E-mail Disrupted on Friday
Spam From Hacked Accounts Gets MIT Server Blocked
By Nick Bushak
Thousands of spam messages were sent using compromised Athena accounts early in the morning on Friday, Oct. 6, delaying some outgoing mail delivery.
Network administrators discovered the intrusion when they noticed that the server responsible for outgoing authenticated mail was under unusually high load late at night. They found the e-mail server attempting to deliver thousands of spam messages.
As a result of the intrusion, the server responsible for outgoing authenticated mail was put on a number of blacklists, including spamcop.net, which lists servers known to send spam, according to Jeffrey I. Schiller ’79, the network manager for Information Services & Technology. Other e-mail services like Yahoo, Gmail, and Hotmail use such blacklists to automatically reject incoming mail from e-mail servers known to be sending spam.
Although IS&T is not sure which blacklists each e-mail service uses, messages sent from MIT were rejected by some e-mail servers on Friday. According to Schiller, the MIT server was quickly removed from the blacklists before noon on Friday, and the e-mail problems cleared up later in the day as blacklists updated their records.
Hackers compromised a couple of Athena accounts, using the usernames and passwords to send e-mail via the Webmail system, according to Schiller. This was the first time MIT had seen such an attack, in which spammers used the authenticated e-mail server, which requires a valid Athena username and password, to send spam. Particularly interesting is that the spammers built a bot tailored to send the spam through the Webmail system.
IS&T does not know how the hackers got hold of the Athena usernames and passwords used to send the spam. The accounts could have been compromised by a variety of techniques, including keystroke loggers installed by hackers on users’ computers or interception of the passwords over a network, Schiller said.
IS&T is considering several options to reduce the risk of a similar attack occurring again. Because the attackers created a custom hack especially designed for MIT, Schiller said, “Now that they’ve found us, they will be back again.”
Among the options being considered to reduce further risk are a rate limit for sending mail via the authenticated mail server and a CAPTCHA field used during login to the Webmail system. A CAPTCHA field would confirm that a user is a person, and not an automated program. It would require the user to type a combination of letters and/or numbers found in an image before logging on to the Webmail system.
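The per-account rate limit mentioned above, shown as an added example rather than IS&T's own implementation: a sliding-window limiter keyed on the authenticated account, replayed over constructed submission records in which one account behaves like the bot-driven accounts in the story. The account names, thresholds and event values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of authenticated-submission events as (unix time,
# account, recipient count). "jdoe" models normal use; "bot_victim" models a
# compromised account driven by a bot. Made-up values, not MIT's logs.
SAMPLE_EVENTS = sorted(
    [(1000 + i * 600, "jdoe", 1) for i in range(5)]        # 5 mails over 40 min
    + [(2000 + i, "bot_victim", 20) for i in range(30)]    # 600 rcpts in 30 s
)


class SubmissionRateLimiter:
    """Per-account sliding-window cap on recipients accepted per window."""

    def __init__(self, max_recipients=100, window_seconds=3600):
        self.max_recipients = max_recipients
        self.window_seconds = window_seconds
        self._recent = defaultdict(deque)  # account -> deque of (time, rcpts)
        self._totals = defaultdict(int)    # account -> rcpts inside window

    def allow(self, ts, account, rcpts):
        """Return True and record the message if it fits under the cap."""
        q = self._recent[account]
        # Expire events that have slid out of the window.
        while q and q[0][0] <= ts - self.window_seconds:
            self._totals[account] -= q.popleft()[1]
        if self._totals[account] + rcpts > self.max_recipients:
            return False  # over the cap: reject, leave the window unchanged
        q.append((ts, rcpts))
        self._totals[account] += rcpts
        return True


def replay(events, limiter):
    """Feed time-sorted events through the limiter; return rejections per account."""
    rejected = defaultdict(int)
    for ts, account, rcpts in events:
        if not limiter.allow(ts, account, rcpts):
            rejected[account] += 1
    return dict(rejected)


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, SubmissionRateLimiter()))  # {'bot_victim': 25}
```

The normal account never touches the cap, while the bot-driven account is cut off after its first 100 recipients, which is the kind of early signal that would have limited the damage before the server landed on blacklists.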