Why university webmail systems are attractive to spammers

November 2, 2008

I think that there are reasons why university webmail systems are attractive to spammers, beyond the fact that they're there and have a good reputation. Unfortunately, universities offer an environment with a very attractive set of features.

First is the fact that they're accessible at all. Relatively few places have a reason to run a webmail system (or any sort of mail system) that the outside world can reach. Most organizations, even large ones, do not have lots of people that need access to the mail system from the Internet with relatively primitive tools. Needing only primitive tools is very useful for attackers, because it makes it much easier for spammers to exploit any passwords that they get.

(Many organizations actively don't want people to be able to get inside the firewall from random machines that only have a web browser, because said random machine may well be compromised.)

In fact, I think that there's basically three sorts of organizations like this: free webmail providers, commercial ISPs, and universities. I do not think that it is a coincidence that spammers have been exploiting all three (in roughly that order, webmail first, then ISPs, and now universities).

In this hierarchy of accessible webmail systems, universities have the advantage that they generally have a lot less anti-spam precautions than the first two. Large webmail providers have been worrying about spam for a long time, and even before spammers started exploiting the webmail systems of commercial ISPs, the ISPs had to worry about their own customers being spammers. Universities have not really had to worry about their own users being spammers until now, and are thus ripe for being exploited.

Finally, universities generally have lots of users, so the phisher can maximize the number of potential targets for a given amount of research effort (getting the information that they need to write a convincing phish letter and finding out email addresses to spam). If you have a day to work on a phish, targeting it against ten thousand users is likely to get you more results than targeting it against a few hundred.

Written on 02 November 2008.
« Why realistic UDP bandwidth testing is hard
Why vi has become my sysadmin's editor »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Nov 2 01:17:18 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.