
Phishing Attack

Overview

Steps to follow when responding to a phishing attack or a computer sending spam email.

Symptoms

Email is running slowly, or Cathy Taylor (IPD) calls regarding their email delivery.

Or someone calls stating that they sent their password and ID to someone. 

Resolution

These are the steps to resolve the problem.

  1. Go to Queue Viewer if you do not know the offender's name
    1. Check average number in queue
    2. Average is 40 - 90
    3. Anything over 200 is usually a sign of trouble.
      1. If it takes more than a minute to open Queue Viewer you have a problem
      2. We have seen more than 80,000 in the queue.
  2. If you know who the offender is, change the password immediately.
  3. Filter on person's name
    1. Change password
    2. Go to Account tab and set account to expire yesterday
    3. Go to Exchange Features tab and disable features
    4. Disable account in Active Directory
    5. In Queue Viewer, highlight and suspend the larger queues (such as Comcast) until you finish with step 4
  4. In Queue Viewer filter on this account name
    1. Press Ctrl+A to select all
    2. Right-click and choose the option "delete without NDR" (non-delivery report)
    3. Repeat until queue stops filling with email (this can take up to an hour or more).
  5. Security (Bill Maki) notifies user
    1. Tell user about the change of password
    2. Remind them to change this password wherever it is used
  6. Check the super user Exchange account to do the following:
    1. Access the user's mailbox.
    2. Look for rules, forwarding, signature and out of office changes on this account.
    3. Review deleted items for valid messages that need to be in the inbox.
    4. Hard delete NDRs from deleted items (or wherever else they may be) by sorting and selecting those NDR messages and using Shift+Delete (Warning: err on the side of not deleting a good message).
  7. In Active Directory re-enable the account
  8. Security notifies the user that the account is now available to them.
  9. Kelvin should send a message to campus reminding them of the university's position on responding to bogus email.
  10. Check for any blacklisting that may have transpired
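
The checks in steps 1, 4 and 6 can also be gathered in one read-only pass from the Exchange Management Shell. The script below is an added example, not part of the original procedure; it assumes Exchange 2010 or later, and the function name `Get-PhishingTriage` and its parameter names are hypothetical.

```powershell
# Added example: read-only triage for steps 1, 4 and 6 of the procedure above.
# Assumptions: Exchange 2010 or later, run in the Exchange Management Shell on a
# transport server (Get-Queue and Get-Message report on the local server only).
# Function and parameter names are hypothetical. Nothing here changes or deletes data.
function Get-PhishingTriage {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,  # suspected account
        [int]$QueueThreshold = 200                        # step 1: over 200 is usually trouble
    )

    # Step 1: queues holding more messages than the threshold.
    $bigQueues = Get-Queue |
        Where-Object { $_.MessageCount -gt $QueueThreshold } |
        Select-Object Identity, NextHopDomain, Status, MessageCount

    $mbx  = Get-Mailbox -Identity $Mailbox
    $smtp = $mbx.PrimarySmtpAddress.ToString()

    # Step 4: messages from this sender still sitting in the queues.
    $queued = @(Get-Message -Filter "FromAddress -eq '$smtp'" -ResultSize Unlimited)

    # Step 6: inbox rules that forward, redirect or delete mail.
    $rules = Get-InboxRule -Mailbox $Mailbox |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                       $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

    # Step 6: out of office state (the message text still needs a manual read).
    $autoReply = Get-MailboxAutoReplyConfiguration -Identity $Mailbox

    # One object per run, so results can be saved with the incident notes.
    New-Object PSObject -Property @{
        Mailbox               = $smtp
        QueuesOverThreshold   = $bigQueues
        QueuedFromSender      = $queued.Count
        SuspiciousRules       = $rules
        ForwardingAddress     = $mbx.ForwardingAddress
        ForwardingSmtpAddress = $mbx.ForwardingSmtpAddress
        DeliverAndForward     = $mbx.DeliverToMailboxAndForward
        AutoReplyState        = $autoReply.AutoReplyState
    }
}

# Usage (constructed sample account name):
# Get-PhishingTriage -Mailbox 'jdoe' | Format-List
```

Signature changes are not covered by this script and still need the manual check in step 6.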
Last modified
15:58, 14 Aug 2014
