[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Non Zimbra question and I hope that is ok if this type of thing is not abused.
We have an Ironport appliance as our outbound mta with rate-limiting thresholds. That alone has probably helped keep us off of blacklists, pretty effectivly, when we have a compromised account. We also have a script that runs on the Zimbra mta's every 10 minutes to check the queue length. If it gets over a certain threshold, we know that the ironport appliance has rate limited us and we now likely have a compromised account. Also, when we get a report of a phishing email, we look at it and what kind of things it's asking the person to do...click a link, respond to the email...etc.. If it's one where they click a link, our IT Security group will look to have the ip block for outbound access, contact the owner of the site(usually it's a compromised site), and also look for who may have gone to the ip based on network logs). If it's a "reply" email, we set up a filter to automatically block any email with the content in question for our outbound mta and notify us if anyone does reply. We can then use that data to contact the users who have clicked or replied and "train" them not to do that. We have found many people that reply with "don't bother me" or "I know this is fake"...or click the link just to see what it does.
If we have someone who does get their account compromised, we lock the account, verify it's truly compromised, and attempt to contact the user. If it's an employee, due to possibility of sensitive information, the account is not reopened until the password is changed and our IT Security group has talked with the person to make sure there was no sensitive data compromised. If it's a student, we lock the account, attempt to notify the student and have them change their password. When that is done we unlock the account. In both instances, upon unlocking the account, we also work with the person to verify there are no forwards, odd signatures...and other account changes that we've seen from compromised accounts.
----- "M. Brent Harp" <brharp@uoguelph.ca> wrote:
> On Mon, Aug 22, 2011 at 10:46:30AM -0400, Steve Elliott wrote:
> > Situation: We have staff/faculty on our campus that don't realize
> that you give out your email login data, including password to
> phishing emails. So we get compromised accounts.
> > We are in the works of putting an external MTA (barracuda system)
> that our Zimbra email will be filtered through if it leaves campus. Of
> course this may hit some good emails with the bad ones. Though I
> routinely check to see if we have a rogue account they usually have
> 2-4 hours of uninterrupted time, especially during the night hours
> where they can spam their hearts out.
> >
> > Question: What solutions do you use to help in those situations?
>
> We have installed a Postfix policy server on all of our mailbox
> servers
> that counts the number of recipients for each outgoing message and
> keeps a running tally for each sender address. When a daily threshold
> is exceeded, Postfix rejects any further messages from that sender
> until the timer rolls over or we manually reset the counter. We can
> whitelist individual senders, but in practice we have not had many
> false positives. We adjust the limit as necessary, but it is usually
> a
> few thousand recipients per day.
>
> --
> M. Brent Harp
> Analyst
> Computing and Communications Services
> University of Guelph
> Guelph, Ontario, Canada N1G 2W1
> Tel: 519-824-4120 ext 56621
> Fax: 519-767-1060
> E-mail: brharp@uoguelph.ca
> www.uoguelph.ca/ccs
--
David Emmerich
----------------------------------------------
Manager ITS User Services
Eastern Illinois University