IT Staff identification?

netsysadmin

Senior member
Feb 17, 2002
458
0
0
I know this is not a networking question, though I thought that you may have some ideas about this issue. We are having issues at work with spam that is requesting the users to click a link and enter their username and password or reply back to an email with that info. The emails are constantly changing styles and they are very vague, so they are hard to block with our spam filter.

I am trying to combat this issue from the other direction and be a little proactive. A few ideas I have had so far are email certificates that identify our staff and the validity of our emails. I was also thinking of doing a graphic footer that will be included with any of our emails. Does anyone else have a system on how to identify/verify the IT staff?

Thanks,

John
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
We have been under this onslaught also. First we sent a company-wide email about it. One thing we have always done is sign emails with our names and "COMPANY X Service and Support Team." Most of the generic messages will just say: The admin, Administrator, etc. We point that out. Next we jacked up the settings in Postini, which has eliminated a very large chunk. In Lotus we also sign the message with our certificates, but most end users have no idea what that actually means. Your best bet is to send out messages for awareness and set the spam blockers to "full onslaught" mode. We also showed a small picture showing how to "show the email address" so they can see it was not from us.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Get a better spam filter, if it's THAT important. We use Barracuda's; it is very good, and we have none of these problems with the hundreds of companies we provide spam filtering services for.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
We have a Barracuda 400. Trust me, these emails are very vague and don't have any signatures to them to block. We would definitely block legitimate emails if we got more aggressive with the filters.

John
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Are your subscriptions to Barracuda current? If they are not, then I'd suggest renewing them. They are invaluable. Past that, submit the messages to Barracuda.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Subscriptions are current. Here is an example of the email below. This one is asking for a reply. No use in blocking the sending IP since it is likely a hacked machine. They are just so generic, how can you block it without catching other legit emails?

John

----------------------------
Dear Subscriber

TERMINATION OF YOUR WEBMAIL ACCOUNT We are currently carrying out an upgrade on our system due to the fact that it has come to our notice that one or more of our subscribers are introducing a very strong virus into our system and it is affecting our network. We are trying to find out the specific person.
For this reason all subscribers are to provide their USER NAME AND PASSWORD for us to verify and have them cleared against this virus.
Failure to comply will lead to the termination of your Account in the next 48 hours.

Information to send;
EMAIL ADDRESS:
USERNAME:
PASSWORD:

Hoping to serve you better.
Sincerely,
WEBMAIL SUPPORT
-------------------------------
 

HappyPuppy

Lifer
Apr 5, 2001
16,997
2
71
If I received an email like that I would immediately forward it to IT, or at least make them aware of it. I wouldn't even consider responding. Then again, most users are sheeple.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
Besides blocking the emails, which is a good idea if it's possible, another option is to try to nail this on the backside (the web piece). If you've got a web proxy appliance with smart filters (e.g. Blue Coat) you may be able to stop people from getting to those bogus web forms. If your spam filter supports reputation/blacklist filters for originating mail servers, I would check if that is enabled as well.

Another option is to do some user security awareness training telling them they should never respond to crap like that (with examples), but there will always be a few dumb ones who do it anyway. It is also important that the IT department thinks about the type of email they send out - IT should never, ever send out anything that could even remotely be construed as a phishing email, otherwise you are training the users to respond to them.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
Given that you can be pinpoint targeted for phish attacks, it is possible that the best webfilter in the world could get through.

As you raise your trust in your filtering solution you may let down your guard.

I'd agree that it is best policy to train your employees to be paranoid.

Protect them as best you can, but an ounce of prevention goes a long way here. If it takes you a few minutes to draft an email about what the latest spam/phish are, then that is time well spent compared to having to re-image a machine or having personal/business data stolen.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Unfortunately, we don't have a web proxy box. Our spam filters are using reputation lists and blacklists, so we have that covered. They are just not fast enough to keep up with the changes in the phishing emails.

We do educate the users, but that doesn't mean they are always going to do what we ask them to do. We have a lot of users here and it just takes one not paying attention to get us. That is the reason I am looking for a proactive solution to help the situation as much as possible.

John


Originally posted by: Pheran
Besides blocking the emails, which is a good idea if it's possible, another option is to try to nail this on the backside (the web piece). If you've got a web proxy appliance with smart filters (e.g. Blue Coat) you may be able to stop people from getting to those bogus web forms. If your spam filter supports reputation/blacklist filters for originating mail servers, I would check if that is enabled as well.

Another option is to do some user security awareness training telling them they should never respond to crap like that (with examples), but there will always be a few dumb ones who do it anyway. It is also important that the IT department thinks about the type of email they send out - IT should never, ever send out anything that could even remotely be construed as a phishing email, otherwise you are training the users to respond to them.

 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Agree 100%!! We often take the offending emails and send them out as examples to educate the users. At this point I still feel we are open; it just takes one user. I want to add to our protection, even if it is a simple solution.

John


Originally posted by: Emulex
Given that you can be pinpoint targeted for phish attacks, it is possible that the best webfilter in the world could get through.

As you raise your trust in your filtering solution you may let down your guard.

I'd agree that it is best policy to train your employees to be paranoid.

Protect them as best you can, but an ounce of prevention goes a long way here. If it takes you a few minutes to draft an email about what the latest spam/phish are, then that is time well spent compared to having to re-image a machine or having personal/business data stolen.

 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
There is that extra paranoid list that works well; I think it is called clamav-unofficial-signatures-3.6, and it is what Barracuda uses too. It is extremely effective. However, it can quadruple the CPU load to process large attachments, so a 10 second scan on a 20 meg email can span out to 40 seconds. Enough of these emails at the same time can cause SMTP timeouts and requeues, which will cause doubles/triples/delays of receipt.

I run this on a Celeron 2.4 I built about 6 years ago (spamass/clamav) and it's just now getting too slow. Might be time to upgrade the two clamav/spamass servers.

Throw them into a VM.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
netsysadmin, first off, you need a clear sender identity for legitimate IT emails. Many organizations set up a role account for this, and then make it clear that ONLY emails from that account are from your IT staff. Depending on email client, you might also be able to use certs or something similar to authenticate inside vs. outside users, or you may be able to bring to the user's attention that emails came from outside your network / the public Internet rather than inside your network.

You have to make the distinction between legitimate inside sender and (unauthenticated) outside sender idiot proof.

Also, you might consider defanging links in emails. I can't think of any legitimate reason why I would ever want to click directly on a link that came in from some email. If it's legitimate, I'll cut and paste it, thanks. I want to see that link in its entirety, and I want it to require extra effort. Especially in a business setting, links in emails are very much the exception.

Where I can, I go one step further, and plain-text-ize emails from outside. Take a look at demime and mimedefang. Public Internet email should be plain text, maybe with some attachments (grumble). If there's a bunch of HTML, odds are that it's either from Outlook (in which case it's really plain text, just encoded to waste bandwidth), it's spam, or it's malicious. In all three cases, converting it to plain text is a win.
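The inside/outside distinction, the single IT role account and the link defanging described in this post, as an added example (not code from cmetz or from demime/mimedefang): a small Python filter that tags mail arriving from outside, flags an outside message whose From claims an internal domain or asks for credentials, and rewrites links so clients stop rendering them as clickable. The organisation domain, role account and sample message are all constructed; the phishing text is the one quoted earlier in the thread.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example.com"}           # assumed organisation domain
IT_ROLE_ACCOUNT = "it-support@corp.example.com"   # assumed single IT sender address
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
CRED_RE = re.compile(r"\b(user ?name|password|log ?in)\b", re.IGNORECASE)

# Constructed sample: the phishing text quoted earlier in the thread, wrapped in
# minimal headers with a made-up external sender and a made-up link.
SAMPLE_PHISH = b"""From: WEBMAIL SUPPORT <support@webmail-upgrade.example.net>
Subject: TERMINATION OF YOUR WEBMAIL ACCOUNT
Content-Type: text/plain; charset=us-ascii

Dear Subscriber
All subscribers are to provide their USER NAME AND PASSWORD for us to verify.
Confirm here: http://webmail-upgrade.example.net/verify
USERNAME:
PASSWORD:
"""

def defang(text):
    """Rewrite http(s):// as hxxp(s):// so clients stop rendering clickable links."""
    return URL_RE.sub(lambda m: m.group(0)[0] + "xx" + m.group(0)[3:], text)

def process(raw, received_from_outside):
    """Return (subject, banner, body, findings) for one inbound message.
    received_from_outside is the gateway's verdict (arrived over the public
    Internet); the From header is never trusted for that, since it is forgeable."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    subject, banner, findings = str(msg.get("Subject", "")), "", []
    if received_from_outside:
        findings.append("external-sender")
        subject = "[EXTERNAL] " + subject
        banner = "CAUTION: this message came from outside the organisation."
        if sender.rpartition("@")[2] in INTERNAL_DOMAINS:
            findings.append("spoofed-internal-from")   # claims to be us, but is not
        if CRED_RE.search(body):
            findings.append("external-credential-request")
    elif sender == IT_ROLE_ACCOUNT:
        banner = "Verified: sent from the IT Service and Support role account."
    if URL_RE.search(body):
        findings.append("links-defanged")
        body = defang(body)
    return subject, banner, body, findings
```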
 

SammyJr

Golden Member
Feb 27, 2008
1,708
0
0
Originally posted by: netsysadmin
I know this is not a networking question, though I thought that you may have some ideas about this issue. We are having issues at work with spam that is requesting the users to click a link and enter their username and password or reply back to an email with that info. The emails are constantly changing styles and they are very vague, so they are hard to block with our spam filter.

I am trying to combat this issue from the other direction and be a little proactive. A few ideas I have had so far are email certificates that identify our staff and the validity of our emails. I was also thinking of doing a graphic footer that will be included with any of our emails. Does anyone else have a system on how to identify/verify the IT staff?

We only have 4 people and we only ask for passwords in email if we have previously spoken to the user on the issue. Otherwise, we'll call them and ask. They know our voices by now. Tight knit place.
 

Rudy Toody

Diamond Member
Sep 30, 2006
4,267
421
126
I once worked for a company of about 60 employees who were notified by IT about a potential email that was making the internet rounds. IT could not block it because none had been received yet. The first email to hit the company landed in the owner's mailbox. He not only responded to it, he forwarded it to all employees with a message that it was important and everyone should respond to it. He brought down all but 2 computers in the company: mine, because I was working nights that week, and the IT guru's computer, because he knew better. It took IT over a week to clean up the mess.
 