That’s right, a trusted educational institution that is familiar to just about anyone in the United States was unable to have email delivered because it was thought to be a spammer. According to reports, not only were third-party ISPs like Hotmail, Gmail and Yahoo! blocking email from the University’s domain, but other universities were as well.
The blacklisting was legitimate. The domain was sending copious amounts of spam, but it wasn’t on behalf of the University. Generally, overaggressive email marketing campaigns can result in a domain mistakenly being blacklisted, but this wasn’t what caused emails to be scrutinized in this instance. According to the University’s Campus Information Technologies and Educational Services (CITES) department, their servers were actually being used by illicit spammers.
How this happened
According to CITES chief communication officer Brian Mertz:
“It’s the worst scam I’ve seen since I started in 2005. This campaign is particularly aggressive.”
The campaign he refers to started with a phishing attack.
Victims received an email that directed them to enter their account credentials, usernames and passwords, into a fake account page. They were warned that if they didn’t, their account would be blocked. Fearing the loss of their email service, and not being able to spot the obvious signs of a phishing attack, the victims handed over the information needed to compromise their accounts. In a short time, the attackers had enough accounts to start launching a rather heavy spam campaign.
When many of these messages were bounced back due to being sent to non-existent or closed email accounts, the filtering systems started to take notice and determined that the University of Illinois was up to no good.
This could have been avoided
Most likely, the University had spam filtering in place. Other universities that have fallen victim to similar attacks most likely had spam filtering in place as well. But incoming spam filtering wouldn’t have stopped these attacks, because the emails coming in were likely crafted to look legitimate.
The proper technical controls, combined with user education, could have stopped this from happening though.
Certain email security systems can be configured to route emails from new senders to a specific folder in the recipient’s inbox. If a message appears there that claims to be from the University itself, the recipient should be clued in that something is not quite right with the claims made in the message.
Modern-day anti-spam filters also look for terms and methodologies common to phishing as well as spam. Had this been in place, the possibility of this attack being successful may have been reduced as well.
As an added layer to the security solution, proper user training would have helped mitigate this attack. If users were taught how to spot phishing emails, and what to do when they suspect they have received one, the email administrators may have had time to stop the outgoing spam, or at least know what to look for.
Which brings us to another piece of the puzzle. Anti-spam solutions that are effective also scan outgoing emails for anomalies to help protect the reputation and integrity of the organization. With this type of protection in place, spammers have a much harder time using an organization’s mail servers as their own to flood their victims with junk email messages.
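The outbound scanning described above, as an added example that is not code from the original article or from any product it mentions: a small detector that reads constructed outbound mail-log lines and flags an account whose volume or bounce rate in a sliding window looks like a compromised mailbox sending spam. The log format, sender addresses and thresholds are assumptions for illustration.

```python
# Added example: outbound-mail anomaly detection over constructed log lines.
# Flags sender accounts that exceed a message-count or bounce-rate threshold
# inside a sliding time window, the pattern that gets a domain blacklisted.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <sender> <recipient> <status>"
SAMPLE_LOG = """\
2013-02-01T09:00:01 alice@example.edu bob@partner.org delivered
2013-02-01T09:00:05 alice@example.edu carol@partner.org delivered
2013-02-01T09:01:00 mallory@example.edu x1@nowhere.invalid bounced
2013-02-01T09:01:01 mallory@example.edu x2@nowhere.invalid bounced
2013-02-01T09:01:02 mallory@example.edu x3@nowhere.invalid delivered
2013-02-01T09:01:03 mallory@example.edu x4@nowhere.invalid bounced
2013-02-01T09:01:04 mallory@example.edu x5@nowhere.invalid bounced
2013-02-01T09:01:05 mallory@example.edu x6@nowhere.invalid delivered
"""

def parse_log(text):
    """Yield (timestamp, sender, status) from each log line."""
    for line in text.splitlines():
        ts, sender, _recipient, status = line.split()
        yield datetime.fromisoformat(ts), sender.lower(), status

def flag_senders(text, max_per_window=5, max_bounce_rate=0.3, window_sec=600):
    """Return {sender: reason} for accounts whose outbound traffic, inside any
    window of window_sec seconds, exceeds max_per_window messages or whose
    bounce share exceeds max_bounce_rate (assumed thresholds, tune per site)."""
    events = defaultdict(list)
    for ts, sender, status in parse_log(text):
        events[sender].append((ts, status))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_sec.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_sec:
                start += 1
            window = evs[start:end + 1]
            sent = len(window)
            bounced = sum(1 for _, s in window if s == "bounced")
            if sent > max_per_window:
                flagged[sender] = f"{sent} messages in {window_sec}s"
                break
            if sent >= 3 and bounced / sent > max_bounce_rate:
                flagged[sender] = f"bounce rate {bounced/sent:.0%} over {sent} messages"
                break
    return flagged

if __name__ == "__main__":
    print(flag_senders(SAMPLE_LOG))
```

In the sample, alice's two messages stay under every threshold while mallory is flagged on bounce rate after three messages, before the volume threshold is reached.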
As the email administrator, it is your responsibility to do everything in your power to protect your mail systems from attack. If you are not employing the best filtering protection you can afford, if you are not training your users effectively and if you are not aware of what is being sent by your organization’s email servers then you are dropping the ball when it comes to security.
Many times, the intent of the email admin is to do what he or she can to protect their assets, but their plans fall short due to budget constraints or a lack of manpower. If you find yourself having to defend email security to your boss, ask this question:
“If a well-known, prestigious university could find their email blocked what is to stop your small-medium sized business from seeing their email turned away?”