Is .edu a canary?

Several times recently I’ve heard about something unusual happening email delivery-wise at academic domains that was new, and wasn’t being seen at non-academic domains on the same lists.

Most recently it was aggressive following of all links in an email at delivery time, seen at several .edu domains, all using the same mail provider. Not that unusual a thing in itself, we know that corporate malware filters have done this for a while. But this seemed more aggressive than just “this mail looks iffy, lets sample a few links and look for malware”, and the new behaviour was only being seen on .edu recipient domains, not on any of the non-academic domains using the same mail provider.

If any .edu postmasters can explain, please, do, but my speculation is that one big difference between academia and the corporate environment is how much control the IT security folks have over recipient machines. In a large corporate environment the windows desktops and laptops are going to be centrally managed, locked down and kept up to date on patches and malware filters. There’s defence in depth, as you know that if a malware link gets through to the recipient the odds are good that their desktop antivirus will catch it, and they’re not going to be running as a Windows administrator.

In academia there’s often not that same level of control, with computers being provided and paid for by a departments or individual labs, and a lot of personal computers on the network (let alone the dorm networks). And I’m betting users tend to have administrator access to their desktops.

The place an academic IT group does have control is the infrastructure, including the inbound mailservers. It’d make sense for them to be more aggressive in malware filtering at the edge mailserver as they don’t have a multilayered defence to rely on. So they’re going to enable the most aggressive malware filtering there as soon as it’s available.

It’s just a theory, but it’d explain a few .edu-specific oddities I’ve heard of recently.