[unisog] AOL and forwarding

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Oct 7 16:42:14 GMT 2005


If you want to track the volume and incidence of spam e-mail from your
site, you can do that at www.senderbase.org and search on your domain,
e.g. asu.edu.  You can also see what organizations have blocked a
specific IP.  

Lois Lehman
College of Liberal Arts & Sciences IT
Computing Manager
Information Assurance Coordinator
Arizona State University
480-965-3139


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Dave Dittrich
Sent: Friday, October 07, 2005 9:27 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] AOL and forwarding

> We reject some 50% of mail as spam or virus.  Some colleges do not reject
> spam at all, but just mark it, and if we did that we'd be sending AOL even
> more spam than we do.
>
> Or do we forward much more mail to AOL than most places?  One reason we
> might is that we run an alumni forwarding service on the main mail system.
> Alumni get as much spam as anybody but it's not balanced by much mail
> from our own users, so their percent must be pretty high.

Joseph,

Your problem may be with spambots.  Programs like Agobot/Phatbot have
built in checks to see if they are able to spam AOL, and if so, they
do it very aggressively.  They know how to fake several SMTP servers,
to try to bypass filters, and do their own relaying (or can proxy
through other hosts), so they bypass your own email infrastructure and
filters.  If you have some way of monitoring flows to AOL servers, and
watch for high volumes (either connections or total bytes), you may
find these spambots.  (Make sure to protect your users' privacy while
doing this.  As you know, if you don't do anything they may lose email
access, so careful and ethical monitoring benefits them more than it
threatens their privacy.)

--
Dave Dittrich                           Information Assurance Researcher,
dittrich at u.washington.edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
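
An added illustration of the flow monitoring suggested in the quoted message (not part of either post, and not code from either author): it counts SMTP connections and bytes per internal host to a watched set of mail-server networks, ignoring the site's own relays, and uses flow metadata only, never message content. The record format (`src dst dst_port bytes`), the documentation-range addresses and the thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

def find_direct_smtp_senders(flow_lines, relays, watched_nets,
                             min_conns=20, min_bytes=1_000_000):
    """Return [(src, conns, bytes)] for non-relay hosts with heavy SMTP to watched_nets."""
    nets = [ipaddress.ip_network(n) for n in watched_nets]
    conns = defaultdict(int)
    octets = defaultdict(int)
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed record
        src, dst, port, size = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            port, size = int(port), int(size)
        except ValueError:
            continue
        if port != 25 or src in relays:
            continue  # sanctioned relays are expected to send mail
        if not any(dst_ip in n for n in nets):
            continue
        conns[src] += 1
        octets[src] += size
    # Flag on either signal: many connections or a large byte total.
    hits = [(s, conns[s], octets[s]) for s in conns
            if conns[s] >= min_conns or octets[s] >= min_bytes]
    return sorted(hits, key=lambda h: (-h[1], -h[2]))

def constructed_sample():
    """Constructed flow records (not real data); 198.51.100.0/24 is the watched network."""
    flows = ["192.0.2.10 198.51.100.25 25 40000"] * 200      # campus mail relay
    flows += ["192.0.2.77 198.51.100.26 25 3000"] * 3         # occasional direct sender
    flows += ["192.0.2.143 198.51.100.%d 25 9000" % (25 + i % 4)
              for i in range(150)]                            # many connections
    flows += ["192.0.2.201 198.51.100.25 25 600000"] * 2      # few connections, many bytes
    flows += ["192.0.2.88 203.0.113.9 25 2000"] * 50          # SMTP to an unwatched network
    flows += ["192.0.2.143 203.0.113.5 80 500000", "garbage line"]
    return flows

if __name__ == "__main__":
    for src, n, b in find_direct_smtp_senders(
            constructed_sample(), {"192.0.2.10"}, ["198.51.100.0/24"]):
        print(f"{src}: {n} SMTP connections, {b} bytes")
```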


