
Your Mailbox Is Over Quota

Posted 27 Aug 2011

Your mailbox is over quota. At least, that is what the sender wants you to believe. The email typically contains a dire warning that your email will be cut off unless you follow the link and re-verify your account.

Unfortunately, the email is a scam. It is a phishing attempt to collect login credentials for later use. The link in the email points to a website that is not controlled by the email service provider. Usually these websites are horribly obvious fakes; however, sometimes the phisher takes the time to clone the service provider's web pages to produce a more realistic phish. Once a user has fallen for the phish, the login credentials are used in a spam campaign or stealthily used as a stepping stone in an advanced persistent threat (APT).
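The tell described above, a link whose destination is not a domain the provider controls, is something a mail gateway or a user's own triage script can check mechanically. The following is an added example, not code from the original post: it parses a message, pulls every `<a href>` out of the HTML body, and flags links whose registrable domain is outside the provider's allow-list, combined with the lure phrases this scam family uses. The provider domain `example-mail.com`, the allow-list, the lure phrase list and both sample messages are constructed for illustration; the `From` header is checked only for reporting, since it is trivially spoofed and the phish deliberately matches it to the provider.

```python
"""Flag 'over quota' phishing by checking where the links actually lead.

Added example; not code from the original post. The provider domain,
allow-list, lure phrases and sample messages are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the (hypothetical) mail provider actually controls.
PROVIDER_DOMAINS = {"example-mail.com"}

# Constructed: phrases typical of the "over quota" lure.
LURE_PHRASES = ("over quota", "re-verify", "will be cut off", "verify your account")

# Constructed phish: the From header matches the provider, but the link
# lands on a lookalike host under a reserved .invalid TLD.
SAMPLE_PHISH = """From: Mail Administrator <support@example-mail.com>
To: user@example-mail.com
Subject: Your Mailbox Is Over Quota
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Your email will be cut off unless you
<a href="http://example-mail.com.account-verify.invalid/login">re-verify your account</a>
within 24 hours.</p>
</body></html>
"""

# Constructed legitimate notice: the link stays on the provider's domain.
SAMPLE_LEGIT = """From: Mail Administrator <support@example-mail.com>
To: user@example-mail.com
Subject: Storage usage notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is nearing its storage limit. Manage storage from
<a href="https://example-mail.com/settings/storage">your settings page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain.

    A production check should consult the Public Suffix List so that
    hosts under suffixes like co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: str, provider_domains=PROVIDER_DOMAINS) -> dict:
    """Return a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    collector = LinkCollector()
    collector.feed(text)

    # Links whose destination domain the provider does not control.
    off_domain = []
    for href, label in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, anchors, etc. carry no destination host
        if registrable_domain(host) not in provider_domains:
            off_domain.append((href, label.strip()))

    lowered = text.lower()
    lure_hits = [p for p in LURE_PHRASES if p in lowered]

    return {
        "sender_domain": sender,
        "off_domain_links": off_domain,
        "lure_phrases": lure_hits,
        # Off-provider link plus lure wording is the combination to quarantine.
        "suspicious": bool(off_domain) and bool(lure_hits),
    }


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The sender domain is reported but never trusted: in the constructed phish it is identical to the provider's, which is exactly why the link destination, not the `From` header, is the signal worth acting on. A gateway that quarantines on this verdict also gives the "go directly to the provider's website" advice a technical backstop, since the user never sees the lookalike link.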

When the compromised account is used in a spamming campaign, the email is much more difficult to block. Large organizations that rely on reputation services are caught off guard because the spammer is using an account that has already passed the security perimeter and is completely whitelisted or sending under relaxed filter rules. Antivirus software is essentially useless because the email does not directly contain anything that is inherently malicious. If the compromised account is used as part of an APT, the account owner or IT department may not discover the malicious use for quite a while.

A layered defense is always the most effective. User education is layer one. Account owners need to be reminded that their email service provider or their IT department will never ask for their password. Train users to verify communications through proper channels. Instead of following the link in the email, the user should go directly to their service provider's website for information. Reputation services are a good second layer. All of the major browsers include URL filtering functions. Some antivirus vendors also provide browser plugins. Layer three is separation. When possible, use different passwords for different sites or use two-factor authentication.

When in doubt, delay and contact your service provider or IT department. A little extra caution is safer than any side effects from the dire warnings in the phish email.
