Is .edu a canary?


Several times recently I’ve heard about something unusual happening email delivery-wise at academic domains that was new, and wasn’t being seen at non-academic domains on the same lists.

Most recently it was aggressive following of all links in an email at delivery time, seen at several .edu domains, all using the same mail provider. Not that unusual a thing in itself, we know that corporate malware filters have done this for a while. But this seemed more aggressive than just “this mail looks iffy, lets sample a few links and look for malware”, and the new behaviour was only being seen on .edu recipient domains, not on any of the non-academic domains using the same mail provider.

If any .edu postmasters can explain, please, do, but my speculation is that one big difference between academia and the corporate environment is how much control the IT security folks have over recipient machines. In a large corporate environment the windows desktops and laptops are going to be centrally managed, locked down and kept up to date on patches and malware filters. There’s defence in depth, as you know that if a malware link gets through to the recipient the odds are good that their desktop antivirus will catch it, and they’re not going to be running as a Windows administrator.

In academia there’s often not that same level of control, with computers being provided and paid for by a departments or individual labs, and a lot of personal computers on the network (let alone the dorm networks). And I’m betting users tend to have administrator access to their desktops.

The place an academic IT group does have control is the infrastructure, including the inbound mailservers. It’d make sense for them to be more aggressive in malware filtering at the edge mailserver as they don’t have a multilayered defence to rely on. So they’re going to enable the most aggressive malware filtering there as soon as it’s available.

It’s just a theory, but it’d explain a few .edu-specific oddities I’ve heard of recently.

About the author


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Most of the universities I know have outsourced their mail. Microsoft handles mail for Yale, Princeton, Dartmouth and your neighbors at Trinity College. Google handles Brown’s. Proofpoint handles Harvard’s, Trend handles Oxford’s. Cambridge still handles their own, because they wrote Exim.

    I suspect this is the university IT departments telling the mail providers to turn it up to 11 to limit the amount of bad stuff that gets to badly managed unpatched computers on faculty desks.

  • A little more direct experience with delivering to secondary education, but perhaps something similar is happening in higher ed.

    I’ve seen both security systems like Barracuda and Mental Health security systems Gaggle. Gaggle in particular is pretty aggressive in clicking-through email links.

    During the pandemic, school systems seems to move away from their own infrastructure to Google and Microsoft. Once I the cloud, it’s easier to setup connections to these security and mental health protections systems.

  • Yeah. Much of what I’m hearing about is Microsoft hosted .edus (and other academia, but it’s not a big sample).

    Microsoft offering a “Just how paranoid do you want to be?” dial, combined with academic admins turning it up to 11.

By steve

Recent Posts


Follow Us