Re: Compromised email accounts

On May 21, 7:00 pm, Man Alive <nop...@xxxxxxxxxxx> wrote:
I'm in an IT department in a small community college that offers emails,
wireless, VPN to students.

Lately we have been having spammers access student email accounts and
sending spam. We are researching how the account details were obtained.

I have looked in the server logs and noticed a number of successful
authentications from a suspicious IP; the authentications were to ~50
accounts. It looked like someone was testing if accounts from a list had
the correct credentials: the authentications were run via script.

Question: Are these types of account details bought and sold? I have a
feeling that someone bought a set of college accounts and ran a script to
evaluate which were still working. About a month later the spam started.

I dealt with that while attending MTSU, back in the 1990s. The
problem then was the Stoned computer virus.

Most likely these days, an MBR infection would be spread via USB key
drive, where the guy just pops it in, then walks off.

Check the access times, and see when the boot sector was infected.
Then start tracking.
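The pattern the original poster describes (one source IP successfully authenticating to many distinct accounts within minutes) can be pulled out of a mail server's auth log mechanically. The script below is an added example, not code from this thread; it assumes a constructed log line format and uses constructed sample lines with addresses from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real mail server's format):
# "<ISO-8601 timestamp> auth <OK|FAIL> user=<account> ip=<source address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, ip), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def find_account_testing(lines, min_accounts=5, window=timedelta(minutes=10)):
    """Map each suspicious IP to every account it logged into. An IP is
    suspicious when its *successful* logins cover >= min_accounts distinct
    accounts inside any span of length `window` (a script validating a list)."""
    by_ip = defaultdict(list)            # ip -> [(timestamp, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == "OK":       # failures are not the signal here
            by_ip[rec[3]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0                        # sliding window over sorted events
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample: one ordinary user, one IP scripted against a list.
SAMPLE_LOG = (
    ["2024-05-21T19:00:00 auth OK user=jdoe ip=198.51.100.7",
     "2024-05-21T19:30:00 auth OK user=jdoe ip=198.51.100.7"]
    + [f"2024-05-21T19:01:{i:02d} auth OK user=stud{i:02d} ip=203.0.113.9"
       for i in range(1, 7)]
    + ["2024-05-21T19:01:07 auth FAIL user=stud07 ip=203.0.113.9"]
)

if __name__ == "__main__":
    print(find_account_testing(SAMPLE_LOG))
```

Tune `min_accounts` and `window` to the site's normal traffic; a NAT gateway or campus proxy will legitimately show many accounts from one address, so confirm flagged IPs against known shared egress points before acting on them.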