Section: Technology
Campus e-mail targeted by “phishers,” outgoing e-mail may be blocked
Jun 25, 2008

Recently, the Metro State community has been the target of several focused “phishing” attacks, the fraudulent practice of sending e-mail under the guise of a trustworthy entity. Phishing attempts to trick people into revealing confidential information such as passwords and user identification names and numbers.

Misleading e-mails
Phish messages can be very deceptive. “The e-mails often look quite official and employ scare tactics, threatening to close accounts or drop classes if people don’t respond,” said Vice President of Information Technology Carl Powell.

A few individuals from Metro State have, in fact, been tricked into giving out their e-mail passwords. Their Web mail accounts were compromised and used to send out large volumes of spam mail in a short period of time.

“One user’s account sent out more than 80,000 e-mails per day for three days,” Powell said. “This represented 10 percent of the total outgoing e-mail from all faculty, staff and student accounts for the entire month.”

Powell points out that colleges and universities across the country have recently become the focus of these kinds of attacks. “It’s because we have more open access than, for example, a corporation,” he says. But, he adds, the phishing attacks are not currently focused on eliciting financial information, “nor do they pose any threat to the security of college data. They’re really more of a nuisance than anything else, at this point.”

Outgoing e-mails may be blocked
Because of the increased volume in spam mail sent from accounts with the mscd.edu domain, the College e-mail system has “acquired a poor reputation with the rest of the Internet community,” according to Yvonne Flood, assistant vice president of Information Technology.

The fact that so many spam e-mails have been sent from e-mail addresses with the mscd.edu domain may result in the blocking – or rejection by spam filters – of e-mail from Metro State at many external businesses and organizations. If you experience difficulty sending e-mail to addresses that are not associated with Metro State, you may need to telephone the intended recipient and fax any documents to them in lieu of using e-mail.

Corrective steps
Powell says the IT department is undertaking steps to address the phishing nuisance. “First, we’re looking at re-educating users on what phishing is and how to avoid falling prey to it,” he says. “For example, everyone should know that the IT department will never ask for your account number in an e-mail.” Second, the department is contracting with the College’s e-mail software vendor and spam appliance to upgrade systems and beef up filtering rules without impinging on e-mail access.

“While (the IT department) is working diligently to get tools in place that will mitigate outgoing spam mail, raising the Internet reputation for the College will take a few days,” Flood added. “We appreciate everyone’s patience and support as we work through these challenges.”

If anyone has any questions about the validity of an e-mail, Powell says, they should call the IT Help Desk at 1-877-352-7548.

For more information on phishing, go to: http://www.mscd.edu/~infotech/security/info/securitytips.htm