Phishing
Resources
- Phishing scam alert email template
- Phishing scam flier (PDF 40 KB)
- Phishing FAQ
Help
Questions about phishing? Contact the IT Express Computing Services Help Desk at 530-754-HELP (4357).
‘Any solution will involve user education and some modifications to our email architecture’
Information and Educational Technology sent this letter to technotices on Tuesday, Jan. 6, 2009. It explains the phishing-caused email problem that disrupted outbound campus email at the start of winter quarter, and how IET is responding.
Greetings,
The smooth flow of email is critical to the business of the campus and the daily life of our campus community. We understand this and I can assure you that resolving the continuing service problems we have been experiencing with outbound email is, and has been, our highest priority. Unfortunately, due to the nature of the problem, there will be no fast and easy resolution.
The problem is that our email servers are repeatedly getting listed on various Internet Service Providers' (ISP) Real-Time Blocklists (RBLs), which causes their email servers to refuse connections from our servers. RBLs are used by organizations (including UC Davis) to combat the continuous flood of spam. Our email servers are being placed on ISP RBLs because UC Davis accounts are being used by spammers to send spam to those ISPs. The root cause of the problem is that our students, staff, and faculty are responding to phishing messages with their loginID and password. Once the phishers have an account ID and password, they use it to send spam. Every round of phishing messages sent to campus addresses results in a few to dozens of people replying with their loginID and password. When IET detects the compromise, we disable the account. When our servers get listed on an RBL, we request removal. This has been an almost continuous cycle for the past week.
The latest phishing message that made the rounds last night got at least a dozen responses - and that doesn't include any of the student email accounts or anybody using an external SMTP service, because we have no visibility into those services. Any solution will involve user education and some modifications to our email architecture.
This academic year, we have issued several statements through the TSP, Dateline and TechNews articles, and postings on the WWW servers. We have also included a permanent security notice on both CAS and Distauth authentication pages so all users see the message every time they authenticate. We have developed posters about phishing and placed them in Unitrans buses and the MU. Tomorrow [Jan. 7], we will send a message to the entire campus community that will remind them that the campus will never ask for their username and password via telephone or email and that everyone has a part in helping to preserve the integrity of our campus electronic communication resources. We will continue with our education campaign and try different approaches to reach the entire community. This is a community problem and it will require community action to resolve it. We encourage you to continue educating those whom you support about phishing scams.
Please know that we are currently researching and testing technical mitigation measures that include, but are not limited to, monitoring and scanning outgoing email to identify potential spam, rate-limiting outgoing email, and terminating access to Geckomail sooner than originally scheduled for students who have DavisMail accounts. However, none of these measures will be a panacea. Each one has pros and cons, and perhaps unforeseen consequences, so we cannot make any changes without a thorough quality assurance process and vetting the change with the campus community. A rash response could potentially cause much more harm than good.
We realize that sending communications about phishing only adds to your workload - and at a very busy time of the year. To lighten the load just a bit, IET has developed a template for you to modify as appropriate for the people whom you support. We also developed the 8.5x11 inch black-and-white flier that can be put up on department bulletin boards and other appropriate public places. (Find both at security.ucdavis.edu/phishing.)
Regards,
Mark
Mark Stinson
Client Services Manager
Data Center and Client Services
Information and Educational Technology