Monday, June 8, 2015

Reporting Phishing/Spam from .edu Addresses

Today I received a standard phishing (credential theft attempt) e-mail, the kind I wrote about in Mark Junk/Phishing Mail as Spam. However, this message claimed to originate from a .edu e-mail address. So, I went to that university's web site and looked for a contact e-mail. I then sent a message of the following form to that address, CC'd to abuse@[domain].edu:

Hello, 
I received the below e-mail that claims to have been sent from a [institution] address. It is a standard phishing/scam attempt; I have no doubt that the linked page will attempt to either drop malware or present a fake login screen to steal credentials. 
If the e-mail was indeed sent from that account, its user has probably been infected and the account hijacked by an e-mail worm. If the message did not originate from your servers, you might want to look into SPF to ensure nobody can impersonate your users. 
Sincerely, 
[Name]

A few hours later, I received a thankful reply from the Enterprise Security person at that institution. The account had indeed been compromised; the situation has now been dealt with.

So, new task for good Internet citizens: notify educational institutions of spam from their domain. Feel free to copy and fill in the above note if you receive such messages.
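The note above asks the institution to decide between two cases: the message really came from their servers (a hijacked account) or it did not (sender impersonation, which SPF is meant to stop). The check below, an added example rather than anything from the original post, evaluates a sending IP against the ip4/ip6/all mechanisms of an SPF record. The record and addresses are constructed, not taken from any real .edu domain, and mechanisms that would need DNS lookups (include, a, mx, redirect) are deliberately reported as unhandled.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not a real institution's record).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate sender_ip against the ip4/ip6/all mechanisms of an SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror, unhandled.
    'unhandled' means the record uses include/a/mx/redirect (or a modifier),
    which a full evaluator would resolve through DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a mechanism without a qualifier means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unhandled"  # include/a/mx/redirect/exp need DNS resolution
    return "neutral"  # no 'all' term and nothing matched: RFC 7208 default


def diagnose(record, sender_ip):
    """Map the SPF result onto the two cases distinguished in the report letter."""
    result = check_spf(record, sender_ip)
    if result == "pass":
        return "authorized server: suspect a compromised account"
    if result in ("fail", "softfail"):
        return "unauthorized server: suspect sender impersonation"
    return "inconclusive: SPF result is " + result
```

The sending IP to test is the one in the last trustworthy Received header of the suspicious message, and the record is the TXT record of the domain in the From address.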