
Suspicious e-mails



If you are uncertain about an e-mail, it should be treated as suspicious. Reasons to be suspicious can include the following:

  • The e-mail is marked as spam
  • The sender is unclear
  • The e-mail is unwanted or unexpected
  • The e-mail contains an unexpected attachment
  • Spelling or formatting mistakes
  • Inconsistencies
  • The e-mail wants you to make a payment (e.g. to buy gift cards)
    • Messages that try to imitate superiors in this context are known as CEO fraud
  • The e-mail contains a link which requires you to log in
  • The e-mail asks for login credentials, personal information or other sensitive information
  • The e-mail tries to put you under pressure (e.g. through deadlines, demands for payment or accusations)
  • The e-mail swears you to secrecy or forbids you from contacting the supposed sender
  • The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
  • The linked website is not secure (a warning is displayed next to the address line in the browser)

In case of doubt, suspicious e-mails can be sent to as an attachment. The IT Center can then assess whether the e-mail poses a threat and the type of threat where applicable. You should under no circumstances click any links in the e-mail or open attachments.



The steps that need to be taken when dealing with a suspicious e-mail depend on its type:

If you have clicked on a link or opened an attachment, there is a risk that your device or accounts are compromised. Please follow the procedures for compromised accounts and devices immediately.


The e-mail is marked as spam

All e-mails that reach the RWTH Aachen University are checked for spam.

If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.

No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.


The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"

All e-mails that reach the RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the server, or

If suspicious code is detected in an attachment, the attachment is replaced with the following text:

  This attachment contained a virus and was stripped.

Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except deleting it.


The e-mail is unrecognised spam

If you receive an unwanted e-mail that has not been recognised as spam by the system and marked as such, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.

It is critical that the original e-mail is forwarded as an attachment to Simply forwarding the e-mail as text is not sufficient!

Spam that does not pose a technical threat, such as advertising and simple hoaxes, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.


The e-mail is an unrecognised phishing e-mail or contains an undetected virus

Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.

Please report the malicious e-mail by sending it as an attachment to and The e-mail can then be analysed and countermeasures can be enacted. Simply forwarding the e-mail as text is not sufficient.
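Why the original has to travel as an attachment, shown as an added Python example (not part of the IT Center's page or tooling): a `message/rfc822` attachment carries the original headers, such as `Received` and `Message-ID`, which an inline text forward typically drops. `REPORT_TO` is a placeholder because the page does not show the real address, `SAMPLE` is a constructed message, and the function names are hypothetical.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject tags quoted on this page; spacing inside the asterisks varies there.
TAGS = re.compile(r"^\*{5}\s*(SPAM|VIRUS REMOVED / ENTFERNT)\s*\*{5}")
# Placeholder: the page's reporting address is not shown, so none is assumed.
REPORT_TO = "report-address@example.invalid"

# Constructed sample message (not a real e-mail).
SAMPLE = (
    b"Received: from mail.example.net by mx.example.org; 1 Jan 2024\r\n"
    b"From: \"IT Support\" <support@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Log in within 24 hours to keep your account.\r\n"
)

def triage(raw: bytes) -> str:
    """'delete' if the gateway already tagged the subject, else 'report'."""
    subject = message_from_bytes(raw, policy=policy.default)["Subject"] or ""
    return "delete" if TAGS.match(subject) else "report"

def wrap_as_attachment(raw: bytes, reporter: str) -> EmailMessage:
    """Build a report that carries the original as a message/rfc822 part."""
    original = message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"], report["To"] = reporter, REPORT_TO
    report["Subject"] = "Suspicious e-mail report"
    report.set_content("Original attached. No links or attachments opened.")
    report.add_attachment(original)  # Message object -> message/rfc822
    return report

def attached_headers(report: EmailMessage, name: str) -> list:
    """Read a header of the original back out of the report."""
    inner = next(report.iter_attachments()).get_content()
    return inner.get_all(name, [])

if __name__ == "__main__":
    print(triage(SAMPLE))
    report = wrap_as_attachment(SAMPLE, "user@example.org")
    print(attached_headers(report, "Received"))
```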




last changed on 08/30/2022


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License