Reducing the impact of phishing: New outbound e-mail throttles

Published: Aug. 21, 2013

E-mail phishing is a significant and growing problem for CU-Boulder. Recently, the CU-Boulder campus has seen an increase in the number of accounts compromised by phishing attempts. In addition, the reaction times of e-mail service providers have become much faster for blocking e-mail from institutions with compromised e-mail accounts. A compromised account often sends in excess of 100,000 e-mail messages which quickly hurts the e-mail reputation of the @Colorado.EDU domain and adds the domain to various e-mail block lists. When the @Colorado.EDU domain gets blocked, e-mail providers like Google, Yahoo, Comcast and others delay or reject delivery of messages from all @Colorado.EDU addresses. The Office of Information Technology (OIT) works to quickly identify and remediate compromised accounts but, once our domain has already been blocked, it can take hours or even days before the block is lifted.

CU-Boulder has long allowed the sending of outbound e-mail to the Internet without any restrictions. Due to the increased occurrence and impact of accounts compromised by e-mail phishing, CU-Boulder can no longer let an unlimited flow of outbound e-mail occur without risking the integrity of the entire e-mail communication environment. Instead, we are now institutionalizing throttling limits that will not impact standard, general purpose communication. If there are legitimate business reasons for sending large quantities of e-mail, an exception can quickly be granted.

In order to proactively manage the impact these phishing message have on this campus, OIT will set a limit for outbound e-mail messages to 400 recipients per hour/per account starting on Thursday, Aug. 22. Setting this limit will stop the flood of outbound e-mails when an account is compromised while not affecting delivery for the vast majority of campus e-mail account owners. E-mails sent from a single account that exceed the 400 recipient limit will be held in e-mail queues allowing OIT an opportunity to clean up compromised accounts before the e-mail escapes to the Internet. This new procedure will only delay, not deny, delivery of messages unless it becomes clear that the messages are illegitimate.

Campus bulk messaging services like Listproc, Sympa Course Rosters and CU-Boulder Today (Harris Connect) will be exempt from the limit. For those account owners who have a business need for sending large numbers of e-mails as part of normal operating procedures, an exception request process has been put into place. To request an exception, please contact the IT Service Center at or call 303-735-4357. 

OIT has determined these new e-mail outbound sending rates based upon the best practices of other large-scale e-mail providers such as Google and Microsoft. These new limits will protect the continuity of e-mail communication for all CU-Boulder account owners while limiting the impact from compromised accounts. If you have questions about this new limit or about campus e-mail services in general, please contact the IT Service Center at or call 303-735-4357.