Spam, phishing and other suspicious e-mails
This article explains what suspicious e-mails are, how you can recognize them and what options you have to take action against them.
You should under no circumstances click any links or open attachments in a suspicious e-mail.
If you are uncertain whether an email is trustworthy, you should treat it with extra caution.
Reasons for an e-mail to be suspicious can include the following:
- Marked as spam by your e-mail program or in the subject line
- Unclear who the sender is
- The e-mail addresses you by a username, a generic name or the wrong name
- Unwanted or unexpected e-mails
- Unexpected attachments (especially .zip / .rar / .tar.gz / .7z / .exe / .bat / .com / .cmd / .scr / .pif files)
- Missing e-mail signature on e-mails from official institutions
- Spelling or formatting mistakes
- Inconsistencies
- Requesting a payment (e.g. to buy gift cards, pay invoices)
  - Messages that imitate superiors for this purpose are known as CEO fraud
  - Fake conferences can ask for registration fees or abstracts
- Links that you are meant to use to log in to an account
- Asking for login credentials, personal information or other sensitive information
- Putting you under pressure (e.g. through deadlines, demands for payment or accusations)
- Swearing you to secrecy or forbidding you from contacting the supposed sender
- The sender address or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
- The linked website is not secure (a warning is displayed next to the address bar in the browser). Please do not voluntarily click any links in suspicious e-mails, even just to test them.
Spam (junk e-mail) is a general term for unwanted, annoying e-mails that are sent to many recipients. Spam can be simple advertising mails or hoaxes, but it can also include phishing attempts and e-mails containing malware. It is possible for several of these terms to be applicable for a single e-mail.
Regardless of the content of such an e-mail, the senders usually have no connection to the e-mail accounts to which such spam is sent. A commercial spammer often keeps databases with sometimes several million addresses. These can be collected, for example, by systematically searching newsgroups, homepages or e-mail directories (automated with a program), but also by trying out common addresses. The sending itself is also automated. Since sending e-mails costs almost nothing, it does not matter if many addresses are invalid.
Commercial spam is always commissioned. The client wants the spam or advertising emails to encourage people to visit a website or call their hotline, for example.
Most spam to RWTH e-mail addresses is filtered automatically. The spam detection software used at the IT Center recognises over 90% of incoming spam.
- Most spam arriving from outside is blocked directly and does not reach the recipient.
- The spam detection software used at the IT Center marks detected spam and e-mails containing malware:
  - The beginning of the subject line of spam is supplemented with "*****SPAM*****".
  - The beginning of the subject line of e-mails containing malware is supplemented with "***** VIRUS REMOVED / ENTFERNT *****".
- Depending on the chosen settings, e-mail clients move such e-mails to a spam folder.
Unfortunately, it is impossible to detect all spam. It is also particularly difficult to filter some types of malicious e-mails, such as targeted phishing attempts.
The term phishing refers to attempts to impersonate a trusted communication partner in an electronic communication via fake websites, e-mails or short messages. Unfortunately, it is easy to imitate a legitimate sender, and the sender's real account may also have been compromised.
These e-mails will often try to acquire the login credentials for accounts so that these can be hijacked. Phishing attacks can also set out to gather more general information, in order to prepare targeted future phishing attacks. These e-mails can also attempt to trick people into making payments or running malware.
III. E-mails with malicious programs (malware)
Malware is a program, such as a computer virus, that performs unwanted functions on a device. Among other things, malware can directly cause damage (e.g. ransomware), steal information or compromise security software to prepare further attacks. A common method of spreading malware is as an attachment to an e-mail, but links to websites that contain viruses also pose a major risk. After an initial device has been infected, malware can spread across networks to other devices.
Hoaxes are a malicious form of spam that attempts to manipulate the recipient into certain actions through social engineering. Frequently this includes spreading the hoax to other recipients. Hoaxes are often a malicious prank that does not pose a technological threat in itself, but spreading this false information is still annoying. The term includes false warnings that aim to be spread as widely as possible, e-mails from supposed princes who need help transferring funds, but also more credible phishing e-mails that aim to gain legitimacy through being spread by legitimate recipients.
2. Procedure for suspicious e-mails
The procedure for dealing with a suspicious e-mail depends on the type of e-mail.
I. Detected suspicious e-mails
E-mails marked with “***** SPAM *****”:
- All e-mails that reach RWTH Aachen University are checked for spam.
- If a corresponding e-mail is detected, the text “***** SPAM *****” is inserted before the actual text of the subject line.
- No further action is required as long as you do nothing else with the e-mail except delete it. The e-mail has already been recognized and marked as spam by the system.
Emails marked with “*****VIRUS REMOVED / ENTFERNT*****”:
All e-mails that reach RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave RWTH via the servers relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.
If suspicious code is detected in an attachment, the attachment is replaced with the following text:
This attachment contained a virus and was stripped.
- Filename:
- Content-Type:
- Virus(es):
Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it.
No further steps are required, provided that you do not do anything with the e-mail other than deleting it.
"False positives", meaning e-mails that were falsely marked as SPAM, can be reported by sending them as an attachment to the following address: ham@access.ironport.com
After successful notification, the sender's e-mail address should then be unlocked and future e-mails should arrive normally again.
When forwarding information to this external e-mail address, please take into account any existing non-disclosure agreements (NDAs) and data protection regulations that may prevent the forwarding of information.
It may also be useful to adjust the settings for the spam folder in the e-mail client used or the RWTH MailApp. You can find the instructions for this in the following guide.
III. Undetected suspicious e-mails
Undetected spam e-mails:
- If you receive a suspicious or unwanted e-mail that is not recognized and flagged by the system, you should report it.
- It is critical that the original e-mail is forwarded as an attachment (simply forwarding the e-mail as text is not sufficient!) to spam@access.ironport.com.
- The sender addresses will then be blocked by the spam filter (IronPort), or incoming e-mails from them will be marked with “***** SPAM *****”.
- Independent reporting by users makes it possible to detect such e-mails more quickly across the board and to improve the spam filter (IronPort).
- In the case of spam e-mails such as hoaxes or advertising e-mails that pose no technical risk, no further action is required after forwarding. The e-mail can be deleted.
Undetected phishing e-mails or undetected e-mails containing a virus:
- Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam.
- It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.
- Please report the malicious e-mail by sending it as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de AND spam@access.ironport.com.
- The e-mail can then be analysed and countermeasures can be enacted.
- If the suspicious e-mail quotes an older e-mail, please forward us that original e-mail as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de.
- Please let us know the date of sending and the addressees of this e-mail. This will make it easier for us to analyse possible mailbox leaks.
3. Procedures for compromised accounts and devices
If one of the following scenarios applies to you, or if you are generally concerned that your device has been compromised, carry out all of the following steps for compromised accounts and devices.
- If you have entered login information on a phishing website or shared it in other ways, the affected account may have been compromised.
- If you have run malicious files or opened linked websites, there is also a risk that your device has been compromised.
- If you have fallen for a spam/phishing e-mail or hoax and opened links or files, your account or device may have been compromised.
- If accounts have been compromised without your knowledge, these accounts may be blocked by the IT Center due to suspicious behavior.
- If a device has been compromised without your knowledge, you may receive a virus warning from the IT-ServiceDesk and your accounts may be blocked by the IT Center.
Note on e-mails received from your own address:
Sender addresses and header lines can be easily forged. The sender address is a free text field in the Simple Mail Transfer Protocol (SMTP). SMTP as such contains no security measures to ensure the authenticity of the address entered. Spammers can therefore choose any sender address without the mail account of the supposed sender having been compromised.
In some cases, phishing e-mails are sent with the recipient as the sender to pretend that the spammers have access to their mailbox or computer (often to blackmail the recipient). If you or someone close to you has received a suspicious e-mail with your sender address, this does not necessarily mean that your e-mail account has been compromised. The actual source of the e-mail can be discovered by looking at the e-mail header. In case of doubt, please send the e-mail as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de so that we can analyse the header. As a precaution, we would nevertheless recommend that you carry out the following steps.
- Change your passwords for the compromised accounts.
  - Use a device that has not been compromised to do this.
  - Never use a link to change passwords that you have been sent unsolicited.
- Inform the IT-ServiceDesk by explaining the situation and sending the suspicious e-mail as an attachment to servicedesk@itc.rwth-aachen.de. Simply forwarding the e-mail is not sufficient!
- Contact the IT-ServiceDesk without delay to receive help:
  - Forward the suspicious e-mail as an attachment to servicedesk@itc.rwth-aachen.de with a brief explanation of the situation.
  - The IT-ServiceDesk can help you remove the virus if needed.
- The antivirus software 'Sophos Anti-Virus' is available for free to members of RWTH Aachen University and FH Aachen.
  - The download is only possible while connected to the university network.
- The Malwarebytes software can be used free of charge.
- The virus may have spread to other devices on your network, so you should also check these devices.
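The note above on e-mails received from your own address says the real source is found in the header. The following is an added example (not IT Center code) of the header triage the ServiceDesk would do: it parses a constructed raw message in which the recipient's own address is forged as the sender, and reports whether From: equals To:, whether the envelope Return-Path domain matches the visible From: domain, which host the mail first entered the chain from (the last Received: line, since each hop prepends its own), and whether the filter has already tagged the subject. All hostnames, addresses and IPs in the sample are constructed.

```python
"""Header triage for a suspicious e-mail (added example, not IT Center code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the recipient's own address is forged as the sender,
# and the filter has already tagged the subject. Hosts/IPs are made up.
RAW_MAIL = b"""Return-Path: <bounce@example-spammer.invalid>
Received: from relay.example-spammer.invalid (relay.example-spammer.invalid [192.0.2.10])
\tby mx.rwth-aachen.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0100
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.example-spammer.invalid with SMTP; Mon, 1 Jan 2024 10:00:00 +0100
From: Max Mustermann <mustermann@rwth-aachen.example>
To: mustermann@rwth-aachen.example
Subject: ***** SPAM ***** Your account has been hacked
Content-Type: text/plain

Pay now or else.
"""


def _domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return the header-based signals discussed in the article as a dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    received = [str(h) for h in msg.get_all("Received", [])]
    # Each relay prepends its own Received: line, so the last one is the
    # earliest hop, i.e. where the message actually entered the mail system.
    first_hop = received[-1] if received else ""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)
    subject = str(msg.get("Subject", ""))
    return {
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        "return_path_mismatch": _domain(msg.get("Return-Path", "")) != _domain(msg.get("From", "")),
        "origin_ip": ip.group(1) if ip else None,
        "already_tagged": subject.startswith("***** SPAM *****") or "VIRUS REMOVED" in subject,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MAIL).items():
        print(f"{key}: {value}")
```

A From: that equals your own address together with a Return-Path from another domain and a first hop outside the university is the pattern the note describes: a forged sender, not a compromised mailbox.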
- Further information on spam:
  - http://hoax-info.tubit.tu-berlin.de/software/spam.shtml (DE)
  - https://en.wikipedia.org/wiki/Email_spam
- CEO Fraud: When “Superiors” ask for Money
- Social Engineering – or: How we get tricked
- Safety first: Beware of Phishing Mails with RWTH names!
- Phishing Attack on RWTH E-Mail Accounts: Data Theft – Not with us!
- Explanations and statistics for the spam filter
- Spam folder settings (E-mail clients)
- Procedure for a suspended VPN account