Educause Security Discussion mailing list archives

Re: Compromise Email Accounts

From: Jeremy Mooney <j-mooney () BETHEL EDU>
Date: Wed, 4 Feb 2009 15:04:02 -0600

Steven Tardy wrote on 2/3/09 17:46 :
> Jeremy Mooney wrote:
>> Steven Tardy wrote on 2/3/09 14:10 :
>>> i had a "lightbulb" moment a few months ago.
>>>
>>> most of the compromised logins are from IPs contained in the spamhaus sbl list.
>>> 1) check every login against the spamhaus sbl list.
>> I'm curious if there was any fallout from traveling users, especially
>> those in other countries. We've had many legitimate logins from users
>> traveling in specific areas of the world come from the same IP
>> blocks/ISPs used to access compromised accounts.  I haven't specifically
>> looked for sbl listings, but when analyzing some compromises had
>> problems expanding the search scope (IIRC even to the /24 level) to find
>> possibly related activity (too much noise from legitimate traffic). I'm
>> concerned that this approach may either be ineffective or have many
>> false positives.
>
> we've had 0 false positives using this method.
> the spamhaus sbl is the "spammer" list.
> the spamhaus pbl is the "policy" list (which includes dial-up/dynamic pools).
> the spamhaus sbl does NOT include the spamhaus pbl.
>
>> Yea, I see the difference and definitely wouldn't want to do this with
>> pbl/xbl/zen.  I'm still kinda cautious about the idea that an IP sending
>> spam using direct SMTP (what sbl lists) should be blocked for other
>> services (including mail through other protocols even if they have a
>> valid credential).
>
> i mentioned this for others to detect compromises sooner, at login, before spam is sent.
> if all you do is warn based on this, it's a step in the right direction.
> knowing is half the battle. (:

Interesting.  I've added code to our system to log for now (for later
analysis and decision), as preliminary checks show that we do have users
with home IPs listed on sbl.  My guess is their machine (or one they
share a DHCP pool or NAT/PAT with) is a zombie on one of the spam
networks.  If someone is stuck on a corporate network for example
NAT/PATed with several hundred other machines including one sending
spam, I don't know that I could support the decision to block them
legitimately using our webmail from their work (which is often their
only source of Internet access and is legitimate use of that access for
those whose schooling is sponsored by their employer).

--
Jeremy Mooney
ITS - Bethel University
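As an added illustration (not code from this thread or from Bethel), here is a log-only version of the login check discussed above: the client IP is looked up in the Spamhaus SBL zone by the usual DNSBL method (octets reversed, zone appended) and a hit is recorded rather than blocked. It queries only sbl.spamhaus.org, so PBL/XBL listings never count; the `resolve` parameter is a hypothetical hook so the logic can be tested with a constructed resolver instead of live DNS.

```python
import ipaddress
import logging
import socket
from typing import Callable, Dict, Optional

# Spamhaus SBL zone and the A-record codes it returns for a listed IP
# (127.0.0.2 = SBL, 127.0.0.3 = SBL CSS). Anything else is not an SBL hit.
SBL_ZONE = "sbl.spamhaus.org"
SBL_CODES = {"127.0.0.2", "127.0.0.3"}

# Address ranges that are never worth querying (RFC 1918, loopback).
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def reversed_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolve(name: str) -> Optional[str]:
    """Resolve via system DNS; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def sbl_listing(ip: str, resolve: Callable[[str], Optional[str]] = dns_resolve) -> Optional[str]:
    """Return the SBL return code for ip, or None when it is not on the SBL."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETS):
        return None
    code = resolve(reversed_query_name(ip))
    if code is not None and code.startswith("127.255."):
        # Spamhaus signals query problems (e.g. blocked resolver) in 127.255.x.x.
        logging.error("SBL query error for %s: %s", ip, code)
        return None
    return code if code in SBL_CODES else None


def check_login(username: str, ip: str,
                resolve: Callable[[str], Optional[str]] = dns_resolve) -> Dict[str, object]:
    """Log-only check at login time: record an SBL hit, never block on it."""
    code = sbl_listing(ip, resolve)
    event = {"user": username, "ip": ip, "sbl_listed": code is not None, "sbl_code": code}
    if code is not None:
        logging.warning("login from SBL-listed IP: user=%s ip=%s code=%s", username, ip, code)
    return event
```

The returned event dict is what you would write to your login audit log for the later analysis Jeremy describes; a 127.255.x.x answer is logged as a query error rather than treated as a listing.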
