Hypocrisy

As some of you found out yesterday, our friends in the Microsoft e-mail department "blacklisted" Penn State e-mail. This that e-mail to recipients with .live.com or .hotmail.com addresses was blocked by Microsoft's incoming e-mail servers. The stated reason was too much SPAM originating from .psu.edu to those e-mail addresses.

Here's the irony. Most of that SPAM is due to "phished" Penn State e-mail accounts, where our account holders are asked to verify their userid and password and reply with them in e-mail (By the way... WE WILL NEVER ASK YOU TO DO THIS!). In many cases, the replies go to what I'd call loosely vetted, ephemeral addresses. By "loosely-vetted" I mean identities which may be obtained quite easily without much proof of identity (e.g. login or sign-up here...). Examples of these types of addresses are GMail, live.com, Yahoo!, Hotmail accounts. By "ephemeral" I mean that once the "phish" replies start coming in, the provider is notified and the accounts are terminated. Of course, our "phish"ers ("phishermen?") obtain another account tomorrow from these same providers. In the meantime they have access to a whole new set of IDs and passwords to SPAM and carry out further "phishing" schemes.

From what I've seen, GMail doesn't do this blocking because they know they are part of the problem. The other loosely-vetted, ephemeral e-mail providers don't seem to see it that way. A group that I belong to, the Higher Ed e-mail Administrators list, has a project to keep track of these addresses and leverage the "Wisdom of the Crowds." I think it's a good effort and those who subscribe to these lists often save themselves a world of hurt by heading the scam off early.

If you look at phishing attempts at all (I get 20-40 per day), take a survey of where the "Reply-to:" address is pointed. If it's hotmail or live.com, I think I know where I'm going to send those from now on.

Of course, I might not be able to get through...