
Re: Non Zimbra question and I hope that is ok if this type of thing is not abused.



I should mention that we've also developed a Zimlet that places a "report phishing" button in the Web UI. A user can click on a message and then click on "report phishing" to have a copy of the message (with full headers) sent to our Abuse address. Sadly many (most?) reports are false positives, but it still allows our abuse team to see a phishing message even if they themselves don't receive a copy. Next steps are to integrate the Zimlet with some of the public phishing URL databases so that the Zimlet can prescan the email and see if any known phishing links are present.

We get enough compromised accounts now that I'm working on fully automating the response to a compromised account. It will:

- block access to the account
- kill any active sessions and report on where they were from (IPs)
- delete quarantined messages
- notify the user (via email to their defined external contact address, if available) and key university staff
- reset all Zimbra settings that are often tweaked by spammers

----- Original Message -----
> ...
> Also, when we get a report of a phishing email,
> we look at it and what kind of things it's asking the person to
> do: click a link, respond to the email, etc. If it's one where they
> click a link, our IT Security group will look to have the IP blocked for
> outbound access, contact the owner of the site (usually it's a
> compromised site), and also look for who may have gone to the IP based
> on network logs. If it's a "reply" email, we set up a filter to
> automatically block any email with the content in question for our
> outbound MTA and notify us if anyone does reply. We can then use that
> data to contact the users who have clicked or replied and "train" them
> not to do that. We have found many people that reply with "don't
> bother me" or "I know this is fake", or click the link just to see
> what it does.
> 
> If we have someone who does get their account compromised, we lock the
> account, verify it's truly compromised, and attempt to contact the
> user. 

-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University
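The automated compromised-account response Steve outlines above (lock the account, kill sessions and report their source IPs, reset the settings spammers tweak, notify), as an added example written for this page rather than SFU's own tooling. It assumes zmprov at /opt/zimbra/bin/zmprov run as the zimbra user, that changing zimbraAuthTokenValidityValue invalidates the account's existing auth tokens (Zimbra's documented behaviour, but verify it on your release), an audit.log line format approximated from memory with constructed sample lines, a campus range of 142.58.0.0/16, and an editor-chosen list of preferences to reset. The quarantine purge step is not covered because the page says nothing about how it is done.

```python
"""Automated first response to a compromised Zimbra account (added example).

Locks the account, invalidates its auth tokens, reports the IPs that logged
into it (parsed from audit.log) and clears preferences spammers typically
change. zmprov commands are only built (dry run) unless run=True is passed.
"""
import ipaddress
import re
import subprocess
from collections import Counter

ZMPROV = "/opt/zimbra/bin/zmprov"  # assumed path; zmprov must run as the zimbra user

# Preferences spammers commonly change after taking over an account, with the
# value to restore ("" clears the attribute). This list is the editor's
# assumption, not the list Steve's script uses; the names are standard Zimbra
# account attributes.
SPAMMER_PREFS_RESET = {
    "zimbraPrefMailForwardingAddress": "",          # silent forward of all mail
    "zimbraPrefMailLocalDeliveryDisabled": "FALSE", # forward without keeping a copy
    "zimbraPrefOutOfOfficeReplyEnabled": "FALSE",   # auto-reply abused as a spam beacon
    "zimbraPrefOutOfOfficeReply": "",
    "zimbraPrefReplyToEnabled": "FALSE",            # replies diverted to the attacker
    "zimbraPrefReplyToAddress": "",
    "zimbraMailSieveScript": "",                    # filters that hide bounces/replies
}

# Constructed sample audit.log lines (approximation of Zimbra's format, not
# copied from a live server). The 22:43 line is a failed login.
SAMPLE_AUDIT_LOG = """\
2013-03-12 08:02:11,410 INFO  [qtp-1:https://mail.example.edu/service/soap/AuthRequest] [name=jdoe@example.edu;oip=142.58.10.20;ua=zclient/8.0.3;] security - cmd=Auth; account=jdoe@example.edu; protocol=soap;
2013-03-12 08:15:45,003 INFO  [ImapServer-7] [ip=142.58.10.20;] security - cmd=Auth; account=jdoe@example.edu; protocol=imap;
2013-03-12 22:41:09,771 INFO  [qtp-9:https://mail.example.edu/service/soap/AuthRequest] [name=jdoe@example.edu;oip=197.210.44.9;ua=zclient/8.0.3;] security - cmd=Auth; account=jdoe@example.edu; protocol=soap;
2013-03-12 22:43:30,112 INFO  [qtp-9:https://mail.example.edu/service/soap/AuthRequest] [name=jdoe@example.edu;oip=197.210.44.9;ua=zclient/8.0.3;] security - cmd=Auth; account=jdoe@example.edu; protocol=soap; error=authentication failed for [jdoe], invalid password;
2013-03-12 22:50:02,556 INFO  [qtp-2:https://mail.example.edu/service/soap/AuthRequest] [name=asmith@example.edu;oip=41.190.3.7;ua=zclient/8.0.3;] security - cmd=Auth; account=asmith@example.edu; protocol=soap;
2013-03-13 03:12:19,880 INFO  [qtp-4:https://mail.example.edu/service/soap/AuthRequest] [name=jdoe@example.edu;oip=41.190.3.7;ua=zclient/8.0.3;] security - cmd=Auth; account=jdoe@example.edu; protocol=soap;
"""

IP_RE = re.compile(r"[\[;]o?ip=(?P<ip>[^;\]]+);")          # "ip=" (IMAP/POP) or "oip=" (SOAP)
AUTH_RE = re.compile(r"security - cmd=Auth; account=(?P<account>[^;]+); protocol=\w+;")


def login_sources(log_text, account):
    """Return {ip: count} of successful logins to `account` found in audit.log text.
    Lines carrying an 'error=' field are failed attempts and are skipped, so the
    report shows where the account was actually used from."""
    sources = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m.group("account") != account or "error=" in line:
            continue
        ip = IP_RE.search(line)
        if ip:
            sources[ip.group("ip")] += 1
    return dict(sources)


def build_lockdown_commands(account, current_token_validity, zmprov=ZMPROV):
    """zmprov argv lists, in the order they should run."""
    cmds = [
        # 1. block access to the account
        [zmprov, "ma", account, "zimbraAccountStatus", "locked"],
        # 2. kill active sessions: Zimbra invalidates every auth token issued to the
        #    account when zimbraAuthTokenValidityValue changes (assumption based on
        #    the Zimbra admin docs; read the current value with
        #    "zmprov ga <account> zimbraAuthTokenValidityValue" first)
        [zmprov, "ma", account, "zimbraAuthTokenValidityValue", str(current_token_validity + 1)],
    ]
    # 3. reset the settings spammers tweak
    for attr, value in SPAMMER_PREFS_RESET.items():
        cmds.append([zmprov, "ma", account, attr, value])
    return cmds


def respond(account, audit_log_text, current_token_validity=0, run=False,
            trusted_nets=("142.58.0.0/16",)):  # assumed campus range
    """Full response. Returns a report dict; executes zmprov only when run=True."""
    sources = login_sources(audit_log_text, account)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    off_campus = sorted(ip for ip in sources
                        if not any(ipaddress.ip_address(ip) in n for n in nets))
    cmds = build_lockdown_commands(account, current_token_validity)
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return {"account": account, "login_sources": sources,
            "off_campus_ips": off_campus, "commands": cmds, "executed": run}


def notification(report):
    """Plain-text notice for the user's external contact address and the abuse team."""
    lines = [f"Account {report['account']} has been locked as compromised.",
             "Successful logins seen in audit.log (ip: count):"]
    for ip, n in sorted(report["login_sources"].items()):
        flag = "  <- off campus" if ip in report["off_campus_ips"] else ""
        lines.append(f"  {ip}: {n}{flag}")
    lines.append("Forwarding, reply-to, auto-reply and filter settings have been reset.")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = respond("jdoe@example.edu", SAMPLE_AUDIT_LOG, current_token_validity=3)
    print(notification(rep))
    for c in rep["commands"]:
        print(" ".join(c))
```

By default the script only builds the zmprov command lines so the report can be reviewed before anything is changed; on the mailbox host, run it as the zimbra user with run=True to apply the lockdown, feeding it the relevant slice of /opt/zimbra/log/audit.log.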