Phishing Prevention

Not so long ago my university’s email got blacklisted by Comcast and Microsoft due to large amounts of spam streaming from our network. This lovely email explains the details of the situation:

To Our Campus Community-

Information Technology has received several reports from users that email sent from mail.montclair.edu accounts to Hotmail.com, MSN.com, and Comcast.net email addresses are being returned as non-deliverable.

Upon further investigation we have determined that Hotmail and MSN (both owned by parent Microsoft Corp.) as well as Comcast have put the montclair.edu email domain on a “blacklist” for alleged spam activity and are temporarily refusing to accept mail from our campus server.

Information Technology has contacted all three ISPs to request that our domain be removed from their blacklists. As of this writing, only Comcast has responded to our request and removed us from their blacklist.

How did this happen?

Last week there was an email “phishing” scam circulating that asked users to respond with their email account name (NetID) and password. A handful of users contacted IT to say that they had mistakenly responded to that phishing scam and provided their NetID and password. It is likely that other users may have done something similar but have not yet contacted IT.

Even just a few compromised mail.montclair.edu accounts can be used by spammers to send thousands of spam messages from our domain. We believe it was exactly this scenario that landed us on the Hotmail, MSN, and Comcast blacklists.

Note: If you responded to the phishing scam last week please change your NetID password immediately by going to the NetID account form at https://netid.montclair.edu

As a reminder: Montclair State’s Division of Information Technology will *never* under any circumstances ask you to provide your password, social security number, or other personal information via email. Any email you receive asking for such information, regardless of the alleged source, should be considered fraudulent and deleted immediately.

We apologize for any inconvenience this situation has caused, and will update this list as soon as we get confirmation of our removal from the Hotmail and MSN blacklists.

It seems that the issue was resolved quite swiftly the same day actually. Here is the follow up email:

To Our Campus Community-

This is an update to my previous email regarding blocked email delivery to Hotmail.com and MSN.com accounts.

As of 6am this morning, Friday August 8th, Microsoft Corp has lifted the anti-spam block for mail.montclair.edu and is now accepting mail from our domain. Any messages that you had attempted to send to Hotmail or MSN addresses that were returned as non-deliverable will need to be re-sent.

Again, we apologize for any inconvenience this temporary block may have caused. We hope that through continued diligence by our user community to avoid phishing scams, and some additional configuration of our outbound mail gateway we can prevent further blacklisting incidents in the future.

Then it happened again:

To Our User Community-

Information Technology was alerted late last night (Sunday August 17th) that Hotmail.com and by affiliation MSN.com have again placed the mail.montclair.edu domain on their blacklist for alleged spam activity.

We have contacted Microsoft and they have indicated that the blacklisting will be lifted tomorrow, August 19th at Noon. Until then, any mail sent to hotmail.com or msn.com addresses will bounce back as non-deliverable.

It is unfortunate that Hotmail/MSN has taken this action without any pro-active notification to the University and without any detail as to what conditions caused us to be blacklisted.

In the coming weeks Information Technology will be reviewing our anti-spam policies and the configuration of our outbound email gateways in an effort to minimize these arbitrary blacklisting incidents by Hotmail and other major ISPs.

Being blacklisted once is bad enough. Being blacklisted twice indicates that OIT didn’t learn anything from the first incident and failed to take any preventative action. I don’t think we can dump this on users alone. After all, every organization and corporate entity out there has a number of computer-illiterate staff members who are likely to fall prey to phishing, and yet they somehow manage to steer clear of these blacklists. User education is important, but it is hard to teach people who hardly ever use email about email security.

This is not a user problem – this is an institutional issue. I personally believe that OIT (MSU’s IT branch) could have prevented this from happening by immediately taking a couple of preventative steps and tightening their security policies after the first incident. The following three questions are the key to understanding what went wrong here:

  1. How do Phishers and Spammers obtain valid MSU emails?
  2. How do we prevent compromised accounts from sending massive amounts of email?
  3. How do we identify compromised accounts and disable them before they become a liability?

The first question is trivial. The answer is located on the OIT page itself, and if you ask a random computer science student hanging out in the CS Department area he/she will probably be able to show you how to poll university systems for emails, and brag about their perl/python script which can pull thousands of emails according to some rules or self-imposed requirements (i.e. stealth, speed etc.) from anywhere in the world, and without any authentication. Yeah, we all wrote those. I think most of us give up trying to alert OIT about this around sophomore year and just learn to accept it. I never gave my script to anyone, and deleted the email addresses I collected from my hard drive. I could have sold them to spammers – and so could other students. How many of them did? That’s a good question. Besides, I’m pretty sure that if we figured it out, quite a few spammers have figured it out as well by now.

The other two questions are there for OIT. I don’t know the answers. I suspect that the answer to the first of them is probably “we don’t”. There is a storage quota, but I believe there is no email volume quota on student accounts, which is both a good thing and a bad thing. It is a good thing, because quotas suck. It is a bad thing because a compromised account can really spew out large amounts of crap before someone notices anything. I trust that someone is watching over these things. At least I hope that there is a monitoring script somewhere that sends out an email to the sysadmin saying something along the lines of: “BTW, you might want to know that this one student just sent 10 million emails yesterday”. But alas, I do not know whether we have it or not. I can just hope we do.

I believe there is a policy for disabling compromised accounts but I don’t know whether there is a process. And if there is, it is obviously not efficient enough if we get blacklisted this easily. My solution would be to look at question #1 REALLY closely, because that is the big one. Fix that, then revise the process, and perhaps introduce some generous quota and more aggressive monitoring.
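One way to build the kind of monitoring the post is hoping for, as an added example that is not OIT's code or anything described in the post: it reads authenticated submission records from mail gateway logs, counts messages per account, and flags accounts that exceed a daily volume quota or a short burst limit, which is the "this one student just sent 10 million emails" alert. The log format (Postfix smtpd lines carrying `sasl_username=`), the toy thresholds, and the account names and addresses are all assumptions; the sample log lines are constructed.

```python
"""Flag mail accounts whose authenticated submission volume suggests compromise.

Added example, not OIT code. Assumes Postfix smtpd-style log lines with SASL
authentication (`sasl_username=`); the sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd line with SASL auth (format assumed): timestamp, host,
# queue id, client=name[ip], ..., sasl_username=account
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[\d.]+)\].*?sasl_username=(?P<user>\S+)"
)


def _lines(user, ip, start, count, step_seconds):
    """Build constructed log lines for one account (sample data only)."""
    out = []
    for i in range(count):
        t = start + timedelta(seconds=i * step_seconds)
        out.append(f"{t.strftime('%b %d %H:%M:%S')} mail postfix/smtpd[4101]: "
                   f"Q{i:04X}: client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")
    return out


# Constructed sample: two normal users and one account sending a burst
# from a single unfamiliar client, plus a non-submission line as noise.
SAMPLE_LOG = "\n".join(
    _lines("student01", "192.0.2.12", datetime(2008, 8, 17, 22, 58, 1), 2, 90)
    + _lines("prof02", "192.0.2.40", datetime(2008, 8, 17, 23, 5, 0), 1, 0)
    + _lines("student42", "198.51.100.7", datetime(2008, 8, 17, 23, 10, 1), 7, 20)
    + ["Aug 17 23:15:00 mail postfix/smtpd[4101]: connect from unknown[203.0.113.9]"]
)


def parse_submissions(log_text, year=2008):
    """Return (timestamp, account, client_ip) for each authenticated submission."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connections, disconnects, bounces: not a submission
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_suspicious(events, daily_quota=5, burst_limit=3,
                    burst_window=timedelta(minutes=10)):
    """Flag accounts over the volume quota or sending a burst in a short window.

    Thresholds are toy values for the sample; a real gateway would use hundreds.
    The quota check assumes `events` covers a single day's log.
    """
    per_user = defaultdict(list)
    for ts, user, ip in events:
        per_user[user].append((ts, ip))

    flagged = {}
    for user, items in per_user.items():
        items.sort()
        times = [t for t, _ in items]
        reasons = []
        if len(times) > daily_quota:
            reasons.append(f"quota: {len(times)} messages > {daily_quota}")
        # Sliding window: largest number of submissions inside burst_window.
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > burst_window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > burst_limit:
            minutes = int(burst_window.total_seconds() // 60)
            reasons.append(f"burst: {peak} messages within {minutes} min > {burst_limit}")
        if reasons:
            flagged[user] = {
                "reasons": reasons,
                "messages": len(times),
                "clients": sorted({ip for _, ip in items}),
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_suspicious(parse_submissions(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['messages']} msgs from {info['clients']}")
        for r in info["reasons"]:
            print(f"  - {r}")
```

The two checks complement each other: a daily quota catches the slow, steady spammer, while the burst window catches the account that is emptied of thousands of messages in a few minutes, long before the day's total becomes obvious. Feeding the flagged accounts into the disable process would turn the policy in the next paragraph into an actual procedure.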

There is not much I can help with on the institutional side, though. I don’t really have a say in these matters. I can, however, help with user education, ~30 students at a time, and this is what I will do. The coming semester I will try to put more emphasis on phishing, pharming, online scams and social engineering in general. That will be my input into fixing this issue. OIT has to do the rest.

This entry was posted in school and teaching.



5 Responses to Phishing Prevention

  1. Luke Maciak says:

    Nothing ever changes around here, eh?

  2. ZeWrestler says:

    sadly no. whats worse, msu isn’t unique.

  3. Alphast says:

    I think Phishers and virus makers, if ever caught (I don’t know if it ever happens) should be given long term sentences and a public spanking… I bet they wouldn’t do it again.

  4. Luke Maciak says:

    @Alphast – I think they do get caught, but not often or quickly enough. :(
