Educause Security Discussion
mailing list archives
Re: Email blacklists blocking campus mail servers
From: "Michael J. Kenney" <m.kenney () USCIENCES EDU>
Date: Mon, 8 Apr 2013 11:06:22 -0400
If funding permits, you might want to look into a cloud-based anti-spam solution to direct your outbound mail through. This way if an account is compromised your email servers are never blacklisted. The vendor will give you a warning regarding the offending account. However you should put some checks into place, as Harry stated below, in order to stop the compromised account before getting a warning. We use Postini, but there are several other good options out there such as ProofPoint and EdgeWave.
Information Security Officer
University of the Sciences
600 S. 43rd St. Philadelphia, PA 19104
m.kenney () usciences edu | www.usciences.edu
USciences: Where healthcare and science converge
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry
Sent: Thursday, April 04, 2013 12:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email blacklists blocking campus mail servers
Lots of us have scripts in place to identify compromised accounts by the frequency and volume at which mail is being sent. Once an account meets that threshold you can take some action: reject mail, change password, etc. Blacklisting usually doesn't happen on "occasional" spam runs with very low volume.

You'll need to implement the same thing in any webmail offerings.

Reach out to the service that blacklisted you and work with them to get un-blacklisted (or is it de-blacklisted.. I never know).

If you use something like Nagios there's a plugin to check various blacklist feeds and report/alert if a specific IP address is on the blacklist. Implement this or something similar so you know ASAP.
On 04/04/2013 12:40 PM, John Bambenek wrote:
I was wondering how many people had experience with this type of incident where your campus mail servers got listed in email blacklists for compromised accounts sending out spam.
How did you mitigate the problem once identified?
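As an added example (not code from any poster in this thread), here is the kind of threshold script Harry describes: it parses a constructed, simplified outbound-relay log, counts each account's messages and recipients inside a sliding window, and reports accounts that exceed the limits so an operator can reject their mail or reset the password. The log format, field names and thresholds are assumptions; a real MTA log such as Postfix's spreads these fields across several lines keyed by queue ID.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified relay log lines (assumed format, not a real MTA's):
# "<ISO timestamp> relay: auth=<account> nrcpt=<recipient count>"
def _constructed_log():
    base = datetime(2013, 4, 4, 12, 0, 0)
    lines = []
    for i in range(3):                      # normal user: 3 messages in an hour
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} relay: auth=alice nrcpt=1")
    for i in range(80):                     # compromised account: 80 messages in ~5 minutes
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} relay: auth=bob nrcpt=10")
    return lines

LINE_RE = re.compile(r"^(?P<ts>\S+) relay: auth=(?P<user>\S+) nrcpt=(?P<n>\d+)$")

def parse_events(lines):
    """Yield (timestamp, account, recipient_count) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], int(m["n"])

def find_bursty_accounts(events, window=timedelta(minutes=10), max_msgs=50, max_rcpts=200):
    """Return {account: (peak_msgs, peak_rcpts)} for accounts that exceed either
    threshold within any sliding window of the given length."""
    per_user = defaultdict(list)
    for ts, user, n in events:
        per_user[user].append((ts, n))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        q, rcpts, peak_msgs, peak_rcpts = deque(), 0, 0, 0
        for ts, n in items:
            q.append((ts, n))
            rcpts += n
            while q and ts - q[0][0] > window:   # drop events older than the window
                rcpts -= q.popleft()[1]
            peak_msgs, peak_rcpts = max(peak_msgs, len(q)), max(peak_rcpts, rcpts)
        if peak_msgs > max_msgs or peak_rcpts > max_rcpts:
            flagged[user] = (peak_msgs, peak_rcpts)
    return flagged

if __name__ == "__main__":
    for user, (m, r) in find_bursty_accounts(parse_events(_constructed_log())).items():
        print(f"{user}: {m} messages to {r} recipients inside a 10-minute window")
```

Tune the window and limits to your campus's normal sending profile; the recipient-count limit catches a compromised account that sends few messages with very large recipient lists, which a per-message count alone would miss.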