Neil Turner's Blog

Blogging about technology and randomness since 2002

Error is between user and keyboard

We’re having some email problems at work, which I feel are worthy of a blog entry. I normally don’t talk about what goes on at work, partly through a matter of personal policy but also because I don’t want to be seen as a spokesperson for my employer. So the entry comes with the usual disclaimer – nothing written here necessarily represents the view of the University of Bradford and it should not be treated as such.
Anyway, we have email problems. Essentially most of the big email providers – AOL, Yahoo, Hotmail, Gmail and some others – now block all email sent from the university as of last week, which is obviously a big problem. From what I can gather, however, it came about through social engineering. Essentially blanket messages were sent to university accounts, asking users to ‘verify their account details’ – of course, these weren’t sent by the university and allowed those outside the university to gain access to the university systems.
This is where I begin guessing, but I know for a fact that the university’s mail servers are accessible off-campus (and outside the university subnet) with a username and password, and so I imagine that the stolen account details were then used for sending spam messages by the virtual truckload, which then got the university banned.
It has come at what is possibly the worst time, because right now we are sending emails to new students starting in September with enrolment information. Any emails that come back undelivered will trigger a letter that is sent by post, but it’s an additional expense for us. And next week is when most students get their results.
Apparently we can expect to be unblocked from most services if there is no spam from us for a week, so hopefully things will be back to normal soon.
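The pattern described in the post, a single authenticated account suddenly relaying mail by the truckload, is visible in the submission server's own logs well before a blacklist reacts. The following is an added example, not code from the original post or from the university: a per-account sliding-window recipient count over constructed log lines whose format (`sasl_username=`, `rcpt_count=`) is assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real server logs). Each line records the
# authenticated account that relayed a message and its recipient count;
# the field names are assumed for this example.
SAMPLE_LOG = """\
2008-08-01T09:00:01 sasl_username=jsmith rcpt_count=1
2008-08-01T09:05:12 sasl_username=jsmith rcpt_count=2
2008-08-01T09:06:03 sasl_username=abrown rcpt_count=40
2008-08-01T09:06:04 sasl_username=abrown rcpt_count=45
2008-08-01T09:06:05 sasl_username=abrown rcpt_count=50
2008-08-01T09:06:06 sasl_username=abrown rcpt_count=48
2008-08-01T12:30:00 sasl_username=cjones rcpt_count=3
"""

LINE_RE = re.compile(r"^(\S+) sasl_username=(\S+) rcpt_count=(\d+)$")


def parse_log(text):
    """Return a list of (timestamp, account, recipient_count) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not submission records
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def flag_accounts(events, window=timedelta(minutes=10), max_recipients=100):
    """Map each account whose recipient total inside any `window`-long
    span exceeds `max_recipients` to its peak total in such a span."""
    by_user = defaultdict(list)
    for ts, user, n in sorted(events):
        by_user[user].append((ts, n))
    flagged = {}
    for user, rows in by_user.items():
        start, total, peak = 0, 0, 0
        for ts, n in rows:
            total += n
            # drop events that have fallen out of the trailing window
            while rows[start][0] < ts - window:
                total -= rows[start][1]
                start += 1
            peak = max(peak, total)
        if peak > max_recipients:
            flagged[user] = peak
    return flagged
```

Thresholds would need tuning per site (a mailing-list owner legitimately exceeds them), and a flagged account is a prompt to suspend submission for that account rather than proof of compromise.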

4 Comments

  1. We had the same problem at Riseup this week, a user fell for a phishing scam and so thousands of spam emails were sent out through their account. Our mail server got onto a blacklist (just one – Lashback), and so we started seeing blocks by MSN/Hotmail and Indymedia(!). We’ve also seen blocks by Yahoo in the past, quite frequently in fact.
    At first I’d assumed that our issue was out of malice, an attempt at getting Riseup blocked rather than an attempt at sending spam. But given it’s happened to you too, then it may well be just people trying to send spam and that they’ve gone back to trying social engineering again now that more and more people have antivirus software. That and the fact that an authenticated email account is less likely to be detected as spam than a botnet.
    I notice from digging the university’s MX records that they’ve been changed recently, maybe in an attempt at circumventing the blocks? In large organisations where you have spare IP addresses then that’s fine to try, and may sometimes work, but when you’re running on the absolute minimum you’ve just got to work through getting unblocked.

  2. My employer (another ac.uk) has just come off a few blacklists too, due to a slightly different spamming issue.
    A problem was that staff members’ out-of-office replies were acting as a rather efficient spam-forwarding service: spammers had faked the original ‘From:’ addresses, so we were ‘returning’ spam to innocent parties, who understandably complained.
    The outcome is that the entire out-of-office reply functionality has been removed from the external mail system.

  3. What could be an idea is for staff members to have a separate outbound mailserver from students (on a different IP address) – so if the students’ one gets blocked, then the university can continue communicating.

  4. It’s a good idea, Richy, but in this case the stolen account details were those of a member of staff. I suppose we could have then used the ‘student’ mail server but it would still be an inconvenience.