Today I received a standard phishing (credential theft attempt) e-mail, the kind I wrote about in Mark Junk/Phishing Mail as Spam. However, this message claimed to originate from a .edu e-mail address. So, I went to that university's web site and looked for a contact e-mail. I then sent a message of the following form to that address, CC'd to abuse@[domain].edu:
Hello,
I received the below e-mail that claims to have been sent from a [institution] address. It is a standard phishing/scam attempt; I have no doubt that the linked page will attempt to either drop malware or present a fake login screen to steal credentials.
If the e-mail was indeed sent from that account, its user has probably been infected and the account hijacked by an e-mail worm. If the message did not originate from your servers, you might want to look into SPF to ensure nobody can impersonate your users.
Sincerely,
[Name]
A few hours later, I received a thankful reply from the Enterprise Security person at that institution. The account had indeed been compromised; the situation has now been dealt with.
So, new task for good Internet citizens: notify educational institutions of spam from their domain. Feel free to copy and fill in the above note if you receive such messages.
