Educause Security Discussion mailing list archives
Re: Phishing, compromised account and SPAM
From: "Pollock, Joseph" <PollockJ () EVERGREEN EDU>
Date: Wed, 2 Apr 2014 23:36:17 +0000

Very similar on our end. Many spams are caught by our Ironport, and nearly 90% of inbound traffic is blocked based on sender reputation. Outbound mail rates are limited, and obvious spams are quarantined as well. When we identify a compromised account, we disable it until the user can be contacted and educated. Interestingly, we have been seeing "slow sending", where the outgoing mail is limited to perhaps 50/hour, and these do not trigger our rate limits. Familiarity with user sending patterns is a help here.

When a phishing message is identified, and has been sent to a large number of users, we block the hosting site of the link in our local DNS if possible. This does not, of course, help users who forward their mail off-campus. This has on a few occasions caused some problems when the hosting site is also used by legitimate users.

Joe Pollock
Network Services
The Evergreen State College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Wednesday, April 02, 2014 1:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing, compromised account and SPAM

We run our outbound mail through Symantec, which helps reduce the spam from compromised accounts...sometimes. If a message arrives with a URL from a web hosting site, and it has certain key words, we prepend a warning about phishing to the message body. We also block the URLs of identified phishing sites.

The thing that really helps is we automatically monitor our outbound mail. When a user sends messages that exceed certain criteria, we get notified. We still have the occasional spam run that goes on, but we usually have the user suspended within an hour. FWIW, we have relatively low numbers of victims, say 10-20 a month. A targeted phish might push those numbers up.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Tanner
Sent: Wednesday, April 2, 2014 3:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing, compromised account and SPAM

Hi,

We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them and give their password away. We've tried everything we can think of to educate faculty and staff to the fact that ITS never, ever asked them to revalidate their account by entering their username and password. But it still continues to happen, and it looks like what folks are after is an account they can send SPAM through. If it's in the middle of a weekday we catch it pretty early, but evenings and especially weekends, thousands of email messages with between 40 and 50 recipients each are sent out before we can kill it. So, we are constantly getting on blacklists.

I can't imagine that Linfield College is alone in this situation. What are others doing to mitigate the consequences or, better yet, prevent it from occurring in the first place?

Thanks.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password. Please don't share yours with anyone!
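
An added example, not part of any message in this thread: one way to catch the "slow sending" described above is to compare each account's hourly outbound recipient count with that account's own history instead of with a single global rate limit. The log format, addresses, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed values, not taken from the thread.
GLOBAL_LIMIT = 200  # gateway rate limit, recipients per hour
MULTIPLIER = 5      # alert at 5x the account's own typical hour
FLOOR = 20          # never alert below this hourly volume

# Constructed sample lines in a hypothetical "timestamp key=value" log format.
HISTORY = [
    "2014-03-31T10:05:00 sender=alice@example.edu rcpts=3",
    "2014-03-31T14:20:00 sender=alice@example.edu rcpts=5",
    "2014-04-01T09:40:00 sender=alice@example.edu rcpts=4",
    "2014-03-31T10:10:00 sender=bob@example.edu rcpts=60",
    "2014-04-01T10:10:00 sender=bob@example.edu rcpts=80",
    "2014-04-01T11:10:00 sender=bob@example.edu rcpts=70",
]
CURRENT = [
    "2014-04-02T02:05:00 sender=alice@example.edu rcpts=25",
    "2014-04-02T02:35:00 sender=alice@example.edu rcpts=25",
    "2014-04-02T10:15:00 sender=bob@example.edu rcpts=75",
]

def hourly_volume(lines):
    """Sum recipients per (sender, hour bucket)."""
    vol = defaultdict(int)
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        vol[(kv["sender"], hour)] += int(kv["rcpts"])
    return vol

def build_baseline(history_lines):
    """Median hourly recipient count per sender over the history window."""
    per_sender = defaultdict(list)
    for (sender, _), n in hourly_volume(history_lines).items():
        per_sender[sender].append(n)
    return {s: median(v) for s, v in per_sender.items()}

def unusual_senders(current_lines, baseline):
    """Return (sender, hour, recipients, missed_by_global_limit) per alert."""
    alerts = []
    for (sender, hour), n in sorted(hourly_volume(current_lines).items()):
        threshold = max(FLOOR, MULTIPLIER * baseline.get(sender, 0))
        if n > threshold:
            alerts.append((sender, hour.isoformat(), n, n <= GLOBAL_LIMIT))
    return alerts
```

With the sample data, the account that normally sends to about 4 recipients an hour is flagged at 50 even though it stays under the global limit, while the account that routinely sends 70 an hour is not flagged at 75.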