Re: Compromised email accounts
- From: Hans Wolters <hans@xxxxxxxxxxxxxxx>
- Date: 23 May 2008 21:41:20 GMT
In article <847idndt8p@xxxxxxxxxxxxxxxxx>, Todd H. wrote:
Man Alive <nopsam@xxxxxxxxxxx> writes:
I'm in an IT department in a small community college that offers
emails, wireless, VPN to students.
Lately we have been having spammers access student email accounts and
sending spam. We are researching how the account details were
I have looked in the server logs and noticed a number of successful
authentications from a suspicious IP; the authentications were to ~50
accounts. It looked like someone was testing if accounts from a list
had the correct credentials: the authentications were run via script.
Question: Are these types of account details bought and sold? I have a
feeling that someone bought a set of college accounts and ran a script
to evaluate which were still working. About a month later the spam
What web based email software are you running? Is it or was it
susceptible to SQL injection whereby the attacker may have dumped the
passwords for all email accounts?
It's also possible that keylogging trojans on shared computers might
be to blame as well.
The first step would be to force a password change on the affected
accounts of course, then keep an eye on things while you try to
figure out how they got the accounts. Patching is one possibility.
Compromised clients are indeed a burden. Patching might fix it somewhat
but making sure it is secured might be a better solution. Starting to use
browser certificates might be a start.
I do not think students are selling them, or they should be able to crack
their fellow student accounts. In that case it might be good to look at
the procedure of changing passwords. Do not let people use simple ones.
Good luck, post back. *nod*
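An added example, not part of the original posts: a log check for the pattern described in the thread, one source address authenticating successfully to many different accounts in a short time, which also yields the list of accounts to force a password change on. The log line format, the thresholds and all names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed; adapt the regex to your mail server's logs).
LINE_RE = re.compile(r"^(\S+) auth=(OK|FAIL) user=(\S+) ip=(\S+)$")

def parse(lines):
    """Yield (timestamp, ok, user, ip) for lines that match the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result == "OK", user.lower(), ip

def flag_credential_testing(lines, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: sorted accounts} for IPs with successful logins to at least
    min_accounts distinct accounts inside any sliding time window."""
    by_ip = defaultdict(list)
    for ts, ok, user, ip in parse(lines):
        if ok:  # the thread's pattern is successful logins, not failures
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, hit = 0, set()
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hit |= users
        if hit:
            flagged[ip] = sorted(hit)  # candidates for a forced password change
    return flagged

# Constructed sample: one address walks six accounts in a minute; the rest is normal use.
SAMPLE = [f"2008-05-20T03:14:{i*10:02d} auth=OK user=student{i} ip=203.0.113.45"
          for i in range(6)]
SAMPLE += [
    "2008-05-20T08:01:00 auth=OK user=alice ip=198.51.100.7",
    "2008-05-20T08:02:00 auth=FAIL user=alice ip=198.51.100.7",
    "2008-05-20T09:30:00 auth=OK user=bob ip=198.51.100.9",
    "2008-05-21T09:30:00 auth=OK user=student1 ip=198.51.100.9",
]

if __name__ == "__main__":
    for ip, accounts in flag_credential_testing(SAMPLE).items():
        print(ip, len(accounts), "accounts:", ", ".join(accounts))
```

Shared NAT or campus lab addresses can legitimately log in to many accounts, so tune `min_accounts` and `window` against a known-good day of logs before alerting on the result.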