Suspicious e-mails
You should under no circumstances click any links or open attachments in a suspicious e-mail.
If you are uncertain whether an email is trustworthy, you should treat it with extra caution.
Reasons for an e-mail to be suspicious can include the following:
- Marked as spam by your e-mail program or in the subject line
- Unclear who the sender is
- The email uses a username, generic name or the wrong name to address you
- Unwanted or unexpected e-mails
- Unexpected attachments (especially .zip / .rar / .tar.gz / .7z / .exe / .bat / .com / .cmd / .scr / .pif files)
- Missing e-mail signature for e-mails from official institutions
- Spelling or formatting mistakes
- Inconsistencies
- Requesting a payment (e.g. to buy gift cards, invoices)
  - Messages that try to imitate superiors in this context are known as CEO fraud
  - Fake conferences can ask for registration fees or abstracts
- Links that you are meant to use to log in to an account
- Asking for login credentials, personal information or other sensitive information
- Putting you under pressure (e.g. through deadlines, demands for payment or accusations)
- Swearing you to secrecy or forbidding you from contacting the supposed sender
- The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
- The linked website is not secure (a warning is displayed next to the address line in the browser). Please do not voluntarily click any links in suspicious e-mails, even just to test them.
The steps that need to be taken when dealing with a suspicious e-mail depend on its type:
- The e-mail is marked as spam
- The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
- The e-mail is unrecognised spam
- The e-mail is an unrecognised phishing e-mail or contains an undetected virus
The e-mail is marked as spam
All e-mails that reach RWTH Aachen University are checked for spam.
If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.
No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.
The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
All e-mails that reach RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the servers relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.
If suspicious code is detected in an attachment, the attachment is replaced with the following text:
This attachment contained a virus and was stripped.
Filename:
Content-Type:
Virus(es):
Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except deleting it.
The e-mail is unrecognised spam
If you receive an unwanted e-mail that has not been recognised as spam by the system, and marked as such, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.
It is critical that the original e-mail is forwarded as an attachment (simply forwarding the e-mail as text is not sufficient!) to spam@access.ironport.com.
Spam that does not pose a technical threat, such as advertising and simple hoaxes, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.
The e-mail is an unrecognised phishing e-mail or contains an undetected virus
Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.
Please report the malicious e-mail by sending it as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de AND spam@access.ironport.com. The e-mail can then be analysed and countermeasures can be enacted.
If the suspicious e-mail cites an older e-mail, please also forward the original e-mail as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de, or let us know the date of sending and the addressees of that e-mail. This will make it easier for us to analyse possible mailbox leaks.
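Why forwarding as an attachment matters, shown as an added example (not RWTH tooling): a message/rfc822 attachment carries the original headers such as Received, while a plain forward keeps only the displayed text. The sample message, the reporter address and the function names are constructed for illustration, and forward_inline is a simplified model of what mail programs do.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a suspicious message (.eml bytes); not a real e-mail.
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org; Mon, 01 Jan 2024 10:00:00 +0100\r\n"
    b'From: "IT Support" <support@example.net>\r\n'
    b"To: user@example.org\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Log in at http://login.example.net/ within 24 hours.\r\n"
)
# Reporting addresses as given on this page.
REPORT_TO = ["servicedesk@itc.rwth-aachen.de", "spam@access.ironport.com"]

def _envelope(reporter: str) -> EmailMessage:
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(REPORT_TO)
    report["Subject"] = "Report: suspicious e-mail"
    return report

def forward_as_attachment(raw_eml: bytes, reporter: str) -> bytes:
    """Wrap the untouched original as a message/rfc822 attachment."""
    original = message_from_bytes(raw_eml, policy=policy.default)
    report = _envelope(reporter)
    report.set_content("Original message attached for analysis.")
    report.add_attachment(original)  # stored as message/rfc822
    return report.as_bytes()

def forward_inline(raw_eml: bytes, reporter: str) -> bytes:
    """Simplified model of a plain 'Forward': only displayed fields survive."""
    original = message_from_bytes(raw_eml, policy=policy.default)
    report = _envelope(reporter)
    report.set_content(
        f"---- Forwarded message ----\nFrom: {original['From']}\n"
        f"Subject: {original['Subject']}\n\n{original.get_content()}"
    )
    return report.as_bytes()

def recoverable_headers(report_bytes: bytes) -> dict:
    """Return the original headers an analyst can recover from a report."""
    msg = message_from_bytes(report_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return dict(part.get_content().items())
    return {}
```
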