[41635] in Resnet-Forum


Re: Phishing victims' turned into spammers

daemon@ATHENA.MIT.EDU (Steven Tardy)
Tue Apr 18 13:29:47 2017

Message-ID:  <554233B1-62AA-441A-AA00-1961A98E98C6@gmail.com>
Date:         Tue, 18 Apr 2017 12:58:34 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Steven Tardy <sjt5atra@GMAIL.COM>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <DM5PR05MB34651882987F1C58627618A8B1060@DM5PR05MB3465.namprd05.prod.outlook.com>

> On Apr 17, 2017, at 9:26 AM, WILLIAM J. DIDOMENICO <didomenico@LYCOMING.EDU> wrote:
> 
> victim to phishing emails are having their email accounts used to send more spam and phishing emails,

As a former email sysadmin at a .edu which averaged about 1 phished account per day, we wrote several scripts in house to review log data for indicators of phishers (I don't remember all of them, but they included):
  Accounts logging in from multiple (ignoring neighborhood ISPs/ASNs) network geos. Logged in from campus and 5 minutes later from Nigeria/India/etc.? Probably not.
  Add phisher IPs to a watch list, as the phishers reuse the same IPs for a few days.
  Phish the phishers by providing them "credentials" and have a script watch for failed login attempts using that fake account.
  Watch logs for multiple emails (10+) to many people (20-50) (high false positive rate, but would catch phishers when other things wouldn't).
  Watch email outstanding queues and successfully sent emails for spikes.
  Watch email logs for phisher test messages, as the phisher would often send a test email to Yahoo and Gmail and one other large email provider hours before doing bulk spam.
  Add phisher test email accounts to watch lists.

Hope that helps!

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
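Two of the log heuristics from the post above (the multiple-geo login check and the 10+ messages to 20-50 recipients check), written out as an added example that is not part of the original message or the poster's scripts. The log line format, the IP-to-region table and the sample log are constructed assumptions standing in for real mail-server logs and a GeoIP database.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-region table (invented prefixes) standing in for a GeoIP lookup.
REGION_BY_PREFIX = {"10.1.": "campus", "10.2.": "campus", "192.0.2.": "far-away"}

# Assumed log formats: "<date> <time> login user=U ip=IP" / "<date> <time> sent user=U rcpts=N".
LOGIN_RE = re.compile(r"^(\S+ \S+) login user=(\S+) ip=(\S+)$")
SENT_RE = re.compile(r"^(\S+ \S+) sent user=(\S+) rcpts=(\d+)$")

def region_of(ip):
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"

def impossible_travel(lines, window=timedelta(minutes=30)):
    """Accounts seen logging in from two different regions within `window`."""
    last_seen = {}  # user -> (timestamp, region) of the latest login
    flagged = set()
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        user, region = m.group(2), region_of(m.group(3))
        prev = last_seen.get(user)
        if prev and prev[1] != region and ts - prev[0] <= window:
            flagged.add(user)
        last_seen[user] = (ts, region)
    return flagged

def bulk_senders(lines, min_msgs=10, rcpt_range=(20, 50)):
    """Accounts that sent >= min_msgs messages, each to 20-50 recipients."""
    counts = defaultdict(int)
    for line in lines:
        m = SENT_RE.match(line)
        if m and rcpt_range[0] <= int(m.group(3)) <= rcpt_range[1]:
            counts[m.group(2)] += 1
    return {u for u, n in counts.items() if n >= min_msgs}

# Constructed sample log: alice logs in from campus, five minutes later from
# a far-away network, then sends a dozen messages to 35 recipients each.
SAMPLE_LOG = [
    "2017-04-18 09:00:00 login user=alice ip=10.1.2.3",
    "2017-04-18 09:05:00 login user=alice ip=192.0.2.44",
    "2017-04-18 09:10:00 login user=bob ip=10.2.0.9",
    "2017-04-18 09:40:00 sent user=bob rcpts=3",
] + [f"2017-04-18 09:{20 + i:02d}:00 sent user=alice rcpts=35" for i in range(12)]
```

Running both detectors over SAMPLE_LOG flags only alice; as the post notes, the recipient-count rule alone is noisy, so in practice the two signals are worth correlating per account.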
