
Compromised Accounts, Spam & E-mail Filtering

Last Updated: 09/25/2012

From time to time, Internet service providers (ISPs) will block or slow delivery of e-mail sent from our campus. It is also not uncommon for our campus to slow the rate at which we receive e-mail from some ISPs. Our e-mail being blocked often stems from a handful of @colorado.edu e-mail accounts being compromised and used to relay large amounts of spam; similar compromises at other, off-campus ISPs can cause us to slow the rate at which we receive some of their e-mail. The CU-Boulder director of IT security, Dan Jones, recently talked about the events that lead to e-mail being blocked, explained how e-mail filtering happens and what the university is doing to address spam and compromised accounts, and provided tips on how you can avoid compromised accounts and the resulting e-mail blocking.

Q: Why do Internet service providers suddenly choose to block e-mail from the campus?

DJ: Usually this occurs when a number of IdentiKey accounts on the Boulder campus are compromised and then used by malicious individuals to connect to the campus e-mail servers and send large amounts of spam. These compromised accounts were likely the fruits of “phishing” e-mails sent to collect usernames, passwords, and other personal information from members of our campus community.

ISPs are constantly monitoring the flow of e-mail to their account owners, and when large amounts of e-mail are received that bear the markings of unsolicited bulk messaging or spam, messages from the sending domain, such as colorado.edu, are flagged for closer analysis. The Office of Information Technology is often able to identify the on-campus source of the spam and disable the accounts, but sometimes not before it reduces our spam reputation. This can result in a number of ISPs increasing the filtering of e-mails sent from the colorado.edu domain and some legitimate messages getting blocked.
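Added example, not from the original page or from OIT: one simple way the on-campus source of a spam burst can be spotted in outbound relay logs, as the answer above describes. The log format, account names, IP addresses and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed (not CU-Boulder's) outbound-relay
# log format: timestamp, authenticated account, client IP, recipient count.
SAMPLE_LOG = """\
2012-09-24T08:01:12 user=alice ip=128.138.10.5 rcpts=1
2012-09-24T08:03:40 user=bob ip=128.138.10.9 rcpts=2
2012-09-24T08:04:02 user=carol ip=203.0.113.7 rcpts=45
2012-09-24T08:04:05 user=carol ip=203.0.113.7 rcpts=50
2012-09-24T08:04:09 user=carol ip=203.0.113.7 rcpts=48
2012-09-24T08:04:13 user=carol ip=198.51.100.2 rcpts=50
2012-09-24T08:10:00 user=alice ip=128.138.10.5 rcpts=3
2012-09-24T08:12:30 user=dave ip=128.138.10.4 rcpts=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$")

def parse_log(text):
    """Yield (timestamp, user, ip, recipient_count) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"],
                   m["ip"], int(m["rcpts"]))

def flag_accounts(text, window=timedelta(minutes=10), max_rcpts=150, max_ips=1):
    """Return {user: reason} for accounts that, within any sliding time window,
    address more than max_rcpts recipients or relay from more than max_ips
    distinct client IPs. Thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for ts, user, ip, rcpts in parse_log(text):
        events[user].append((ts, ip, rcpts))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            total = sum(r for _, _, r in win)
            ips = {ip for _, ip, _ in win}
            if total > max_rcpts or len(ips) > max_ips:
                flagged[user] = f"{total} recipients from {len(ips)} IP(s) within {window}"
                break
    return flagged
```

A single large but legitimate send (dave) stays below the default thresholds, while carol's burst from two client addresses is flagged for review.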

Q: What does it mean when an ISP is blocking e-mail from CU-Boulder? How does an ISP decide to block some messages but not others?

DJ: To understand how CU-Boulder and ISPs address spam and malicious e-mail problems, a good analogy is airport security. When the Department of Homeland Security elevates the threat level, screeners at the airport take more time to check passengers and their baggage, and to monitor suspicious behavior. The additional checks may result in longer queues, delayed baggage, or missed flights. When a CU-Boulder account is used to send spam, it causes network industry systems that track and publish Internet threat levels to lower our reputation score, thus causing ISPs to slow down delivery or even block messages from CU-Boulder accounts. CU-Boulder uses these same industry systems to help determine when we choose to slow down the delivery of or block messages from external domains if they have been the victim of an attack. These systems are in common use globally—when the reputation score for @colorado.edu is lowered, it is lowered globally. It is up to ISPs what action they may then take.

Q: How will I know if my e-mail is blocked by an ISP? Is there anything I can do to make sure my e-mails aren’t blocked?

DJ: Customers will often receive an e-mail from the destination servers indicating that an e-mail was delayed or that it could not be delivered. With the deluge of e-mails that we all deal with, it is easy for many of us to delete these messages without realizing their intent to notify us of something important. We can all be part of the solution by practicing safe computing habits, which prevent accounts from becoming compromised. Do not click on links in e-mails and never share or e-mail your password for any reason.

Q: What is the university doing to assure that our e-mail isn’t blocked by other ISPs?

DJ: The university has several strategies to ensure that our e-mail is not blocked by other ISPs. The majority of e-mail sent from campus is checked to make sure that it does not contain a virus or is not spam, because these things can lower our reputation. The campus also monitors for signs of intrusion or that accounts have been compromised and acts quickly if accounts are compromised.

That said, sometimes spam still makes it off campus from compromised accounts. We continually adapt our infrastructure to address new threats to further improve how the system filters messages so we can avoid e-mail being blocked. It might be helpful to understand that in addition to the mainstream (and largest) campus e-mail systems which are provided by OIT (Exchange and CULink), there are hundreds of other smaller e-mail systems across campus, and nearly all e-mail from our campus is viewed by the rest of the world as coming from @colorado.edu.

Q: How do we decide to increase filtering of a certain ISP?

DJ: Universities, corporations, and Internet service providers all use services that track threats across the Internet. These systems collect millions of data points about new threats daily; doing that collection on our own would be cost prohibitive. These data help rank ISPs in terms of their ability to send e-mail that isn’t contaminated with viruses or isn’t spam. These scores are always changing and therefore the amount of e-mail throttling or filtering for a specific ISP is also dynamic. Filtering e-mail is not an on or off proposition. Just as the TSA (hopefully) never completely stops the flow of airport traffic or conversely allows it to go unchecked, all e-mail, regardless of where it originates, is filtered to some degree.

Q: Why don’t you just deliver all the e-mail and let me sort it out?

DJ: Over 80 percent of e-mail destined for the campus is either malicious or spam. Delivering all the inbound e-mail would overwhelm faculty, staff, and students who would then need to spend much more time sorting through their e-mail. Delivering all inbound e-mail would also cause significant cost, not only due to additional security incidents, but also because additional computing infrastructure would be required to store all these new messages. Therefore, CU-Boulder, like all ISPs, will always do some level of spam filtering before messages reach account owners.

Q: How do I figure into all of this?

DJ: The best way for you to prevent the proliferation of spam and the resulting ISP blocking is to protect your password. Never share your password. CU-Boulder will never ask you to share your password and you should be suspicious of any requests to do so. If you need to, you can reset your password using CU-Boulder Identity Manager at https://cuidm.colorado.edu/. The more aware we are in making good IT security choices, the better. It only takes one person to divulge their password to cause significant problems for everyone on campus. It takes all of us working together to maintain the integrity of the colorado.edu domain and to ensure the reliable delivery and transmission of safe, legitimate e-mail messages.

E-mail and IT Security Resources

You can learn more about protecting your passwords, e-mail and web security, phishing, and other IT security topics at http://oit.colorado.edu/it-security/security-awareness. Information about how the university processes spam can be found at http://oit.colorado.edu/e-mail/spam. If you ever have questions about the legitimacy of an e-mail, or questions about whether e-mail you send or wish to receive is being blocked, please contact the IT Service Center at help@colorado.edu or 303-735-4357 (5-HELP from a campus phone). E-mail and phone help is available Mondays through Thursdays, 7:00 a.m. to 10:00 p.m.; Fridays, 7:00 a.m. to 7:00 p.m.; and Saturdays and Sundays, noon to 6:00 p.m. Learn more at http://oit.colorado.edu/service-center.