Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Bob Bayn <bob.bayn () USU EDU>
Date: Mon, 27 Oct 2014 19:14:45 +0000

A = phish link
B = sender address
C = subject line
D = approx number of recipients (a minimum estimate, usually)
E = timestamp of entry into the spreadsheet and reporting (not timestamp of the message)
F = contact address for the host of the email message (if not abuse@ and helpdesk@ which I generally try)

If you look down at the bottom of the spreadsheet, you can see that I started out just recording A, B and C.

I report all links to google as well as to the hosting service (or hacked website, when possible) and to our own 
Cisco/Ironport mail filtering system.  I keep the messages for "a while" but don't use them much after saving them.

I hope I don't regret putting that spreadsheet out in the public archives for this list!
Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Brad Judy 
[brad.judy () CU EDU]
Sent: Monday, October 27, 2014 1:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

Bob,

I really like your tracking sheet – I do something similar here for our much smaller volume (small population – just 
administrative staff).  I assume Column B is the “From” address and perhaps column F is the “Reply-to” address?  Is 
column D the number of recipients (or maybe number of people who reported it)?

I might borrow a couple of your columns and if I may suggest, I also have columns in mine for the date it was reported 
to: domain/site owner, Google, Microsoft, PhishTank, Symantec (our AV vendor).  I have a column for the filename of a 
screenshot of the webpage (if appropriate) and keep a folder of those screenshots.  I also have a folder of copies of 
the full raw messages so I preserve headers and such.


Brad Judy

Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Monday, October 27, 2014 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

Coincidentally, I just gave a presentation at a security conference on what we do (which is to ENCOURAGE those 
reports).  See:  https://it.wiki.usu.edu/CreatingPhish-ResistantInternetSkeptics

And also take a look at our log of reported phish messages, over 4000 in the past year, at:
https://docs.google.com/spreadsheet/ccc?key=0AlMnxApOMKl_dEhVa3RCRG5uclVZNFZrY3hOSmFpaUE&usp=sharing

Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Leland Lyerla 
[llyerla () UU EDU]
Sent: Monday, October 27, 2014 12:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Response to phishing e-mails
As they become more aware of how to identify phishing e-mails, our faculty and staff let us know via e-mail when they 
come across one in their in-box. I do not want to discourage their vigilance, but I would appreciate any suggestions on 
how to manage/respond to these messages.

Leland
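
An added example, not part of the thread or of any poster's own tooling: one way to turn a saved raw report into a row in the A-F column layout described at the top of the thread, taking the link from the href target rather than the displayed text. The function name, the defanging of the link, and the sample message are assumptions made for illustration; column F stays blank unless a contact other than abuse@ or helpdesk@ is supplied.

```python
import re
from datetime import datetime, timezone
from email import message_from_string, policy

# Constructed sample report (not a real message); example.* domains are reserved.
SAMPLE_RAW = """\
From: "IT Help Desk" <helpdesk@mail.example.net>
To: staff@example.edu
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://login.example.com/verify?id=1">https://it.example.edu/</a>
to keep your account.</p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
BARE_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

def defang(url):
    """Make a link non-clickable before it goes into a shared sheet (added choice)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def tracking_row(raw, recipients=1, host_contact="", now=None):
    """Return [A link, B sender, C subject, D recipients, E entered, F contact]."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    # Prefer the href target (where the link really goes) over the visible text.
    links = HREF_RE.findall(text) or BARE_RE.findall(text)
    link = defang(links[0]) if links else ""
    frm = msg["From"]
    sender = frm.addresses[0].addr_spec if frm is not None and frm.addresses else ""
    # E is the time the entry is logged, not the Date: header of the message.
    entered = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M")
    return [link, sender, str(msg.get("Subject", "")), recipients, entered, host_contact]

if __name__ == "__main__":
    print(tracking_row(SAMPLE_RAW, recipients=12))
```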

