We're seeing some of this too. The Nigerian phishes for a few accounts here and there, probably acquired from a spammer email list, and uses one webmail system to email users on their other webmail system. They send something official-looking asking for passwords, banking numbers, birth dates, etc., all the information they can phish for. The return address is typically a phished webmail account they'd broken into somewhere else.

We put notices up to tell customers we won't ask for their password or other information via email because we either don't need it or already have what we need, and that method is not a good way to do it anyways.

The squirrelmail logs in the email headers the authenticated squirrelmail user and the web client's IP address, so it's easy to track which accounts were compromised. We lock their accounts and have a customer service person have an educational chat with the actual end user before assigning a new different password.

I think they manually log in, paste a message in, then paste in a string of email addresses to send it to. Their labor is cheap really, and they are effective at getting information out of people.

We have a manual block list of IP ranges that we don't allow to access the squirrelmail server. They are all African IPs. If we catch a phisher, we put the whole class-c or class-b from which they came into the block. We haven't had any complaints, and the incidences of abuse have dropped way off. I'm sure it's not due to end users wising up.

Unfortunately, if people's email accounts are getting phished, some manual customer service/education/management/care is needed, regardless of what email software we use or our collaborative computer science aptitude.

On Sun, Mar 01, 2009 at 02:50:37PM -0500, Joseph Brennan wrote:
>
>> If your users are consistently getting their passwords stolen, then your
>> users are idiots and you will need to do something like add a captcha to
>> the webmail login page.
>
> If it's the Nigerian gangs that have been attacking university web mail
> for about 12 months now, they are phishing your users with official
> looking notices that ask the user to send account and password. If so,
> captcha won't do it.
>
> I agree it's not exactly a Spamassassin problem. But chances are
> the outbound mail would score pretty high, and spam score could be used
> by some other filter as a trigger to stop the mail from going out. And
> of course a sudden increase in volume from a user could also trigger.
>
> Joseph Brennan
> Columbia University Information Technology
>

--
/*
Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
    KB1IOJ      | Broadband Internet Access, Dialup, and Hosting
 http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/
*/
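
The tracking described in this message (reading the authenticated user and client IP out of the header SquirrelMail adds, then checking the manual block list and the per-user volume trigger from the quoted reply) can be sketched as below. This is an added example, not code from either poster; the `Received` header layout, the documentation-range block list, the threshold and the sample messages are all assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from collections import defaultdict

# Assumed header layout:
#   Received: from <ip> (SquirrelMail authenticated user <name>) by <host> with HTTP; <date>
SM_RECEIVED = re.compile(
    r"from\s+(?P<ip>[0-9A-Fa-f:.]+)\s+\(SquirrelMail authenticated user (?P<user>[^)\s]+)\)")

# Constructed stand-in for the manual block list (RFC 5737 documentation ranges).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

def webmail_origin(raw_message):
    """Return (user, ip) from the SquirrelMail Received header, or None if absent."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = SM_RECEIVED.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            try:
                return m.group("user"), ipaddress.ip_address(m.group("ip"))
            except ValueError:  # malformed address in the header
                return None
    return None

def suspect_accounts(raw_messages, max_messages=2):
    """Map user -> reasons: sent from a blocked range, or more than max_messages sent."""
    counts = defaultdict(int)
    reasons = defaultdict(set)
    for raw in raw_messages:
        origin = webmail_origin(raw)
        if origin is None:
            continue  # not submitted through webmail
        user, ip = origin
        counts[user] += 1
        if any(ip in net for net in BLOCKED_NETS):
            reasons[user].add(f"blocked-range:{ip}")
        if counts[user] > max_messages:
            reasons[user].add("volume")
    return {user: sorted(why) for user, why in reasons.items()}

def _msg(ip, user):
    """Build a constructed sample message carrying the assumed header."""
    return (f"Received: from {ip} (SquirrelMail authenticated user {user})\n"
            "\tby webmail.example.net with HTTP;\n\tSun, 1 Mar 2009 14:00:00 -0500\n"
            "From: x@example.net\nSubject: test\n\nbody\n")

# Constructed input: one normal sender, one from a blocked range, one burst.
SAMPLE = ([_msg("192.0.2.10", "alice"), _msg("203.0.113.77", "bob")]
          + [_msg("192.0.2.44", "carol")] * 3)

if __name__ == "__main__":
    for user, why in suspect_accounts(SAMPLE).items():
        print(user, why)
```

In practice the volume count would be taken over a time window from the outbound queue or mail log rather than over a fixed list of messages.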