Box of Meat antispam blog has a link to an article on ZDNet: 1.5m spam emails sent from compromised University accounts. Some excerpts:
“Hackers gained access to the University of Otago staff email server recently and used it to send out an estimated 1.55 million spam emails in 60 hours, after tricking four staff members into revealing their login details. The huge volume of spam mail resulted in legitimate emails being rejected or delayed by other systems, information services manager Mike Harte said. They were re-sent once the spam attack was over. The staff members responded to “spear phish” emails which claimed to be from the IT department and asked people to reconfirm their user names and passwords or their email access would be withdrawn.”
The spammers didn’t just abuse the clean IP reputation of the University, they also had its mail servers blacklisted thereby causing a DoS attack to its staff and students.
I can personally confirm that education institutions are one of the worst offenders for having email accounts compromised and then having spammers start spewing out a whole pile of spam through those accounts. The result is that the service’s outbound IPs get tarred and feathered across certain receivers of email and certain blocklists.
I’d like to say that those guys (universities) need to crack down on security and protect their passwords, but it’s a tall order. How do you monitor an entire population of students and faculty? Even if 99.9% of people in a 20,000 person campus keep their passwords secure, there are still 20 people who might hand them over. That’s plenty for a spammer to abuse.