How can you email the President?

Central IT service of the University of Innsbruck


Content:

  1. What is SPAM
  2. What are phishing emails
  3. What is the ZID doing about SPAM
  4. What is the ZID doing against malware?
  5. What can you personally do
  6. Mail forwarding from external providers
  7. How do the polluters get to the e-mail addresses
  8. Email and authenticity
  9. The TO: field and the actual recipients of a message
  10. SPAM with uibk sender addresses
  11. SPAM - an example
  12. Interpretation and advice for example
  13. Forwarding phishing messages
  14. More links on the topic

What is SPAM?

"SPAM" is the technical term for the flood of messages that nobody is interested in, named after a canned meat that is sold primarily in the USA and Great Britain. The meat played a role in many Monty Python sketches. In one film, a group of Vikings sang "Spam, Spam, Spam, ..." and stifled all conversation in the room. Experts see the danger posed by advertising emails in a similar way: because of the huge volume of mail, the mail servers on the Internet could be completely overloaded, and the important messages would only reach their recipients with difficulty. (Explanation originally by Till Heidemann on cityweb.de)

What are phishing messages?

In contrast to "merely annoying" SPAM, phishing messages are sent with criminal intent. By assuming a false identity, the sender tries to trick the recipient into handing over secret information such as access credentials for e-banking applications or electronic flea market and shopping systems.

In general, psychological tricks ("account expired", "account has been hacked" etc.) are used to trick the user into entering passwords, transaction codes etc. on a website that looks deceptively similar to the actual bank website.

However, this is not the bank's web server but a hacked PC somewhere on the Internet. The link text that is displayed generally does not match the web server it actually points to. You can usually verify this by hovering the mouse pointer over the link: the address shown at the bottom of the program window differs from the one displayed in the mail. Good mail programs such as Mozilla Thunderbird will also explicitly point this out to you in such cases.

By clicking on the link or by downloading files or programs from this fake page, you may also install malicious programs such as password sniffers or keystroke loggers on your PC. Since this unwanted software may be custom-made and, at the time the mail was distributed, not yet widespread on the Internet, it is possible that your anti-virus software will not yet recognize it as malware when you visit the fake website.

The information is then used to empty the bank account of the gullible recipient.

See also the very good explanation on phishing at Wikipedia.de.

What is the ZID doing against SPAM?

SPAM can never be completely prevented without massively restricting your availability by email.

In order to keep the number of unwanted messages low, the ZID has taken various technical measures. In order to remain effective, the measures and filter rules are continuously updated.

Unwanted messages are never silently "swallowed". If a message is identified as SPAM etc., it is not accepted by the ZID and the sender receives a non-delivery error message with further help.

  • The mail system does not accept mail from invalid sender addresses.
    (More precisely: the part after the @ must be a valid internet domain.)

  • We have been using an anti-SPAM measure known as nolisting for some time.

  • The mail system does not accept mail from mail systems that have already distributed SPAM and have done nothing to prevent it.
    These systems are listed in worldwide databases. When we receive messages, we check the sending IP address and reject the mail if necessary.
    In addition to the ZEN blacklist from spamhaus.org, the SPAMCOP database is consulted.

  • Known phishing messages are identified and rejected by our virus scanners.

  • Messages are then subjected to content filtering with SpamAssassin on the mail relay and scored.
    Messages that are very likely SPAM, i.e. with more than 7 SPAM points, are rejected immediately at the relay.
    All other messages are given an additional header line that contains the SPAM rating, e.g.:

    X-Spam-Score: () 2.3 HTML_MESSAGE, MSGID_FROM_MTA_HEADER, ...
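Two of the acceptance checks listed above, the sender-domain check and the DNSBL lookup against the ZEN and SPAMCOP lists, as an added Python example (not the ZID's own code). It assumes the zone names zen.spamhaus.org and bl.spamcop.net and replaces the DNS resolver with a constructed lookup table so that it runs offline; a real relay resolves the query name in DNS.

```python
import ipaddress
import re

# DNSBL zones consulted by the relay (Spamhaus ZEN and SPAMCOP, as named on the page).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Constructed stand-in for DNS: query name -> A record. Only the open relay from the
# page's SPAM example is "listed" here. A real check would resolve these names.
FAKE_DNS = {
    "17.89.238.210.zen.spamhaus.org": "127.0.0.2",   # listed
    "17.89.238.210.bl.spamcop.net": "127.0.0.2",     # listed
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)


def sender_domain_ok(address: str) -> bool:
    """Syntactic check of the part after '@': at least two well-formed labels.
    The relay additionally requires the domain to exist in DNS (not done here)."""
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1]
    labels = domain.split(".")
    return len(domain) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve=FAKE_DNS.get) -> list:
    """Zones that list the IP. A listing is answered with 127.0.0.x (Spamhaus uses
    127.0.0.2-11); no record (None here) means not listed. Answers outside 127.0.0.0/24
    such as 127.255.x.x are error signals, not listings, and are ignored."""
    hits = []
    for zone in DNSBL_ZONES:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127.0.0."):
            hits.append(zone)
    return hits


def accept_envelope(mail_from: str, client_ip: str) -> tuple:
    """Decide at the SMTP envelope stage; a rejection becomes a non-delivery error for the sender."""
    if not sender_domain_ok(mail_from):
        return False, "invalid sender domain"
    hits = dnsbl_listed(client_ip)
    if hits:
        return False, "client listed in " + ", ".join(hits)
    return True, "accepted"
```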

As of May 2017, our spam and virus protection system rejects approx. 250,000 of the approx. 300,000 messages arriving from outside every day and delivers 50,000. 1200 messages per day are infected with viruses and are also rejected.

In other words, without the ZID's measures, only one message in every 7 in the "average" mailbox would be a desired one.

Complete filtering of SPAM is unfortunately impossible, since whether a mail is wanted or unwanted by its recipient is a personal matter and can therefore only be decided to a limited extent by technical means.

Phishing messages are also very difficult to distinguish from normal messages, because they generally contain no dangerous attachments and are constantly being redesigned in form and content.

What is the ZID doing against malware?

In addition to checking all messages for malware with a virus scanner, certain attachments are filtered out. This is necessary because malicious software naturally only ends up in the anti-virus databases after it has first appeared.

These include executable files, ZIP archives containing a single executable file, and documents with certain file names such as XXXXXXXX-nnnn.doc, which are currently often used as attack vectors.

If you still need to send such files, you will find information in our document "Send files as a link instead of as an email attachment".

What can you personally do?

Treat unsolicited email as you would the daily flood of unsolicited brochures and advertising material. Delete the messages from your mailbox unseen.

If that becomes too troublesome for you: on the mail server for university employees (Exchange server) you can very easily set up a server-side filter that moves messages suspected of being SPAM into a separate mail folder.

On the student mail server (mail.uibk.ac.at) you can set the spam level in webmail under "Filter" - "Spamfilter", for example to 4, specify a target folder into which all messages with a spam score between 4 and 6 are moved, and then click "Save" and "Activate".
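The scoring described in the previous sections and here, as an added Python example that is not part of the ZID's mail system: it parses the relay's X-Spam-Score header line, applies the relay rule (more than 7 points is rejected) and the user-side rule (spam level 4 moves messages scoring 4 or more into a folder). The sample message and the folder name "Spam" are constructed.

```python
import re
from email import message_from_string

# Constructed sample message carrying the header format shown on the page.
SAMPLE = """From: someone@example.net
To: user@uibk.ac.at
Subject: intelligence, emotions
X-Spam-Score: () 2.3 HTML_MESSAGE, MSGID_FROM_MTA_HEADER

bla bla bla
"""

RELAY_REJECT_ABOVE = 7.0   # page: "more than 7 SPAM points" is rejected at the relay

# "(<marks>) <score> <test names...>"; the parentheses may be empty, as on the page.
_SCORE = re.compile(r"^\(([^)]*)\)\s*(-?\d+(?:\.\d+)?)\s*(.*)$")


def parse_spam_score(value: str) -> tuple:
    """Split 'X-Spam-Score: () 2.3 HTML_MESSAGE, ...' into the numeric score and
    the list of SpamAssassin test names that fired (a trailing '...' is dropped)."""
    m = _SCORE.match(value.strip())
    if not m:
        raise ValueError("unrecognised X-Spam-Score header: %r" % value)
    score = float(m.group(2))
    tests = [t for t in re.split(r"[,\s]+", m.group(3).strip()) if t and t != "..."]
    return score, tests


def relay_decision(score: float) -> str:
    """What the relay does with a scored message: reject above 7 points, otherwise deliver."""
    return "reject" if score > RELAY_REJECT_ABOVE else "deliver"


def mailbox_folder(score: float, level: float = 4.0, folder: str = "Spam") -> str:
    """User-side rule: with spam level 4, messages scoring 4 or more go to the chosen
    folder. Scores above 7 never arrive because the relay already rejected them."""
    return folder if score >= level else "INBOX"


def classify(raw_message: str, level: float = 4.0) -> dict:
    """Apply both rules to a raw message; messages without the header stay in the inbox."""
    msg = message_from_string(raw_message)
    header = msg.get("X-Spam-Score")
    if header is None:
        return {"score": None, "tests": [], "relay": "deliver", "folder": "INBOX"}
    score, tests = parse_spam_score(header)
    return {"score": score, "tests": tests,
            "relay": relay_decision(score), "folder": mailbox_folder(score, level)}
```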

You should delete phishing messages immediately! Do not click on the links provided and do not even fill out any forms that look deceptively similar to your web banking. Banks generally do not contact you in the form of email messages.

The option often offered in such emails to be removed from the "mailing list" practically never works. In the best case, you receive a notification that your request could not be delivered. So save yourself the trouble.

Mail forwarding from external providers

Our filter measures take into account where a mail message comes from. As soon as you forward another mailbox / e-mail address to your Innsbruck e-mail address, you must expect to receive significantly more SPAM, because we trust the source (the mail provider of your other address).

What can you do?

  • Instead of automatic forwarding, set up a "holiday message" (auto-reply) on your old mail system, such as: My mailbox xx@yy is no longer read.
    Please contact [email protected]
    Human users can live with such a message; SPAMers don't read it, and you are rid of some of the unwanted messages.
  • Alternatively, you can set up a filter rule on the Exchange server so that the forwarded messages end up in a separate mail folder.

How do the polluters get to the e-mail addresses?

In particular, when several Innsbruck e-mail addresses appear in one message, one naturally wonders how the perpetrators got hold of the addresses. Did they get them from the university?
Almost certainly not. Web forms cannot be harvested by search engines, since a search string would be required for that.
And of course the ZID and the university do not pass them on. This is even explicitly forbidden.

The most likely source of email addresses are web pages that list your address in "plain text".

"Address dealers" scan web pages for strings that look like mail addresses and then offer them in databases containing as many addresses as possible. They use the same technology that search engines use to index your data on the Internet.

For example, search for your own address on google.com and you will see in how many documents your email address appears.

Unfortunately, many Windows viruses now also pass on the mail addresses they were able to collect on the infected PC (in address books, mail messages and cached websites) to their "clients". A single infected PC belonging to a friend who has saved your e-mail address locally is often enough for your address to start receiving SPAM.

Email and authenticity

Many users are hardly aware of it, but the fact is that Internet e-mail is by default not checked for authenticity in any way, i.e. neither for the correctness of the specified sender nor for the correctness and authenticity of the content.

So you can get an email from the President of the United States, the ZID or the Rector, which (of course) was not written by them.

At first you will say: disaster! In real life, however, you can just as easily be confronted with a holiday postcard with a wrong sender, or an anonymous or forged letter. If the content seems implausible to you, you will dispose of the message more or less quickly.

So treat electronic mail with a certain degree of skepticism. A short call or an answer to the supposed sender of the message can clear up many a misunderstanding at an early stage.

This shortcoming of traditional e-mail can be compensated for with so-called electronic signatures. Provided that your partner signs the messages before they are sent and you verify the signature with suitable means, you can then assume that the message is genuine and unaltered.

The TO: field and the actual recipients of a message

Why are you getting email addressed to [email protected]? Has there been a delivery error?

No. As with normal mail, the address on the envelope of a letter does not have to match the one in the letterhead. The postman follows the address on the envelope; the letter itself may only say "Dear voters".

The TO field of a message corresponds to the address written in the letter itself (not on the envelope) and can therefore be "falsified" by simple means, just like the sender of the message.

Only the information recorded in the message header during delivery gives any indication of the actual origin of a message, analogous to the postmark on a letter.

SPAM with uibk sender addresses

Recently it has also happened that uibk mail addresses are used as fake senders in SPAM messages. Badly configured mail servers on the Internet then believe they have to inform the alleged sender of delivery errors, etc.

The user of the uibk address then unfortunately receives many error messages within a short period for messages that he never sent. Usually the user can only delete the messages and wait for the SPAMer to move on to other addresses soon.

Unfortunately, such messages are difficult to filter, because they come from real, large mail servers and can hardly be distinguished from error messages generated for messages that actually came from you.

SPAM - an example

To analyze SPAM it is necessary to look at the whole message including all headers. Mail programs normally display only a few header fields, which in SPAM are forged and therefore useless anyway.

In Mozilla Thunderbird you can display the entire content with the menu function "Menu / View / Message source text". In webmail, click on "Source text" while the message is open. Outlook 2016 lets you view the header lines of a mail (opened in a separate window) via "File / Properties / Internet headers". You should then find something like the following:

Return-Path: 1)
Received: via tmail-4.1 (11) for cXXXXXX +; Tue, 1 Aug 2017 17:53:54 +0200
(MET DST) 2)
Received: from lmr2.uibk.ac.at (lmr2.uibk.ac.at [138.232.1.202]
[email protected]) by smc.uibk.ac.at
(8.11.6 / uibk) with ESMTP id f91Frsc11273
for ; Tue, Aug 1, 2017 5:53:54 PM +0200 (MET DST)
Received: from po.ontake.jp ([210.238.89.17] [email protected]) by
lmr2.uibk.ac.at (8.11.3 / E2) with ESMTP
id f91Frp3338705 for ; Tue, 1 Aug 2017
17:53:51 +0200 (MDT) 3)
Received: from yahoo.com.br [202.138.44.232] by po.ontake.jp (SMTPD32-4.10)
id A5D05212010C; Tue, 01 Aug 2017 23:59:28 +0900 4)
From: [email protected], Emotionen 5)
To: [email protected] 6)
Subject: intelligence, emotions
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <[email protected]> 7)
Date: Wed, 2 Aug 2017 00:10:23 +0900

bla bla bla

Interpretation and advice for example

1) The return address used by the sender. Presumably non-existent or already blocked by the provider Yahoo.

2) The message was placed in your mailbox on the university's mail server at 5:53 p.m. local time.

3) The university's mail relay received the message at 17:53 from the presumably open mail relay 210.238.89.17 (po.ontake.jp).
By the way: the mail relay po.ontake.jp has since been added to the MAPS database, so we should not get any more SPAM from there.

4) The message was delivered from the IP address 202.138.44.232 to the open mail relay po.ontake.jp for further distribution on the Internet.
By the way: more detailed research would show that the address 202.138.44.232 was assigned to an Australian Internet provider. You could complain to that provider about the originator of the message.

5) The sender of the message is of course fake.

6) The sender specified the address "Intelligente.Leute" as the recipient. Our mail gateway then appended "@lmr2.uibk.ac.at" when forwarding the message in order to make it a valid e-mail address.
Don't let that worry you: nobody broke into the mail system.

7) The message ID was likewise chosen by the sender to match the forged sender address.
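The bottom-up reading of the Received lines explained in points 3) and 4), as an added Python example that is not part of the original page. The sample headers are constructed after the page's example (elided addresses replaced by placeholders, IPs as on the page), and the set of "our own" relays (smc.uibk.ac.at, lmr2.uibk.ac.at) is an assumption: only Received lines written by our own servers are trusted, everything below them is merely what a foreign server claims.

```python
import re
from typing import Optional
from email import message_from_string

# Constructed sample modelled on the header example above (placeholders for elided addresses).
SAMPLE = """Return-Path: <sender@placeholder.invalid>
Received: via tmail-4.1 (11) for cXXXXXX+; Tue, 1 Aug 2017 17:53:54 +0200 (MET DST)
Received: from lmr2.uibk.ac.at (lmr2.uibk.ac.at [138.232.1.202]) by smc.uibk.ac.at
  (8.11.6/uibk) with ESMTP id f91Frsc11273; Tue, 1 Aug 2017 17:53:54 +0200 (MET DST)
Received: from po.ontake.jp ([210.238.89.17]) by lmr2.uibk.ac.at (8.11.3/E2)
  with ESMTP id f91Frp3338705; Tue, 1 Aug 2017 17:53:51 +0200 (MDT)
Received: from yahoo.com.br [202.138.44.232] by po.ontake.jp (SMTPD32-4.10)
  id A5D05212010C; Tue, 01 Aug 2017 23:59:28 +0900
From: Emotionen <sender@placeholder.invalid>
To: Intelligente.Leute@lmr2.uibk.ac.at
Subject: intelligence, emotions

bla bla bla
"""

# Assumed: hosts whose Received lines we wrote ourselves and therefore trust.
OUR_RELAYS = {"smc.uibk.ac.at", "lmr2.uibk.ac.at"}

_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Optional[dict]:
    """Extract the 'from' host, its bracketed IP and the 'by' host from one Received line.
    Lines without from/by (e.g. the local delivery line 'via tmail...') are skipped."""
    text = " ".join(value.split())                       # unfold continuation lines
    m_from, m_by, m_ip = _FROM.search(text), _BY.search(text), _IP.search(text)
    if not (m_from and m_by):
        return None
    return {"from": m_from.group(1), "ip": m_ip.group(1) if m_ip else None, "by": m_by.group(1)}


def trace_origin(raw: str) -> dict:
    """Walk the chain top-down (newest line first). The first line written by one of our
    relays whose peer is not ours names the address we actually saw (point 3); the last
    line is the claimed origin (point 4), trustworthy only if it is that same hop."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    seen = next((h for h in hops if h["by"] in OUR_RELAYS and h["from"] not in OUR_RELAYS), None)
    claimed = hops[-1] if hops else None
    return {"relay_seen_by_us": seen["ip"] if seen else None,
            "relay_name": seen["from"] if seen else None,
            "claimed_origin": claimed["ip"] if claimed else None,
            "claimed_origin_trusted": bool(claimed and claimed is seen)}
```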

Forwarding phishing messages

If you want to forward phishing messages to us, it is very important that all header lines are retained.

To do this, proceed as follows:

  1. Create a new message in your mail program. Use a meaningful subject such as "My phishing donation".
  2. Now drag the unwanted message(s) from the message overview into the attachment area of the newly created mail.
  3. Send the mail to security (at) uibk.ac.at.

This way the headers that are particularly important to us are retained. Forwarding as an attachment is not possible with webmail; in that case, simply send us the message source text of the phishing message (copy it into a new message using cut & paste).

More links on the topic