Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Wed, 21 Jan 2009 15:41:54 -0600
Roger Safian wrote:
> At 11:05 AM 1/21/2009, Zach Jansen put fingers to keyboard and wrote:
>> Prevention
>> ----------
>> You might consider automated methods for dropping/blocking email from anyone who sends more than a few hundred messages at a time.
>
> We have been working with this idea for a month or so. I had high hopes, but they have been totally dashed. We still use the work; right now, if anyone sends more than 100 messages in any hour-long window, we get notified with the from address, subject, and a statistical breakdown of the domains being sent to.

Yep, I made a similar report and we also find it to be useless information. Rate-limiting by itself doesn't work, and rejecting outbound spam by itself doesn't work. However, a hybrid between the two works wonderfully. If you do implement this kind of strategy, you'll blind your ability to detect compromised accounts if you're depending solely on large mail queues to detect the incident. You'll have to learn to look for alternate indicators.

Jesse

> For the most part, these show legitimate traffic: sharing of research data, departmental announcements, etc. They do also pull those who fall for the phishing, and it's not that difficult to separate the legitimate mail from the bogus, so we continue to use it. I don't think it would be safe to automate this check based solely on the number of messages being sent.
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu
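An added example, not from anyone in this thread, of the "hybrid" check Jesse describes versus the rate-only report Roger describes: it walks constructed outbound-mail events, computes each sender's peak sends in any sliding one-hour window (the 100-per-hour trigger from the thread) plus the recipient-domain breakdown, and only raises the hybrid alert when the sender also has a large share of mail scored as spam by an outbound filter. The log format, the spam-score cutoff and the 50% "spammy" fraction are assumptions, not anything the thread specifies.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RATE_THRESHOLD = 100     # sends in any one-hour window (the trigger Roger describes)
SPAM_SCORE_CUTOFF = 5.0  # assumed outbound-filter score marking a message as spam
SPAMMY_FRACTION = 0.5    # assumed share of over-cutoff mail that makes a sender suspect

def constructed_events():
    """Constructed sample outbound events as (time, sender, recipient, score).
    bulk@ is a legitimate announcement: 120 low-scoring sends to 3 domains.
    victim@ is a phished account: 150 high-scoring sends to 40 domains."""
    t0 = datetime(2009, 1, 21, 11, 0)
    events = []
    for i in range(120):
        dom = ("example.edu", "partner.org", "grant.gov")[i % 3]
        events.append((t0 + timedelta(seconds=20 * i), "bulk@example.edu", f"u{i}@{dom}", 0.3))
    for i in range(150):
        rcpt = f"r{i}@host{i % 40}.example"
        events.append((t0 + timedelta(seconds=15 * i), "victim@example.edu", rcpt, 8.1))
    return events

def peak_hourly_count(times):
    """Largest number of sends in any sliding one-hour window (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= timedelta(hours=1):
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def sender_report(events):
    """Per sender: peak hourly rate, recipient-domain breakdown, share of
    spam-scored mail, and the rate-only versus hybrid verdicts."""
    by_sender = defaultdict(list)
    for ev in events:
        by_sender[ev[1]].append(ev)
    report = {}
    for sender, evs in by_sender.items():
        peak = peak_hourly_count([e[0] for e in evs])
        domains = Counter(e[2].rsplit("@", 1)[1] for e in evs)
        spammy = sum(e[3] >= SPAM_SCORE_CUTOFF for e in evs) / len(evs)
        report[sender] = {
            "peak_per_hour": peak,
            "top_domains": domains.most_common(3),
            "distinct_domains": len(domains),
            "spammy_fraction": spammy,
            "rate_only_alert": peak > RATE_THRESHOLD,  # fires on both senders
            "hybrid_alert": peak > RATE_THRESHOLD and spammy >= SPAMMY_FRACTION,
        }
    return report
```

Running `sender_report(constructed_events())` shows the rate-only rule flagging both the announcement and the phished account, while the hybrid rule flags only the account whose mail is also scored as spam and sprayed across many domains.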