Still Don’t Want to Take Email Security Seriously?

Recently, the University of Illinois found their email domain blacklisted as being a source of spam.

That’s right, a trusted educational institution that is familiar to just about anyone in the United States was unable to have email delivered because they were thought to be spammers. According to reports, not only were third-party ISPs like Hotmail, Gmail and Yahoo! blocking email from the University’s domain, but other universities were as well.

The blacklisting was legitimate. The domain was sending copious amounts of spam, but it wasn’t on behalf of the University. Generally, overaggressive email marketing campaigns can result in a domain mistakenly being blacklisted, but this wasn’t what caused emails to be scrutinized in this instance. According to the University’s Campus Information Technologies and Educational Services (CITES) department, their servers were actually being used by illicit spammers.

How this happened

According to CITES chief communication officer Brian Mertz:

“It’s the worst scam I’ve seen since I started in 2005. This campaign is particularly aggressive.”

The campaign he refers to started with a phishing attack.

Victims received an email that directed them to enter their account credentials, usernames and passwords, into a fake account. If they didn’t, they were warned, then their account would be blocked. Fearing the loss of their email service, and not being able to spot the obvious signs of a phishing attack, the victims handed over the information needed to compromise their accounts. In a short time, the attackers had enough accounts to start launching a rather heavy spam campaign.

When many of these messages were bounced back due to being sent to non-existent or closed email accounts, the filtering systems started to take notice and determined that the University of Illinois was up to no good.

This could have been avoided

Most likely, the University had spam filtering in place. Other universities who have fallen victim to similar attacks most likely had spam filtering in place as well. But incoming spam filtering wouldn’t have stopped these attacks because the emails coming in were likely crafted to look legitimate.

The proper technical controls, combined with user education, could have stopped this from happening, though.

Certain email security systems can be configured to send emails from new senders to a specific folder in the recipient’s inbox. If a message appears there that claims to be from the University itself, then the recipient should be clued in that something is not quite right with the claims made in the message.

Modern-day anti-spam filters also look for terms and methodologies common to phishing as well as spam. Had this been in place, the possibility of this attack being successful may have been reduced as well.

As an added layer to the security solution, proper user training would have helped mitigate this attack. If users were taught how to spot phishing emails, and what to do when they suspect they have received one, the email administrators may have had time to stop the outgoing spam, or at least know what to look for.

Which brings us to another piece of the puzzle. Anti-spam solutions that are effective also scan outgoing emails for anomalies to help protect the reputation and integrity of the organization. With this type of protection in place, spammers have a much harder time using an organization’s mail servers as their own to flood their victims with junk email messages.
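The outbound check described above, as an added example (not from the original article or any vendor's product): it flags sending accounts whose hourly recipient count or bounce rate looks like a hijacked mailbox, the same bounce signal that drew attention to the University's domain. The log format, thresholds and account names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical simplified log format; adapt the regex to your MTA's real logs.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) rcpt=(?P<rcpt>\S+) status=(?P<status>sent|bounced)$"
)

# Assumed thresholds; tune them against your own baseline traffic.
MAX_RCPTS_PER_HOUR = 50   # distinct recipients per account per hour
MAX_BOUNCE_RATE = 0.30    # share of messages bounced as undeliverable
MIN_MSGS_FOR_RATE = 20    # ignore bounce rate on tiny samples

def flag_accounts(log_lines):
    """Return {(user, hour): [reasons]} for accounts that look compromised."""
    stats = defaultdict(lambda: {"msgs": 0, "bounced": 0, "rcpts": set()})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not delivery records
        s = stats[(m["user"], m["hour"])]
        s["msgs"] += 1
        s["rcpts"].add(m["rcpt"].lower())
        s["bounced"] += m["status"] == "bounced"
    flagged = {}
    for key, s in stats.items():
        reasons = []
        if len(s["rcpts"]) > MAX_RCPTS_PER_HOUR:
            reasons.append(f"{len(s['rcpts'])} distinct recipients")
        rate = s["bounced"] / s["msgs"]
        if s["msgs"] >= MIN_MSGS_FOR_RATE and rate > MAX_BOUNCE_RATE:
            reasons.append(f"bounce rate {rate:.0%}")
        if reasons:
            flagged[key] = reasons
    return flagged

def constructed_sample():
    """Constructed log: one normal user and one account sending bulk mail."""
    lines = [f"2013-04-02T09:0{i}:00 user=alice rcpt=peer{i}@example.edu status=sent"
             for i in range(5)]
    lines += [f"2013-04-02T09:{i % 60:02d}:{i // 60:02d} user=bob rcpt=addr{i}@example.com "
              f"status={'bounced' if i % 2 else 'sent'}" for i in range(80)]
    return lines

if __name__ == "__main__":
    for (user, hour), reasons in flag_accounts(constructed_sample()).items():
        print(f"{hour} {user}: {', '.join(reasons)}")
```

In practice the flagged accounts would feed a rate limit or a forced password reset rather than a printout.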

As the email administrator, it is your responsibility to do everything in your power to protect your mail systems from attack. If you are not employing the best filtering protection you can afford, if you are not training your users effectively, and if you are not aware of what is being sent by your organization’s email servers, then you are dropping the ball when it comes to security.

Many times, the intent of the email admin is to do what he or she can to protect their assets, but their plans fall short due to budget constraints or a lack of manpower. If you find yourself having to defend email security to your boss, ask this question:

“If a well-known, prestigious university could find their email blocked what is to stop your small-medium sized business from seeing their email turned away?”

Written by Jeff

3 Comments

  1. Matt · April 13, 2013

    This is just scary! If a trusted institution can be blacklisted because of lack of email security, what about unknown companies that don’t have this university’s resources to protect themselves against spam? Additionally, the users in a university network are generally more knowledgeable than users in the average non-tech company, so if this could happen to them, the risks for the general population are really huge!

  2. Marissa Grace · April 26, 2013

    Wow, this news simply blew me away! And like Matt, I am scared! I run a small home business and I depend greatly on the Internet (the email, more specifically) for my marketing needs. I operate on a day-to-day basis, with the help of three personnel. If an institution as major as the University of Illinois can be a victim of online criminals, then chances are high that my small business can also be victimized and blocked by these no-good scammers! I guess I’ll have to stretch my budget a little and get some tight, legit and reliable email security!

  3. Glenn · April 30, 2013

    We can definitely get plenty of golden nuggets of wisdom here, chief of which is DO NOT TAKE ONLINE SECURITY THREATS FOR GRANTED. It does make me feel really bad every time companies or organizations lack sufficient security support, like spam is as simple as an annoying e-mail about penile enhancement or some other unheard-of pills. They should start realizing ASAP that it can hurt them really bad.
