by jacques_chester 4865 days ago
> Train your users where it is and isn't safe to enter credentials.

This demonstrably doesn't work. It reduces but cannot eliminate all instances of phishing.

> Don't give your users credentials. Have some alternate way to authenticate them like a login token.

Better, but scrounging up a few million pounds for dongles, plus the non-stop cost and effort of replacing lost and stolen dongles, is not easy for a university, no matter how famous.

> Put rate limiting on the ability of a single account to send out emails.

Many users have legitimate reasons to send out mass emails.

> Instead of blocking the site that was collecting the credentials, a better solution would have been to remove the email from the mailboxes of all the students.

Phishing emails are often varied into multiple templates to avoid being scrubbed this way.

They also tend to trickle in at random, rather than turning up all at once.


Here's my suggestion: Rate limit the emails at a very low number, and require higher privileges for sending mass emails which must be granted on a per-mailout basis. Users that know they're going to send out a high volume would get an access token from IT (the process for doing so would have to strike a balance of convenience and security).
Does two-factor auth have to be that expensive to implement these days? I've experimented with building it against Google Authenticator (free, runs on any modern smart phone) and it's ridiculously easy to get up and running - it's a few lines of Python https://github.com/tadeck/onetimepass/blob/master/onetimepas...

Doesn't solve the problem of users without smart phones though, which I imagine is still not ignorable at most universities.

With Google Apps itself you can print a list of codes to carry with you. Is that possible with the Open Source/Google Authenticator version?
Yes, google-authenticator prints out a list of unlock codes when you run it. You can add extra ones to the file it puts in your home directory whenever you want.
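To make concrete what "a few lines of Python" means for the Google Authenticator scheme discussed above, and how the printed backup codes fit in, here is an added example that is not code from the original thread, from the onetimepass library linked above, or from google-authenticator. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits), verifies a submitted code with a drift window, and manages a set of single-use backup codes stored only as digests. The secret is the RFC 6238 test secret; the backup-code format and the one-step drift window are assumptions of this example, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test secret ("12345678901234567890" in ASCII), base32-encoded as an
# authenticator app would receive it. Real deployments generate a random secret per user.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32, candidate, at, window=1, step=30):
    """Accept the code for the current step or up to `window` steps either side,
    to tolerate clock drift on the phone. Compare in constant time so a wrong
    code does not reveal how many digits matched."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, (at // step) + drift)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def generate_backup_codes(n=10):
    """Emergency one-time codes for users without a smartphone (assumed 8-digit format).
    Returns the plaintext list to print once and the SHA-256 digests to store server-side."""
    codes = ["%08d" % secrets.randbelow(10 ** 8) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def use_backup_code(stored_digests, candidate):
    """Consume a backup code: valid only if its digest is stored, and removed on use
    so the same printed code cannot be replayed."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    if digest in stored_digests:
        stored_digests.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # At T=59 the RFC 6238 SHA-1 vector is 94287082; the 6-digit form is its last six digits.
    print("TOTP at T=59:", totp(RFC_SECRET, 59))
    codes, stored = generate_backup_codes(3)
    print("backup codes to print once:", codes)
    print("first code accepted:", use_backup_code(stored, codes[0]))
    print("same code again:", use_backup_code(stored, codes[0]))
```

The server must also record the last accepted counter per user and refuse anything at or below it; otherwise a phished code stays valid for the whole drift window, which is exactly the replay a phishing kit relaying credentials in real time relies on.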
If you place rate limiting on email accounts by default and then for the lower percent of users that need a higher rate do it on a case-by-case basis. In my experience most users that fall victim to these types of phishing attacks do not need to send high volumes of emails.
Oxford already has rate limiting. 1000 messages per hour through their servers, it seems [0].

The next step would be to filter outbound traffic to block SMTP from compromised PCs. It seems they have an outbound firewall, but it's not obvious which ports are closed because the list of blocked ports is ... blocked[1].

[0] http://blogs.oucs.ox.ac.uk/adamweblearn/2011/12/weblearn-una...

[1] http://www.oucs.ox.ac.uk/network/firewall/blocks/

The 1000 limit seems like a high number, why would a legit user need to send that much email out? I'd think a much smaller number like 5 per hour would be better.
> 5 per hour

You're a lecturer with 200 people in your class. That's 2 days. Does the lecturer have to leave their computer all the time? Is their email programme going to handle this sort of delay? What do you do if the lecturer wants to send an email about updated homework due in a few days? Some students will have a 2 day head start, is that fair? Do you have to give them extra time/marks?

You're the first year faculty advisor. There are 1,000 people in that year. That's 1 week. Same questions as above.

(And in case you think "Well let the lecturers send more", what makes you think the lecturers aren't the problem in the first place?)

Academics send mass emails.

Calls for Papers / Articles is the classic reason. The IEEE and the ACM might have proper mailing lists for that sort of business ... most academic fields do not.

Edit: I think they could lower the rate more and push mailing lists, but on the other hand a lot of users simply wouldn't notice that they're rate limited. Which could lead to entirely different brand of lulz.

1000 mails/h is definitely too much - it's 16 mails per minute(!). I think something around 60 - 100 mails per hour is more reasonable, to cater for cases like lots of one-liner exchanges.
Just use more than one outbound mail server. All "normal" mail goes through a server that's rate-limited heavily -- a few dozen an hour, at the most. Bulk email has to be sent through a separate outbound mail server, and there can be much more scrutiny on what goes through that -- because the legitimate "mass mailings" are going to be comparatively rare, and are probably worth having someone take a look at them, to make sure they're OK.
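The policy sketched across the replies above (a low default limit, with mass mailouts needing a per-mailout authorisation from IT and going through a separate, more closely watched route) can be written down as a small piece of admission logic. This is an added example, not code from the thread or from Oxford's mail setup: the 60-recipients-per-hour default, the sliding one-hour window, the token lifetime and the single-use rule are all assumptions chosen to illustrate the design. It counts recipients rather than messages, because a phishing blast to 200 addresses in one message is the case the limit exists for.

```python
import secrets
from collections import defaultdict, deque

DEFAULT_RECIPIENTS_PER_HOUR = 60   # assumed default for the "normal" outbound server
WINDOW_SECONDS = 3600


class MailoutToken:
    """Per-mailout authorisation issued by IT for the bulk route (assumed design):
    bound to one sender, capped in recipients, time-limited and single-use."""

    def __init__(self, sender, max_recipients, expires_at):
        self.id = secrets.token_hex(8)
        self.sender = sender
        self.max_recipients = max_recipients
        self.expires_at = expires_at
        self.used = False


class OutboundPolicy:
    def __init__(self, limit=DEFAULT_RECIPIENTS_PER_HOUR, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)   # sender -> deque of (timestamp, recipient_count)
        self._tokens = {}

    def issue_token(self, sender, max_recipients, now, ttl=3600):
        """IT grants one mailout; the returned id is what the sender presents."""
        tok = MailoutToken(sender, max_recipients, now + ttl)
        self._tokens[tok.id] = tok
        return tok.id

    def _recent_recipients(self, sender, now):
        """Sliding window: drop entries older than `window`, sum what is left."""
        q = self._sent[sender]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return sum(n for _, n in q)

    def submit(self, sender, recipients, now, token_id=None):
        """Return (decision, route).
        Bulk route: needs a valid, unexpired, unused token for this sender whose cap
        covers the recipient count. Normal route: the sliding-window recipient budget."""
        n = len(recipients)
        if token_id is not None:
            tok = self._tokens.get(token_id)
            if (tok is None or tok.used or tok.sender != sender
                    or now > tok.expires_at or n > tok.max_recipients):
                return ("reject", "bulk")
            tok.used = True
            return ("accept", "bulk")
        if self._recent_recipients(sender, now) + n > self.limit:
            return ("reject", "normal")      # budget exhausted; not recorded
        self._sent[sender].append((now, n))
        return ("accept", "normal")


if __name__ == "__main__":
    policy = OutboundPolicy()
    students = ["s%d@example.ac.uk" % i for i in range(200)]   # constructed addresses
    print(policy.submit("lecturer", students, now=1000))               # ('reject', 'normal')
    tid = policy.issue_token("lecturer", max_recipients=250, now=1000)
    print(policy.submit("lecturer", students, now=1010, token_id=tid))  # ('accept', 'bulk')
    print(policy.submit("lecturer", students, now=1020, token_id=tid))  # ('reject', 'bulk')
```

A phished account that starts drip-sending one-recipient messages hits the same 60-per-hour budget as everyone else; the lecturer with a 200-student class is not slowed down for two days, but does have to go through a route where someone can look at the mailout first.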
> Better, but scrounging up a few million pounds for dongles, plus the non-stop cost and effort of replacing lost and stolen dongles, is not easy for a university, no matter how famous.

Additionally, what OSes will these dongles support? Would you rather have "Oxford University bans Windows XP" or "Oxford University bans iPhones"? etc.

Dongle is probably a misnomer here. While dongle probably means something you plug in to authenticate, many two-factor auth 'dongles' don't plug in at all. They have an LCD screen that shows a one-time-use token (6+ digit number) that you enter at the same time as your password.
USB HID spec is cross platform.
Verisign "dongles" can come on smartphones of all types, and on many operating systems. I even believe they have browser plugins, meaning even Linux would be supported. That is, if you think two-factor is necessary for university systems.

As far as email, there are several things to consider: One, that I would think it a rarity for a student, or even a teacher, to need to send a single email to more than a handful of /external/ email addresses at a time. Put an email firewall in place between your internal and external systems, and have IT security monitor that system for peaks in traffic, i.e. single users sending a lot of outbound mail. Obviously, there should be a spam filter going in AND out.

And yes, spam email does trickle in sometimes, and from different SMTP servers, but from the bit I've dealt with them, there are definite patterns that a person can pick up on when they're watching for it.
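The monitoring idea in the comment above (watch the internal-to-external boundary for single users whose outbound volume spikes, since few accounts legitimately mail many external addresses at once) can be turned into detection logic over a mail log. This is an added example, not code or data from the thread: the log line format is a constructed simplification rather than real mail-server output, the university domain is assumed, and the thresholds (an absolute floor of 20 distinct external recipients in an hour, and more than five times the sender's own median hourly count) are illustrative. The baseline is per sender, so a researcher who always mails a 15-address collaboration is not confused with an account that suddenly starts blasting webmail addresses.

```python
import re
import statistics
from collections import defaultdict

INTERNAL_DOMAIN = "example.ac.uk"   # assumed university domain

# Simplified log format: "<unix_ts> from=<sender> to=<recipient>", one recipient per line.
LOG_RE = re.compile(r"^(?P<ts>\d+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$")


def _constructed_log():
    """Constructed sample log, not captured traffic."""
    lines = []
    # alice: normal pattern, two external recipients per hour in hours 0-2 ...
    for h in range(3):
        for i in range(2):
            lines.append("%d from=<alice@example.ac.uk> to=<c%d@conf.org>" % (h * 3600 + 60 * i, i))
    # ... then a phishing kit uses her account to hit 40 distinct external addresses in hour 3.
    for i in range(40):
        lines.append("%d from=<alice@example.ac.uk> to=<victim%d@gmail.com>" % (3 * 3600 + 10 * i, i))
    # bob: faculty advisor mails 300 *internal* students in hour 3; never crosses the boundary.
    for i in range(300):
        lines.append("%d from=<bob@example.ac.uk> to=<student%d@example.ac.uk>" % (3 * 3600 + i, i))
    # carol: no history at all, 25 external recipients in hour 5; only the floor applies.
    for i in range(25):
        lines.append("%d from=<carol@EXAMPLE.ac.uk> to=<p%d@yahoo.com>" % (5 * 3600 + i, i))
    lines.append("not a log line")   # unparseable input is skipped, not fatal
    return lines


SAMPLE_LOG = _constructed_log()


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m.group("ts")), m.group("sender").lower(), m.group("rcpt").lower()


def is_external(addr, internal_domain=INTERNAL_DOMAIN):
    return not addr.lower().endswith("@" + internal_domain.lower())


def hourly_external_recipients(lines, internal_domain=INTERNAL_DOMAIN):
    """sender -> {hour_bucket: set of distinct external recipients}."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, sender, rcpt in parse_log(lines):
        if is_external(rcpt, internal_domain):
            table[sender][ts // 3600].add(rcpt)
    return table


def flag_peaks(table, floor=20, ratio=5.0):
    """Flag (sender, hour, count) when the hour's distinct external recipient count
    exceeds the absolute floor AND exceeds `ratio` x the median of that sender's
    other hours. A sender with no other hours has baseline 0, so the floor decides."""
    flagged = []
    for sender, hours in table.items():
        counts = {h: len(r) for h, r in hours.items()}
        for h in sorted(counts):
            others = [c for k, c in counts.items() if k != h]
            baseline = statistics.median(others) if others else 0
            if counts[h] > floor and counts[h] > ratio * baseline:
                flagged.append((sender, h, counts[h]))
    return flagged


if __name__ == "__main__":
    for sender, hour, count in flag_peaks(hourly_external_recipients(SAMPLE_LOG)):
        print("ALERT %s sent to %d distinct external recipients in hour %d" % (sender, count, hour))
```

Run over a real log this needs the same two things the comment asks of the humans watching the boundary: a notion of what each sender normally does, and a feed that separates external recipients from the internal mass mail a lecturer or advisor legitimately sends.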