University at Albany, IT Building 102F, 1400 Washington Avenue, Albany, NY 12222





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



--

- Ken

=================================================================

Ken Connelly                       Director, Information Security

Information Security Officer          University of Northern Iowa

email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-3010



Any request to divulge your UNI password via e-mail is fraudulent!
