Informs and engages the UNB community on IT developments and news

Management Briefing - Phishing attacks pose problems for UNB email

Author: ITS

Posted on May 3, 2013

Category: Management Briefings

Background On April 22, and again on May 1, a highly organized group of spammers attacked UNB’s email infrastructure by obtaining and using the usernames and passwords of UNB employees to send over a million spam emails through our servers, resulting not only in severe degradation of service, but also UNB being placed on external email watch and blocking lists. Both intrusions were the result of successful phishing attacks. Phishing attacks are email campaigns directed to all UNB students, faculty and staff asking them to provide their username and password for some (usually plausible) reason, such as impending account suspension or exceeded quotas. As you may have noted yourself, some of these messages are quite convincing, and appear to be from legitimate sources such as ITS or some other internal unit or individual (there were some very realistic ones recently purporting to be from President Campbell—they even included a photo from our website). In the recent cases, UNB employees responded to the phishing by providing their usernames and passwords. This is all the spammers needed; they logged into our outgoing email server and started sending out their spam—hundreds of thousands per hour, over a million in all. To give some context, UNB staff and faculty generate an average of 64,800 email messages per day, including systemgenerated email such as Footprints tickets (UNB’s issue tracking service). The spam messages clogged our servers, and not surprisingly caught the attention of external spam‐monitoring services, which quickly ‘blacklisted’ UNB email as spam. Once on such a list, UNB has to work hard to earn back trust; with 2 major incidents in a row, we have little credibility with the monitors. What are we doing about it? 1. On May 1, ITS removed the ability to send mail directly from the email system to the outside world. Users who have migrated to the ConnectEd service are unaffected, but it prevents spammers from connecting directly to our infrastructure and sending massive amounts of spam. Legitimate users from off‐campus are required to use the VPN (Virtual Private Network) service available via the myUNB portal to connect to enterprise services such as email. 2. We are deploying a new email server with automated safeguards to help protect against email abuse. We are imposing a system limit that will allow single users to send no more than 100 emails per hour, and no more than 500 per day. This new server will not be blacklisted by the external monitoring services unless further incidents occur. This will be operational by mid‐May. 3. We are de‐commissioning the old webmail system currently used by retired UNB faculty and staff who have not yet migrated to the ConnectEd service—they must be migrated over time. 4. To improve UNB’s overall reputation as an institution and a responsible Internet user, and to comply with technical and legal requirements for mass email services, we strongly advise legitimate users of mass mailings (e.g. Advancement, Student Services, etc.) to identify and use third‐party solutions that provide this kind of service, but without the stigma of spam abuse; these services are well‐known to monitors and are always vigilant in detecting unwanted attacks. ITS is aware of several services, including Sendable, Constant Contact, MailChimp, etc. 5. The current UNB ePublications system is 10 years old and must be retired. It will be replaced with a new system that leverages the myUNB portal, but will not include a mass email component.

May 3, 2013 ‐ Terry Nikkel and David Shipley, ITS