Someone gave away a password and Cornell email was blacklisted
By Bill Steele
You may have received emails claiming to be from the Internal Revenue Service with subjects like "Notice of unreported income" or "Your tax return has been delayed." These lead to websites where you are asked to enter your name, address, social security number and more.
All the stuff a criminal needs to steal your identity.
Or, the message may come with an attachment that installs malware to log your keystrokes -- including usernames and passwords -- or enlist your computer in a "botnet" that sends out more spam and viruses while you're home in bed.
An intruder doesn't need to take over a computer to send spam from a Cornell address. If a user can be tricked into giving away a NetID and password, the spammer can send mail directly through Cornell servers. Some people use the same password to log on at Cornell and other sites. Since the username for many sites is your email address, someone who hacks the site and obtains its passwords has the combination to hijack Cornell email. Compromised accounts are a much more common path for spamming than hacked computers, according to Wyman Miles, director of IT security for Cornell Information Technologies (CIT). He noted that using your NetID password for other sites violates university policy.
Last week an intruder managed to send thousands of spam emails out of Cornell. "When a computer or an email account is compromised it can send 10,000 to 20,000 emails an hour," said Chuck Boeheim, who manages the CIT email team. "When we detect an outgoing stream, the team responds by shutting it off as quickly as we can," he explained, "but by the time a human can notice and shut it down, enough has already gone out that the damage is done."
The "damage" is that Internet service providers (ISPs) identify mail coming from a Cornell server as spam, and all mail from our server is blacklisted. Cornell users trying to send legitimate email receive bounce messages saying their mail was rejected as spam.
Last week's incident triggered rejection by SpamCop, a service that filters messages for many smaller ISPs. Larger ISPs such as AOL, Time Warner or Comcast do their own filtering and sometimes block Cornell for the same reason. When that happens, Boeheim's team contacts the ISP and arranges to restore service. The blockage can last from an hour to a day, and in some cases can be terribly costly, as when a faculty member misses the deadline for a grant application.
Even though folks in the Cornell community are smarter than average, some still fall for "phishing" scams, like the current batch keyed to tax season. Such messages used to contain obvious tipoffs, but scammers have become more sophisticated. A message may contain a real IRS logo or the logo of your bank or credit card company, with URLs like "123.456.789.012/IRS.gov.html." That's not an IRS site; it's just a Web page with "IRS" in its filename. If you think something might be legitimate, look up the address and type it directly into your browser.
Learn more about securing your computer and your identity at http://www.it.cornell.edu/security/safety/index.cfm and see a report on the current IRS scams at http://www.it.cornell.edu/services/alert.cfm?id=1932.
Media Contact
Get Cornell news delivered right to your inbox.
Subscribe