Steps to follow regarding phishing attacks or computer sending spam emails.
Email is running slow or call from Cathy Taylor (IPD) regarding their email delivery.
Or someone calls stating that they sent their password and ID to someone.
These are the steps to resolve the problem.
- Go to Queue Viewer if you do not know the offender's name
- Check average number in queue
- Average is 40 - 90
- Anything over 200 is usually a sign of trouble.
- If it takes more than a minute to open Queue Viewer you have a problem
- We have seen more than 80,000 in the queue.
- If you know who the offender is you change password immediately.
- Filter on person's name
- Change password
- Go to Account tab and set account to expire yesterday
- Go to Exchange Features tab and disable features
- Disable account in Active Directory
- In Queue Viewer highlight and suspend the larger queues like comcast until you finish with step 4
- In Queue Viewer filter on this account name
- Ctl A to select all
- RIght Click and choose option "delete without NDR" (Non-deliverable receipt)
- Repeat until queue stops filling with email (this can take up to an hour or more).
- Security (Bill Maki) notifies user
- Tell user about the change of password
- Remind them to change this password wherever it is used
- Check the super user exchange account to do the following:
- Access the users mailbox.
- Look for rules, forwarding, signature and out of office changes on this account.
- Review deleted items for valid messages that need to be in the inbox.
- Hard delete NDRs from deleted items (or wherever else they may be) by sorting and selecting those NDR messages using Shift Delete (Warning - error on the side of not deleting a good message).
- In Active Directory re-enable the account
- Security notifies the user that the account is now available to them.
- Kelvin should send message to campus reminding them of the university position on responding to bogus email.
- Check for any blacklisting that may have transpired