Chris's Wiki :: blog/spam/LocalSpamIncident Comments
https://utcc.utoronto.ca/~cks/space/blog/spam/LocalSpamIncident?atomcomments
Recent comments in Chris's Wiki :: blog/spam/LocalSpamIncident.

From 75.108.51.208 on /blog/spam/LocalSpamIncident
<div class="wikitext"><p>When I worked at a university, we saw the same issue. The phishing attempts (as well as the resultant spam messages) all started on a Friday or Saturday afternoon/evening with the idea that we wouldn't be around to detect them and sufficiently block them. </p>
<p>After a few incidents which caused our sender reputation to drop (and subsequently cause legitimate outgoing messages to be denied by various mail servers that bothered to check), we implemented a system which would add a header to any outgoing mail from any user that exceeded a particular quota per day. We then used our existing outgoing spam system to look for that header and quarantine any messages exceeding the quota. </p>
<p>We also set up monitoring to alert when we started quarantining messages based on this header, so that we could quickly determine if the messages were legitimate or indeed spam (allowing us to update filters, reset passwords on accounts, notify users, etc). This also allowed us to keep the filter list on outgoing mail small in comparison to our incoming mail filters, since we had a lot of outgoing legitimate messages that tended to look like spam to our normal set of incoming filters (fundraising, survey, and departmental update emails in particular).</p>
</div>
2012-09-02T05:01:03Z

From 84.196.14.21 on /blog/spam/LocalSpamIncident
<div class="wikitext"><p>I've seen this several times as well. It always follows the exact same pattern: first a targeted phishing attack to obtain usernames and passwords, and then they use the available webmail interface to send spam.</p>
<p>We block the phishing mails as soon as possible, but by then it's already too late. Thousands will have gotten through. We also block all the responses to that message to reduce the number of compromised accounts. Of course the spammers are smart enough to launch these attacks during the weekend when response times are typically slower. </p>
<p>Outbound spam scanning has been active here for years. In fact, we usually notice these events just because the queues fill up. There is no easy way to fix this, other than rate-limiting requests to webmail and any other system that can be used in a similar manner.</p>
</div>
2012-08-27T08:16:41Z
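An added example, not the commenters' code, sketching the two-stage scheme the first comment describes (a per-sender daily quota that stamps a header at submission time, and an outbound filter that quarantines on that header and alerts on the first hit) and the per-account rate limiting the second comment says is the only real fix. The header name, the threshold, the addresses and the timestamps in the replayed submission log are all assumptions constructed for the example.

```python
"""Two-stage outbound quota control, as described in the comments above.

Constructed example (not the commenters' code):
  stage 1 (submission MTA)  - count messages per sender per UTC day; once a
                              sender passes the quota, stamp the message with
                              an X-Outbound-Quota-Exceeded header.
  stage 2 (outbound filter) - quarantine anything carrying that header and
                              raise one alert per (sender, day) so a human can
                              decide: legitimate bulk mail or compromised account.
Header name, threshold and all addresses/timestamps are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.message import EmailMessage

QUOTA_PER_DAY = 500                           # assumption: site-specific
QUOTA_HEADER = "X-Outbound-Quota-Exceeded"    # assumption: header name


class OutboundQuota:
    def __init__(self, quota: int = QUOTA_PER_DAY):
        self.quota = quota
        self.counts = defaultdict(int)   # (sender, day) -> messages submitted
        self.alerted = set()             # (sender, day) alerts already raised

    @staticmethod
    def _key(sender: str, ts: datetime) -> tuple:
        # Normalise the address and bucket by UTC calendar day.
        return (sender.lower(), ts.astimezone(timezone.utc).strftime("%Y-%m-%d"))

    def stamp(self, msg: EmailMessage, sender: str, ts: datetime) -> EmailMessage:
        """Stage 1: count the submission and tag it if the sender is over quota."""
        # Drop any copy of the header the client supplied, so only the MTA's own
        # verdict survives and a forged header cannot stand in for a real count.
        del msg[QUOTA_HEADER]
        key = self._key(sender, ts)
        self.counts[key] += 1
        if self.counts[key] > self.quota:
            # Record count/quota so the responder can see how far over it is.
            msg[QUOTA_HEADER] = f"{self.counts[key]}/{self.quota}"
        return msg

    def decide(self, msg: EmailMessage, sender: str, ts: datetime) -> tuple:
        """Stage 2: return (action, alert) for a stamped or unstamped message."""
        if msg[QUOTA_HEADER] is None:
            return ("deliver", False)
        key = self._key(sender, ts)
        first_time = key not in self.alerted
        self.alerted.add(key)
        return ("quarantine", first_time)


def make_message(sender: str, subject: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("body")
    return msg


def run_demo(quota: int = 3) -> dict:
    """Replay a constructed submission log and summarise the filter's decisions."""
    utc = timezone.utc
    # Constructed log: (sender, UTC timestamp). alice bursts past a quota of 3
    # on 25 Aug, bob stays under it, and alice's counter resets the next day.
    log = [("alice@example.edu", datetime(2012, 8, 25, h, 0, tzinfo=utc))
           for h in range(14, 19)]
    log += [("bob@example.edu", datetime(2012, 8, 25, 15, 0, tzinfo=utc))] * 2
    log += [("Alice@example.edu", datetime(2012, 8, 26, 9, 0, tzinfo=utc))]

    q = OutboundQuota(quota)
    summary = {"delivered": 0, "quarantined": 0, "alerts": 0, "decisions": []}
    for n, (sender, ts) in enumerate(log):
        msg = q.stamp(make_message(sender, f"msg {n}"), sender, ts)
        action, alert = q.decide(msg, sender, ts)
        summary["delivered" if action == "deliver" else "quarantined"] += 1
        summary["alerts"] += int(alert)
        hdr = msg[QUOTA_HEADER]
        summary["decisions"].append((sender, action, None if hdr is None else str(hdr)))
    return summary


if __name__ == "__main__":
    for row in run_demo()["decisions"]:
        print(*row)
```

In a real deployment the per-sender counters have to live somewhere shared by every submission host (a database or the MTA's own rate-limiting tables) rather than in one process, and the header is only trustworthy because stage 1 strips any client-supplied copy before stamping its own. The alert on the first quarantine per sender per day is what keeps the weekend problem both comments mention tractable: the spam stops flowing at the quota whether or not anyone is watching, and the on-call person gets one page per affected account rather than a full queue to dig through.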