Information Technology Systems and Services.
ITSS home


Technology news for UMD faculty, staff and students

Phishing and Password Security: Anatomy of an Email Slowdown

Compromised email accounts were the culprit in last summer's email slowdown.

The email slowdown that happened at UMD this past summer was the result of a few email accounts that were compromised (not any system or server security issue). These accounts were used to send 500,000 spam emails which were stopped by our spam filtering process. The server that does that was overwhelmed and had to be restarted. We've since taken action to improve monitoring of that server and automated a restart procedure if this sort of issue happens again.

We do a lot of things to try to prevent accounts from being compromised, such as closing accounts that go unused (e.g. from admitted students who never attend UMD, Alumni who cease using accounts, etc.). We also require passwords that include both uppercase and lowercase characters and numbers.

Additionally, we limit the access of accounts to few of our systems so that if they are compromised, they can't do as much harm.

Accounts typically get compromised in one of two ways: Phishing scams, or other accidental disclosure of passwords (often called "Social Engineering").

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed web site or otherwise get you to divulge private information (e.g., pass phrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.

The University and other reputable organizations will never use email to request that you reply with your pass phrase, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a web site or by replying to the message itself. Never reply to or click the links in a message. If you think the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

The second most common way to have your account compromised is by choosing a bad password or obvious security questions that can be used to reset your password. For instance, if you are on a nationally televised reality show and you call your dog by name on that broadcast, don't use your dog's name as a security question in your online photo vault. A good password should not be guessable by others. Punctuation and special characters help make the password more complex and difficult to break. Passwords must contain upper case letters, lower case letters, and punctuation/special characters. Adding numbers is also a good idea.

The Safe Computing Web site explains phishing and other safe computing issues in further depth.