noticeboard.ru.ac.za

2008/11/05 - Change In Mail Submission Policy
We've recently introduced a rate limit on outgoing e-mail sent via mail.ru.ac.za. Users of our webmail client can send e-mail to no more than a hundred recipients every hour, and people who use other e-mail clients can send e-mail to no more than a hundred recipients every half an hour. (Each e-mail address in the To:, Cc: or Bcc: field of an e-mail counts as a recipient, so the webmail limit means a hundred messages each with one recipient, or ten messages each with ten recipients, etc.)

We've been monitoring the volumes of e-mail sent over the last few days and a few people will very occasionally hit the rate limits. For the most part, this change will not affect people -- the limit of 100 recipients every 30 minutes is fairly generous, and you're unlikely to hit it with normal use.

If you do hit the rate limit when sending e-mail, the mail servers will temporarily refuse to accept mail from you. Depending on which e-mail client you use, you'll either see this as an error message or your client will simply re-queue the message and try again later. Either way, the solution is to wait at least half an hour and then re-send the message. Note that this may require that you close your e-mail client, wait half an hour, and then re-open it (this depends on how your client is configured to retry sending messages).

The primary reason we've introduced this change is to mitigate some of the risks posed by compromised user accounts. The precipitating factor was that over the course of the last weekend, several Rhodes users had their accounts compromised after they naively revealed their username and password to a spammer in a phishing scam.
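The behaviour described above (count every To:, Cc: and Bcc: address, refuse temporarily once a sender passes the limit in the window, accept again once the window has moved on) is easy to get subtly wrong, so here is an added example of a sliding-window recipient limiter. This is illustrative code written for this notice, not the configuration or software running on mail.ru.ac.za; the class and function names, the SMTP-style reply text and the constructed sample addresses are all assumptions.

```python
from collections import deque
from math import ceil


class RecipientRateLimiter:
    """Sliding-window limit on recipients per sender (hypothetical helper).

    Each accepted submission is recorded as (timestamp, recipient_count);
    submissions older than the window are discarded before every check.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit              # e.g. 100 recipients
        self.window = window_seconds    # e.g. 3600 (webmail) or 1800 (other clients)
        self._events = {}               # sender -> deque of (timestamp, count)

    def _prune(self, sender, now):
        q = self._events.setdefault(sender, deque())
        while q and now - q[0][0] >= self.window:
            q.popleft()
        return q

    def recipients_in_window(self, sender, now):
        """Recipients this sender has been allowed in the current window."""
        return sum(count for _, count in self._prune(sender, now))

    def submit(self, sender, to=(), cc=(), bcc=(), now=0):
        """Decide one message. Returns (accepted, smtp_reply).

        Every address in To:, Cc: or Bcc: counts once; duplicates are
        collapsed so the same address listed twice is one recipient.
        """
        recipients = {a.strip().lower() for a in (*to, *cc, *bcc) if a.strip()}
        n = len(recipients)
        if n == 0:
            return False, "503 5.5.1 no recipients"
        if n > self.limit:
            # Edge case: a single message larger than the whole allowance
            # can never be accepted, so fail it permanently rather than
            # asking the client to keep retrying.
            return False, f"552 5.5.3 too many recipients ({n} > {self.limit})"
        q = self._prune(sender, now)
        used = sum(count for _, count in q)
        if used + n > self.limit:
            retry_after = int(self.window - (now - q[0][0])) if q else 0
            # 4xx = temporary failure: a well-behaved client re-queues and retries
            return False, (f"451 4.7.1 rate limit: {used}/{self.limit} recipients "
                           f"used, retry after {retry_after}s")
        q.append((now, n))
        return True, "250 2.0.0 accepted"


def hours_to_send(total_recipients, limit, window_hours):
    """Simplified time to push a given number of recipients through the limit
    (one full batch per window)."""
    return ceil(total_recipients / limit) * window_hours


if __name__ == "__main__":
    # Constructed sample: the webmail limit, 100 recipients per hour
    rl = RecipientRateLimiter(limit=100, window_seconds=3600)
    bulk = [f"user{i}@example.com" for i in range(100)]
    print(rl.submit("someone@ru.ac.za", to=bulk, now=0))          # accepted
    print(rl.submit("someone@ru.ac.za", to=["x@example.com"], now=1800))  # 451, retry
    print(rl.submit("someone@ru.ac.za", to=["x@example.com"], now=3600))  # accepted again
    print(hours_to_send(44_000, 100, 1) / 24, "days")            # about 18 days
```

The `hours_to_send` helper is only a rough model (it assumes a sender fills every window exactly), but it shows where the "eighteen days" figure in the notice comes from under the webmail limit: 44,000 recipients at 100 per hour is 440 hours.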

The scam in question was a web site residing off-site (specifically at http://ru.ac.za.technical-supports.com/) that was set up to mimic the University's normal webmail client. A screenshot of the site is shown below:
[Screenshot of the phishing site, with the tell-tale mistakes marked in red: image not reproduced here]

The users who fell for the scam did not verify that the site they were visiting was actually at Rhodes (technical-supports.com obviously isn't ru.ac.za), or that it was a secure site. These mistakes are shown in red on the screenshot above. Because the site looked like Rhodes' site, they entered their Rhodes credentials and consequently gave them to the attackers. This is exactly the same sort of confidence trick and identity fraud that affects users of Internet banking sites.

As a direct consequence of this, over the course of six hours on Sunday morning approximately 44,000 SPAM messages were sent from a Rhodes user's e-mail account to various recipients worldwide. Predictably, this got the University's e-mail servers blacklisted as a known originator of unsolicited e-mail. At present the University is still blacklisted by a number of sites, most notably Yahoo! mail.

The change we've just made will reduce the impact of such an event (it'd now take eighteen days to send the same volume of mail that was sent in six hours on Sunday). It will not, however, prevent such phishing attempts from happening again, nor will it mitigate the risk of confidential or personal information being leaked. Users are strongly encouraged to make sure they carefully validate any web site that asks for personal information such as banking details, usernames and passwords, or identity information.
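The two checks the notice asks users to make (is the site really under ru.ac.za, and is it a secure site?) are exactly the checks a browser's address bar answers, and they are easy to state in code. The following is an added example, not anything from the original notice or from Rhodes IT: it applies those two checks to a URL and reports what is wrong, using the phishing address quoted above as one of the constructed test inputs. The function name and the wording of the problem strings are assumptions.

```python
from urllib.parse import urlparse


def check_site(url, trusted_domain="ru.ac.za"):
    """Return a list of problems with a login URL; an empty list means it passes.

    Hypothetical helper. Two checks mirror what a user should look for:
      1. the connection is HTTPS (a "secure site");
      2. the host name is the trusted domain or a subdomain of it, judged by
         the RIGHT-most labels. "ru.ac.za.technical-supports.com" is a
         subdomain of technical-supports.com, no matter what it starts with.
    """
    problems = []
    parsed = urlparse(url)

    if parsed.scheme.lower() != "https":
        problems.append("not https")

    # .hostname drops any "user:pass@" prefix and the port, so tricks like
    # https://mail.ru.ac.za@evil.example/ resolve to the real host, evil.example
    host = (parsed.hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    if not (host == trusted or host.endswith("." + trusted)):
        problems.append(f"host not under {trusted}")

    return problems


if __name__ == "__main__":
    # Constructed sample URLs; only the first is the genuine pattern
    samples = [
        "https://mail.ru.ac.za/",                       # passes both checks
        "http://mail.ru.ac.za/",                        # right host, not secure
        "http://ru.ac.za.technical-supports.com/",      # the phishing site quoted above
        "https://ru.ac.za.technical-supports.com/",     # secure, but wrong host
        "https://mail.ru.ac.za@evil.example/",          # userinfo disguise
        "https://evil.example/ru.ac.za/webmail",        # trusted name only in the path
    ]
    for u in samples:
        print(u, "->", check_site(u) or "ok")
```

The point of the second check is that a valid certificate and a padlock icon only tell you the connection to *that* host is encrypted; they say nothing about whether that host belongs to the organisation you think it does.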