AC-100 Email Sending Limitations

Description

This control was initiated by the Chief Information Security and Privacy Officer to enhance protections from phishing and spam emails.  TAMU-CC experienced a high volume of phishing and spam emails in the Summer of 2024 where the attacker was using compromised credentials of students and staff to send internal fraudulent messages using East-West communications, bypassing filtering implemented by the university firewalls. This control was put into place to remediate expanded exposures.

Applicability

This Control applies to all users of TAMU-CC information resources.

Implementation

In an effort to protect our enterprise IT systems, students, faculty, and staff from malware, spyware, ransomware, phishing, and scams, an email sending limitation will be put into place as follows:

  1. Student accounts (@islander.tamucc.edu) are limited to sending to a total of 100 emails per day.
  2. Staff and faculty (@tamucc.edu) accounts are limited to a total of 300 emails per day.
  3. Faculty are recommended to communicate with students in their classes through Canvas or set up a Teams group for the class as needed.
  4. Department or organization shared mailboxes will remain unlimited. Departments may request a shared mailbox though the service catalog in Service Now.
    1. The owner of a department shared mailbox may assign access to send department emails to any department staff member or student worker
  5. For large email communications, users are encouraged to use other communication tools (e.g., Canvas, MailChimp).
  6. Exceptions will be evaluated and granted by the Chief Information Security and Privacy Officer (CISPO) and the Chief Information Officer (CIO) on a case-by-case basis:
    1. Any student, faculty, or staff who has a business reason to send more emails may apply for an exception to the Office of Information Security by email at iso@tamucc.edu.
    2. Individual approvals will be tracked and maintained in Service Now (SNOW) as exceptions.
    3. Exceptions shall expire after twelve (12) months.
    4. OIS will maintain a master list of all exceptions.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events