Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

ZDNet: 1.5m spam emails sent from compromised University accounts


Box of Meat antispam blog has a link to an article on ZDNet: 1.5m spam emails sent from compromised University accounts.  Some excerpts:

“Hackers gained access to the University of Otago staff email server recently and used it to send out an estimated 1.55 million spam emails in 60 hours, after tricking four staff members into revealing their login details. The huge volume of spam mail resulted in legitimate emails being rejected or delayed by other systems, information services manager Mike Harte said. They were re-sent once the spam attack was over. The staff members responded to “spear phish” emails which claimed to be from the IT department and asked people to reconfirm their user names and passwords or their email access would be withdrawn.”

The spammers didn’t just abuse the clean IP reputation of the University; they also got its mail servers blacklisted, which amounted to a DoS attack on its staff and students.

I can personally confirm that education institutions are one of the worst offenders for having email accounts compromised and then having spammers start spewing out a whole pile of spam through those accounts.  The result is that the service's outbound IPs get tarred and feathered across certain receivers of email and certain blocklists.

I'd like to say that those guys (universities) need to crack down on security and protect their passwords, but it's a tall order.  How do you monitor an entire population of students and faculty?  Even if 99.9% of people in a 20,000 person campus keep their passwords secure, there are still 20 people who might hand them over.  That's plenty for a spammer to abuse. 

Comments

  • "I can personally confirm that education institutions are one of the worst offenders for having email accounts compromised and then having spammers start spewing out a whole pile of spam through those accounts."

    I find it interesting that you would draw this conclusion.  Do you really rank education institutions worse than the freemail providers?  Perhaps the reason for this fallacy is due to the fact that universities are more willing to publish numbers.  I've yet to see Google or Microsoft even admit to the fact that they host spammers, much less publish numbers.

  • Perhaps you'd like to take a look at the list archives for the "higher education email administrators mailing list" to see how much effort higher educations are putting into stopping this problem?

    http://listserv.nd.edu/cgi-bin/wa?A0=HIED-EMAILADMIN

    The answer is: A lot.

  • I would like to see how the author "can personally confirm" this. As a University admin I CAN in fact personally confirm we do A TON of work attempting to stop outbound spam. Sometimes at the risk of angering constituents and spending money that could have been used to improve education.

  • Darren,

    I can personally confirm this because we have problems with outbound spam.  By backtracking back to the source of it, educational institutions are by far over-represented as the source of the outbound spam.

  • Anon,

    While I don't doubt that higher education email admins are putting in a lot of work to educate users, as I say to Darren, most of our outbound spam problems are over-represented by universities.  Like us, I agree that it is an uphill battle.

  • Of the 40 reply-to addresses in these phishing messages that I'm currently logging and blocking:

    19 are in the live.com or hotmail.com domain

    10 are in the gmail.com domain

    Also, keep in mind that maybe university accounts are being compromised because they are attacked more often than, say, ISP accounts that offer limited services to the account holder. Assuming that a higher attack rate should be taken into account when judging the security of a population....or a platform.

  • Also note that my company doesn't send out email for Hotmail, Gmail, etc.  That would change my perspective completely.

  • Your company doesn't send out email for Hotmail?  Then what does your company do, contract with some other company to send out email for Hotmail?
