Combating Phishing in Webmail

Our email security procedures apply to all VFW WebMail and VFW AuxMail Users.

We experienced a number of security violations in the WebMail system and have taken steps to tighten system security which will affect current and future operation of the email system.

First off, please remember that we will NEVER EVER send you an email asking for your username or password. You should never voluntarily give your username or password to anyone.

Don't be fooled! Sample of a fraudulent request.

Don’t be fooled! Sample of a fraudulent request.

Unfortunately, we had a number of individuals who fell for this password phishing scheme which caused some severe problems for our network in recent weeks. Spammers were able to gain access to several accounts and used them to send out hundreds of thousands of spam emails from our server. This resulted in our server IP address getting added to several spam blacklists (lists of email servers known to send spam) which affected the timely delivery of thousands of legitimate emails and caused massive frustration for both our users and those trying to conduct legitimate business with our users. If you have any questions as to the validity of an email which you believe may be a scam, please contact your department before volunteering any information which may make you uncomfortable.

To that end, we have done an analysis of the security of our system and have instituted several rule changes, which have helped to remove us from the blacklists, but will directly impact your usage of the system. We won’t go into the technical details of all the changes, but one change in particular will affect a large number of users.

As of now, you are limited to sending an email to NO MORE than 50 email addresses at one time. This includes group email lists which users may have set up in their individual accounts. Attempting to do so will result in errors when you try to send out an email to large groups.

If you have groups set up in your accounts that contain more than 50 addresses, please take a few moments and break them down into smaller units that you can send to individually. We realize that this is an inconvenience to some, but it also prevents a compromised account from sending massive amounts of spam email and interrupting the flow of email for all users. ( This change does not affect Department of North Carolina officer distribution lists we have set up for the department on the email server. Please continue to use your officer distribution addresses as usual).

If you inadvertently send an email to more than 50 addresses, the email system may either prevent you from sending the email via a popup notice that you have bad addresses, or the system may send you a notice that your email has been deferred. If you receive a deferral notice, please note that your email should eventually reach it’s destination but delivery may be delayed by as much as several hours. The easiest way to avoid these errors is to break down your mailings into smaller groups and send them a minute or two apart. This will help ensure your email makes it to it’s destination as intended in a timely fashion.

Also, as some of you have already experienced, we have tightened up the rules for passwords on the system. Currently, all NEW passwords that the USERS create after logging in with the default MUST contain the following three items:

  1. Passwords must be at least 6 characters long, and
  2. At least one character must be a CAPITAL letter, and
  3. There must be at least one number in the password

So as an example, a user comes to webmail for the first time and logs in with the default password (provided to by the blogmaster, announced at a Flying Squadron event, or provided by a District Commander). The system immediately asks them to change their password. The NEW password that they create must follow the rules above.  Users can no longer set their password back to the original default or a previously used password, as they do not conform to the new rules

Also, if a user decides to change their password, it must change to something new. I cannot be set to a password that they’ve used before. As an example, a user has logged in, changed their password to Whitewolf1 and is using their account. At some point they forget their password and contact us to have the password reset. We reset the password to a default password and provide it to them. When the user logs in and the system asks them to change their password, they will not be able to use Whitewolf1 again. It must be something different.

We realize that this may make things a bit more difficult, until you adjust to the changes, but it should greatly increase our security and ensure the smooth flow of email in and out of our system.

And one final note, if you do receive a piece of spam email in your mailbox, instead of just deleting the email, please take a moment to click the “Mark as Spam” button above your mailbox. We have increased the mail system’s ability to “learn” what is spam and what is not. As more users mark particular emails as spam, the system will begin to block those emails from getting through and will result in cleaner a inbox for everyone.

Let us or your department headquarters know if you have any questions or if you run into any problems.

The VFW Webmail Admin Team

No Comments

Leave A Reply