[38142] in Resnet-Forum
Re: SPAM!!
daemon@ATHENA.MIT.EDU (Umansky, Shawn)
Tue Apr 2 09:55:19 2013
Message-ID: <E9F8CA088AE7B645B6A412B2F7133AAA4A3D7E17@SMCEXMBX01.mikenet.smcvt.edu>
Date: Tue, 2 Apr 2013 13:54:50 +0000
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: "Umansky, Shawn" <SUmansky@smcvt.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <1E99E9626A9DAE4797E5DCAEE826923A0318FC135D64@EXV02.wcu.edu>
This topic reminded me of something we implemented with our Barracuda spam filter appliances a while back.
A couple of years ago, we saw a spike in the number of phishing messages users reported receiving. These messages frequently posed as our campus IT Helpdesk and phished for user Active Directory credential information. Unfortunately, several users fell prey to this approach. In response, we created a rule that checked for the word "password" on all incoming mail messages. Now, when that word is detected, it adds the following to the subject line of the mail message:
[**Possible SCAM email - Do not give out your password**]
There was an initial spike in Helpdesk calls, many of which were false positives, but that slowed down pretty quickly. However, more importantly, the number of compromised accounts dropped immediately. We found this to be a simple yet effective way of reminding users to use a bit more caution when responding to email requests.
Just thought I'd mention it, since it seemed relevant to the topic.
Shawn
Shawn L. Umansky
Network Engineer
Saint Michael's College
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Andy Voelker
Sent: Tuesday, April 02, 2013 9:13 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: SPAM!!
LOL. Deb your email got marked as SPAM.
I replied to it to show you the text our filter inserts to warn people of phishing attempts (which we saw a huge influx of about 6 months ago), but my reply was undeliverable.... Because it got marked as a reply to SPAM.
Apparently if you announce "SPAM!!" in the title it will flag it every time.
Check out spam *dot* wcu *dot*edu for our page to educate people about phishing attempts.
-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator, UNC Staff Assembly
Western Carolina University
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Deborah Hovey Boutchyard (dhovey)
Sent: Tuesday, April 02, 2013 9:01 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: SPAM!!
Have any of you seen a marked increase in the amount of SPAM that's getting through to users over the last couple of weeks? Our Barracudas are blocking as many as 9,000 SPAM messages an hour, but a ton of junk is still getting through!
Deb
UMW
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________