Slashdot Mirror


Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and Best Buy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobil and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"

4 of 117 comments

  1. They have usernames/passwords, right? by khasim · Score: 5, Insightful

    Port 25 is usually for server to server SMTP transmissions.

    If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin set up).

    That is why companies should block outgoing port 25 connections from everything except their own mail servers.

  2. Re:Companies can restrict outbound port 25 connect by db32 · Score: 5, Insightful

    I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all, checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using Exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay, be it part of the firewall or a Sun box or something, rather than allowing the win/Exchange boxes to talk directly to the net.

    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, MySpace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/MySpace/IM friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breaches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.

    --
    The only change I can believe in is what I find in my couch cushions.
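
One way to check the egress rule that khasim and db32 describe (outbound TCP/25 only from the mail relay), added here as an example and not code from the thread. The log format, the internal range `10.0.0.0/8` and the relay address `10.0.0.25` are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example (not from the thread):
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_RELAYS = {ipaddress.ip_address("10.0.0.25")}  # only host allowed out on 25

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2006-10-12T09:14:01 ACTION=ALLOW SRC=10.0.0.25 DST=198.51.100.10 PROTO=TCP DPT=25
2006-10-12T09:14:02 ACTION=ALLOW SRC=10.1.4.23 DST=203.0.113.5 PROTO=TCP DPT=25
2006-10-12T09:14:02 ACTION=ALLOW SRC=10.1.4.23 DST=203.0.113.77 PROTO=TCP DPT=25
2006-10-12T09:14:03 ACTION=ALLOW SRC=10.1.4.23 DST=192.0.2.40 PROTO=TCP DPT=25
2006-10-12T09:14:04 ACTION=ALLOW SRC=10.1.7.8 DST=10.0.0.25 PROTO=TCP DPT=587
2006-10-12T09:14:05 ACTION=ALLOW SRC=10.1.7.8 DST=10.0.0.25 PROTO=TCP DPT=25
2006-10-12T09:14:06 ACTION=DROP SRC=10.1.9.2 DST=198.51.100.10 PROTO=TCP DPT=25
truncated or malformed line
"""

def audit_smtp_egress(log_text, relays=APPROVED_RELAYS, internal=INTERNAL_NET):
    """Summarise internal hosts, other than approved relays, that tried to
    reach TCP/25 outside the network. 'allowed' counts show a firewall gap;
    'blocked' counts show a host worth inspecting for a spam bot."""
    hits = defaultdict(lambda: {"allowed": 0, "blocked": 0, "dsts": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # submission ports (465/587) and other traffic are out of scope
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # skip lines missing or garbling an address
        # Outbound only: internal source, external destination, not the relay.
        if src not in internal or dst in internal or src in relays:
            continue
        rec = hits[str(src)]
        rec["allowed" if f.get("ACTION") == "ALLOW" else "blocked"] += 1
        rec["dsts"].add(dst)
    return {ip: {"allowed": r["allowed"], "blocked": r["blocked"],
                 "destinations": len(r["dsts"])} for ip, r in hits.items()}

if __name__ == "__main__":
    for host, summary in audit_smtp_egress(SAMPLE_LOG).items():
        print(host, summary)
```
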
  3. Re:Companies can restrict outbound port 25 connect by paeanblack · Score: 5, Insightful

    "You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases."

    That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.

    You seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.

  4. Re:Actually, here's the complementary thought by lukas84 · Score: 5, Insightful

    The problem is that the whole story is two-sided.

    It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (I mostly work for our customers, and do our internal IT as a side job).

    People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.

    IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.

    The consequences are that Users and IT People don't trust each other. And this is bad, very bad.

    IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and I think it helps with both morale and problem resolution.

    We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are better than properly securing this (e.g. buying 802.1x switches and segmenting clients into VLANs according to their identification).

    Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that I can sit around and read Dilbert all day long".