Home / Blogs

Why are *.edu’s Compromised so Much?

When it comes to the problem of outbound spam, one of the experiences that I have, and this was reaffirmed at TechEd, is that the number one source of compromised accounts are educational institutions. That is to say, whenever we have an outbound spam problem and have to hunt down where it is coming from, the highest number of these accounts are phished accounts/credentials from users at an educational institution.

Why is this? Why does so much spam originate from universities? Why don’t we see the equivalent in the corporate world?

I don’t know the answer. However, I will put forth a couple of theories:

  1. Universities have more lax security regulations. Higher education is stretched for funds and IT administrators just don’t have the time to enforce security updates, install A/V software, and/or they allow students to download all sorts of nefarious things (bit torrents, shareware, etc). This software contains keystroke loggers or something similar which steals user credentials and sends them back to the phisher. In other words, lack of security patching combined with users who takes risks is what contributes to the phished account problem.
  2. Universities allow games to run on their computers, and malware targets these games. This is a theory I have and it is similar to (1) above. One of the most commonly occurring worms in the home user world is the Taterf worm which targets user credentials for MMORPGs like World of Warcraft. Taterf spreads via USB thumb drives and misconfigured network mapped drives. Users trade their USB keys and stuff between each other, and this malware grabs user credentials. Since many people use their email addresses as their login information, and passwords as well, phishers inadvertently started collecting email credentials as well. A nice byproduct. But the point is that students are the ones installing all sorts of games and not taking security precautions, resulting in the spread of malware.
  3. Students fall for phishing scams more often. I have no evidence for this, but if students (or possibly staff and faculty) have a higher rate of spamming then that implies that they fall for phishing scams more often. Spam in their inbox that says “Please click on this in order to ensure that you have the latest software” which really installs malware, or steals credentials, is the result of the phish. Students may not have as much experience with computers and then once they hit school, they get one for free. But with new email accounts comes new experiences that they are not familiar with, and hence, they fall for scams.

None of these explanations is really satisfying to me. It’s possible that it is a combination of the three of them, and also others that I have not heard of.

By Terry Zink, Program Manager

Filed Under


Hmm.. I'm not so sure about your numbers.. Valdis Kletnieks  –  Jun 16, 2010 6:00 PM

You specifically state “That is to say, whenever we have an outbound spam problem and have to hunt down where it is coming from, the greatest number…”

Now let’s take a step backwards. You have an *outbound* spam problem. So who’s really got the issue here? (Hint - why do you have enough outbound connections using phished .edu credentials that you feel the need to chase down the source?)

OK - let’s try running it the other way and assume you were confused about the words “in” and “out”, and you’re being barraged by *inbound* spam from compromised .edu webmails.  Is it simply because you’ve already blacklisted large swaths of address space because it’s Comcast cablemodem space so direct-to-MX doesn’t work, etc, and you only accept mail from a very limited number of sites?

So you get hit with what looks like “.edu’s have problems” merely because .edu’s have more webmail servers that you’re willing to accept mail from. So you block 95% of crap from ISP’s out in .com and .net, accept from .edu webmails - and then are surprised that most of what you accept is from .edu’s.  That’s called “confirmation bias”.

Valdis, microsoft hosts email for quite a lot of universities Suresh Ramasubramanian  –  Jun 19, 2010 1:04 AM

So I guess when Terry's saying .edu users get phished more than corporate users do, he's got something tlike that in mind when he says "phished .edu users and outbound spam"

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API