3. Spammers abusing your webmail and/or remote message submission service using phished credentials.
I'll admit .. this has happened a few times too. Usually we see the incoming phish attempt and configure an outbound block for RE: (same subject) and it never fails .. we catch at least one person that responds. We've seriously considered sending our own phishing emails with a link that automatically disables anyone's account if they click it.
If your incoming spam blocks are effective then forwarding shouldn't be too much of a problem.
Never-ending game of cat & mouse. Our volume is 1.5-2m msg/day, and I'd say we catch ~95% of it .. but when a batch gets through and a third of our students have mail forwarded to Yahoo, from Yahoo's point-of-view, they just got 10,000 spam from our IPs.
For on-campus bots, block port 25 and ensure your MX servers can't be used as outgoing relays
We do that, as well as run daily reports on outbound ACL denies to see who's been compromised (or being naughty on purpose).
(i.e. put your outgoing relay service on a separate address). If you are lucky your colleagues chose a really obscure name (not mail.* or smtp.* etc.)
They did.
To protect against phished accounts, apply rate-limits to outgoing email. If you have good on-campus security hygiene then you can be much less strict about the limits for on-campus connections.
Anyone know how to do this in Domino off-hand? (without sending IBM a fat check) .. if so, I'd love to hear about it so I can tell our Lotus admins.

Cheers,

Michael Holstein
Cleveland State University
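The outgoing rate-limit idea discussed in this thread, sketched as an added example that is not part of the original messages and is not Domino configuration: a sliding-window recipient limit per authenticated account, stricter for off-campus connections than for on-campus ones. The campus network range, the limits, the window and the event tuple layout are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for illustration; none of these come from the thread.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical on-campus range
WINDOW_SECONDS = 3600
LIMITS = {"on_campus": 500, "off_campus": 50}        # recipients per account per window


class OutboundLimiter:
    """Sliding-window recipient counter per (authenticated account, zone)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, campus_nets=CAMPUS_NETS):
        self.limits, self.window, self.campus_nets = limits, window, campus_nets
        self.events = defaultdict(deque)   # key -> deque of (timestamp, rcpt_count)
        self.totals = defaultdict(int)     # key -> recipients counted in the window

    def zone(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return "on_campus" if any(ip in n for n in self.campus_nets) else "off_campus"

    def allow(self, account, client_ip, rcpt_count, now):
        """Return True if the message may go out; False means defer or reject."""
        key = (account, self.zone(client_ip))
        q = self.events[key]
        while q and q[0][0] <= now - self.window:    # expire entries older than the window
            self.totals[key] -= q.popleft()[1]
        if self.totals[key] + rcpt_count > self.limits[key[1]]:
            return False                             # refused mail is not counted
        q.append((now, rcpt_count))
        self.totals[key] += rcpt_count
        return True


def replay(events, limiter=None):
    """events: (ts, account, client_ip, rcpt_count). Returns {account: refused messages}."""
    limiter = limiter or OutboundLimiter()
    refused = defaultdict(int)
    for ts, account, ip, rcpts in sorted(events):
        if not limiter.allow(account, ip, rcpts, ts):
            refused[account] += 1
    return dict(refused)


# Constructed sample: "alice" sends from campus, "bob" from an off-campus address.
SAMPLE = ([(i * 60, "alice", "10.1.2.3", 20) for i in range(10)]
          + [(i * 10, "bob", "203.0.113.7", 20) for i in range(5)]
          + [(4000, "bob", "203.0.113.7", 20)])      # sent after the window has expired
```

The accounts returned by `replay` are the ones to review for compromise, in the same way as a daily report on outbound ACL denies.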