Tuesday, January 24, 2012

Some Calvin e-mail accounts compromised

Calvin community member,

Near the end of last week, CIT discovered a handful of Calvin student and faculty/staff email accounts that were delivering spam email across the internet. As a result, you may have noticed delayed email delivery or email that was returned to you and designated as undeliverable. CIT was able to prevent over one million spam messages from reaching their intended destinations. Unfortunately, enough spam messages were delivered from calvin.edu addresses that other email services on the internet flagged the calvin.edu domain as suspect. As a result, mail providers such as Comcast and AOL were not delivering calvin.edu email to their customers for a period of time. In addition, due to the large volume of spam, our mail delivery server was overloaded and legitimate email was not delivered in a timely fashion. CIT and Information Security are monitoring this situation closely and doing their best to limit damage and loss of productivity.

None of the Calvin email account holders were purposely delivering spam. Rather, their accounts were being abused by someone else to propagate massive amounts of spam across the internet. One of the most common ways this happens is through email phishing, in which passwords are acquired from the account holder.

Your Calvin passphrase unlocks all kinds of sensitive information. Such information includes private and confidential information, intellectual property, and College proprietary information. It is important that you always protect your Calvin passphrase and never give it to anyone. Furthermore, Calvin employees will never ask you for your passphrase, especially in an email (see http://www.calvin.edu/it/policies/AUP.pdf).

If you suspect that your passphrase has been compromised, or you willingly made it known to someone, it is your responsibility to change your passphrase immediately. This is easily done from the link on the Calvin College portal login page (https://www.calvin.edu/cgi-bin/chpass.pl). Although we enforce an annual passphrase change, there is no harm in changing your passphrase more regularly as a good security measure. This is especially prudent after a security incident.

CIT and Information Security have worked hard in the background to minimize the effects of this incident on you. Please continue to partner with us in maintaining a safe and secure computing environment here at Calvin.

For more information on phishing, please read the following article: Cyber Security 2011: Phishing Attacks

Adam P. Vedra
Information Security Officer
Calvin College