
Re: How does a university mail server stay on the good side of hotmail?



It's not my best writing, but this is pretty comprehensive: http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082

Some things you should be able to put in place right away:

1) Monitor email logs for any mention of http://postmaster.info.aol.com, http://postmaster.yahoo.com, or mail.live.com/mail/troubleshooting. These serve as early warning that these ISPs are deferring connections from your site. If you fail to heed that warning, they will blacklist you.
2) Monitor Zimbra preferences for suspicious content in signatures or Reply-To, and automatically quarantine affected accounts before they can send any outbound spam. Some hints in the paper below. Georgia Tech has done some more advanced work.
3) Deploy a script for retroactive removal of reported phishing messages from inboxes. This is for the times when you become aware of something, but people haven't had a chance to click on it yet. See scripts in appendix of the paper below.

Some things that would need more investigation:

1) Recent versions of Zimbra ship with Policyd. Configure it to enforce rate limits on outbound email. There are some hints on wiki.zimbra.com and in the Zimbra forums.
2) Feed authentication logs to a GULP-type system (google "grand unified logging program"). Stop unusual logons from Nigeria, anchorfree.com, etc.
3) Two-factor authentication.
4) Phish your own users. Inoculate every new user with a simulated phish that goes to a security awareness site.
5) Stick a novel image or CSS or JS on the Zimbra logon page. Fire an alert if that image ever gets a hit with unexpected Referer; it's probably a phish.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
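
As an added example (not part of Rich's message or of the SANS paper he links), here is a small Python script that implements two of the checks above in working code: the watch on the mail log for the AOL/Yahoo/Hotmail postmaster URLs from item 1 of the first list, and the canary-image Referer alert from item 5 of the second list. The Postfix-style and Apache combined-format log lines, the hostnames and IP addresses, the canary path /img/login-canary.png and the legitimate webmail host mail.example.edu are all constructed for the demo and are assumptions; in production the two functions would be fed by tailing the live logs.

```python
"""Two log checks from the post, as one script:
(1) watch the MTA log for the AOL/Yahoo/Hotmail postmaster URLs that
    signal the big ISPs are deferring or blocking our mail, and
(2) watch the web log for hits on a canary image that only the real
    Zimbra login page references, alerting when the Referer is elsewhere
    (a phishing copy of the page loading the image from our server).
All log lines, hosts and addresses below are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Deferral hints named in the post, compared case-insensitively and
# without the scheme so that http:// and https:// variants both match.
DEFERRAL_MARKERS = (
    "postmaster.info.aol.com",
    "postmaster.yahoo.com",
    "mail.live.com/mail/troubleshooting",
)


def deferral_warnings(log_lines):
    """Count MTA log lines mentioning each deferral marker.
    Returns {marker: count} for every marker seen at least once."""
    hits = Counter()
    for line in log_lines:
        low = line.lower()
        for marker in DEFERRAL_MARKERS:
            if marker in low:
                hits[marker] += 1
    return dict(hits)


# Apache/nginx "combined" format: IP ident user [date] "REQ" STATUS SIZE "REF" "UA"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"'
)


def canary_hits(access_lines, canary_path, allowed_hosts):
    """Return [(client_ip, referer)] for requests for canary_path whose
    Referer host is not in allowed_hosts. An empty Referer ("-") is
    skipped: browsers and proxies strip it for many legitimate reasons,
    so alerting on it would be too noisy."""
    alerts = []
    for line in access_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop any query string
        if path != canary_path:
            continue
        ref = m.group("ref")
        if ref in ("", "-"):
            continue
        host = (urlparse(ref).hostname or "").lower()
        if host not in allowed_hosts:
            alerts.append((m.group("ip"), ref))
    return alerts


# Constructed Postfix-style log lines: three ISP deferrals/blocks plus one
# normal delivery. Relay names and addresses are placeholders.
MAIL_LOG = """\
Mar  3 10:12:01 mx1 postfix/smtp[12345]: 1A2B3C4D5E: to=<alice@aol.com>, relay=mailin-01.example-aol.invalid[192.0.2.20]:25, dsn=4.7.0, status=deferred (host mailin-01.example-aol.invalid[192.0.2.20] said: 421 4.7.0 see http://postmaster.info.aol.com/ (in reply to end of DATA command))
Mar  3 10:12:05 mx1 postfix/smtp[12346]: 2B3C4D5E6F: to=<bob@yahoo.com>, relay=mta.example-yahoo.invalid[192.0.2.21]:25, dsn=4.7.0, status=deferred (host mta.example-yahoo.invalid[192.0.2.21] said: 421 4.7.0 Messages from 203.0.113.10 temporarily deferred; see http://postmaster.yahoo.com/ (in reply to MAIL FROM command))
Mar  3 10:12:09 mx1 postfix/smtp[12347]: 3C4D5E6F7A: to=<carol@hotmail.com>, relay=mx.example-hotmail.invalid[192.0.2.22]:25, dsn=5.7.1, status=bounced (host mx.example-hotmail.invalid[192.0.2.22] said: 550 messages from 203.0.113.10 weren't sent; see http://mail.live.com/mail/troubleshooting.aspx (in reply to MAIL FROM command))
Mar  3 10:12:12 mx1 postfix/smtp[12348]: 4D5E6F7A8B: to=<dave@example.org>, relay=mx.example.org[192.0.2.23]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Constructed Apache combined-format lines: one legitimate load of the
# canary from our own login page, one load from a look-alike phishing
# site, one with no Referer, and one unrelated request.
ACCESS_LOG = """\
203.0.113.9 - - [03/Mar/2012:10:15:22 -0600] "GET /img/login-canary.png HTTP/1.1" 200 1234 "https://mail.example.edu/zimbra/" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2012:10:16:40 -0600] "GET /img/login-canary.png HTTP/1.1" 200 1234 "http://webmail-example-edu.example.net/zimbra/login.html" "Mozilla/5.0"
203.0.113.44 - - [03/Mar/2012:10:17:02 -0600] "GET /img/login-canary.png HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Mar/2012:10:17:05 -0600] "GET /zimbra/ HTTP/1.1" 200 5678 "http://evil.example/" "Mozilla/5.0"
"""

CANARY_PATH = "/img/login-canary.png"       # assumed canary image path
ALLOWED_HOSTS = {"mail.example.edu"}         # assumed real webmail host


def run_checks():
    """Run both detectors over the constructed samples and return the
    (deferral counts, canary alerts) pair."""
    warnings = deferral_warnings(MAIL_LOG.splitlines())
    alerts = canary_hits(ACCESS_LOG.splitlines(), CANARY_PATH, ALLOWED_HOSTS)
    return warnings, alerts


if __name__ == "__main__":
    warnings, alerts = run_checks()
    for marker, n in sorted(warnings.items()):
        print(f"ALERT: {n} log line(s) mention {marker}; ISP may be deferring us")
    for ip, ref in alerts:
        print(f"ALERT: canary image loaded from unexpected Referer {ref} by {ip}")
```

Wired to `tail -F` on the Postfix and Apache logs, the first function fires as soon as an ISP starts returning its postmaster URL in a 421/550 reply, which is the window in which to fix the problem before a blacklisting; the second gives the Referer host of the phishing page itself, which is exactly what you need for the takedown request and for blocking it at the campus proxy or resolver.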