Suspicious e-mails
If you are uncertain about an e-mail, it should be treated as suspicious. Reasons to be suspicious can include the following:
- Marked as spam by your e-mail program or in the subject line
- Unclear who the sender is
- Unwanted or unexpected e-mails
- Unexpected attachments
- Spelling or formatting mistakes
- Inconsistencies
- Requesting a payment (e.g. to buy gift cards, invoices)
  - Messages that try to imitate superiors in this context are known as CEO fraud
  - Fake conferences can ask for registration fees or abstracts
- Links that you are meant to use to log in to an account
- Asking for login credentials, personal information or other sensitive information
- Putting you under pressure (e.g. through deadlines, demands for payment or accusations)
- Swearing you to secrecy or forbidding you from contacting the supposed sender
- The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
- The linked website is not secure (a warning is displayed next to the address line in the browser). Please do not voluntarily click any links in suspicious e-mails, even just to test them.
In case of doubt, suspicious e-mails can be sent to servicedesk@itc.rwth-aachen.de as an attachment. The IT Center can then assess whether the e-mail poses a threat and the type of threat where applicable. Please only forward the original e-mail to us, rather than forwards or e-mail chains that merely contain the e-mail. You should under no circumstances click any links in the e-mail or open attachments.
The steps that need to be taken when dealing with a suspicious e-mail depend on its type:
The e-mail is marked as spam
All e-mails that reach the RWTH Aachen University are checked for spam.
If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.
No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.
The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
All e-mails that reach the RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the server relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.
If suspicious code is detected in an attachment, the attachment is replaced with the following text:
This attachment contained a virus and was stripped.
Filename:
Content-Type:
Virus(es):
Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except deleting it.
The e-mail is unrecognised spam
If you receive an unwanted e-mail that has not been recognised as spam by the system, and marked as such, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.
It is critical that the original e-mail is forwarded as an attachment to spam@access.ironport.com. Simply forwarding the e-mail as text is not sufficient!
Spam that does not pose a technical threat, such as advertising and simple hoaxes, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.
The e-mail is an unrecognised phishing e-mail or contains an undetected virus
Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.
Please report the malicious e-mail by sending it as an attachment to servicedesk@itc.rwth-aachen.de and spam@access.ironport.com. The e-mail can then be analysed and countermeasures can be enacted. Simply forwarding the e-mail as text is not sufficient.
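What "as an attachment" means at the MIME level, shown as an added example that is not IT Center code: the original is wrapped unchanged as a message/rfc822 part, so its headers reach the analyst, which forwarding as text loses. The function names, the `malicious` flag, the report subject and the sample message are assumptions made for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Addresses and subject markers as given on this page.
SERVICEDESK = "servicedesk@itc.rwth-aachen.de"
SPAM_FILTER = "spam@access.ironport.com"
SPAM_TAG = "***** SPAM *****"
VIRUS_TAG = "VIRUS REMOVED / ENTFERNT"  # page shows it with and without inner spaces

# Constructed sample message (not a real e-mail).
SAMPLE = (
    b"Received: from mail.example by mx.example; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    b"From: IT Support <support@mail.example>\r\n"
    b"Message-ID: <constructed-1@mail.example>\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"\r\n"
    b"Log in here to keep your account.\r\n"
)

def report_recipients(raw: bytes, malicious: bool) -> list[str]:
    """Map a raw message to the report addresses for the cases on this page.

    `malicious` is the reader's own judgement (phishing or suspected virus
    versus plain spam); it is a hypothetical parameter of this example.
    """
    subject = str(message_from_bytes(raw, policy=policy.default)["Subject"] or "")
    if subject.lstrip().startswith(SPAM_TAG) or VIRUS_TAG in subject:
        return []  # already marked by the gateway: delete, nothing to report
    return [SERVICEDESK, SPAM_FILTER] if malicious else [SPAM_FILTER]

def build_report(raw: bytes, reporter: str, recipients: list[str]) -> EmailMessage:
    """Wrap the untouched original as a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(recipients)
    report["Subject"] = "Suspicious e-mail report"
    report.set_content("The original message is attached unmodified.")
    # Attaching the parsed message object yields a message/rfc822 part, so the
    # original headers (Received, Message-ID, From) travel with the report.
    report.add_attachment(original)
    return report

if __name__ == "__main__":
    to = report_recipients(SAMPLE, malicious=True)
    print(build_report(SAMPLE, "reporter@example.org", to).as_string())
```

The script only builds the report and never opens links or attachments in the original; the raw bytes would come from a saved .eml file.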