Like many academics, I think that many security policies and procedures are a tad draconian and based on superstition rather than evidence. One of my pet peeves that I often rail about is the requirement that individuals change passwords on some fixed schedule; I’m still looking for any evidence that these requirements actually make our institutions more secure. In my own case, I’m much more likely to try to skimp on password complexity or write the new one down in those cases where I’m forced to change.

Every once in a while, though, I get a graphic reminder of why folks with more daily responsibility for security are more paranoid (which may not be too strong a word) than I am. Several of those reminders have been delivered this week as faculty and staff have been hit with a barrage of phishing schemes. At least seven members of the community, including at least a faculty member or two, have succumbed and provided their userids and passwords. Almost immediately their accounts were attacked by zombie armies, hundreds of sessions were opened and hundreds of thousands of spam messages were generated.

A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based.

In these seven instances, millions of messages were generated. Cleaning up the resulting mess takes lots of engineering time, though unfortunately with practice we’re cutting it from days to hours. Mail response for local users slows dramatically, and huge Internet service providers like AOL and Comcast blacklist the college domain as part of their spam management process. Reopening delivery may take a couple of days, and untold amounts of mail from college addresses may be dumped to the bit bucket.

If you care about your colleagues and being a good citizen of the community, don’t provide your id and password by using a link in an email message.