Email sending limit introduced to stem tides of phishing

A new cybersecurity measure has been quietly protecting the University of Oregon community since late January.

That measure is a daily email sending limit for UO faculty and staff.

The Information Security Office introduced the sending limit — a common industry practice — to dramatically slow the spread of phishing emails while enabling UO's teaching, learning, research and administration to continue.

"Just a few weeks ago, cybercriminals stole the credentials of two UO employees and used their accounts to send about 20,000 phishing emails to the UO community," said José Domínguez, chief information security officer. "Such attacks have become all too familiar. The new limit buys us time to stop them before they go too far."

Domínguez said the limit is set higher than 98 percent of employees will likely reach, based on nearly a year's worth of assessment by his team. 

"Hardly any of us will ever bump into these limits, and that's by design to ensure your ongoing access to email services," Domínguez said. "To protect the university from adversaries, we usually don't disclose further details about our security practices."

For people whose recent sending patterns exceeded the limit, the Information Security Office has already taken steps to prevent disruptions.

Domínguez said the UOmail system isn't intended to serve as a bulk email delivery platform.

For employees who need to contact large groups in accordance with UO's internal mass email guidelines, Information Services typically recommends using existing email lists or creating new lists through UO's Mailman service (lists.uoregon.edu). UOmail distribution groups are another option.

When anyone tries to send more emails than allowed, they will receive a delivery failure notification, as described on the email sending limits page — a secure reference page visible only to people logged in to the UO Service Portal

"We recommend bookmarking our reference page so you have these details at your fingertips in case you need them," Domínguez said. "Whenever someone hits the limit, our team also gets notified and responds very quickly and proactively during business hours to address each situation."

Information Services staff will open a ticket on behalf of the affected user and begin investigating whether their account has been compromised. The user will likely get email notifications from that activity in the UO Service Portal.

To expedite the process, users can also submit a ticket themselves through the email and calendar help page.

Information Services staff will provide more details to each affected user to help them resume sending email. The unblocking process itself takes five to 60 minutes in most cases.

The new sending limit doesn't apply to third-party mass email services such as Emma, Mailchimp and Constant Contact.

However, it does apply to departmental role accounts in the UOmail system. The Information Security Office also previously introduced a sending limit for UO students.

Domínguez's team had originally planned to extend the sending limit to employees in late February, after announcing it to the UO community. However, the team fast-tracked those plans after another cyberattack hit in late January. That time, a malicious message about a salary increase went out to more than 2,600 faculty and staff members, graduate employees and other students, leading to about 100 of those accounts being compromised.

Anyone with questions can submit a ticket at email and calendar help. Employees can also contact the IT staff who support their unit. For real-time help during evenings and weekends, people can contact the Technology Service Desk.

—By Nancy Novitski, University Communications