SPAM and other unwanted messages


The Problem - Unwanted messages - SPAM, Phishing, e-mail borne viruses, instant message borne viruses, ...

 

Almost everybody gets them. Messages advertising stock market tips, office supplies and pornographic sites or promising easy money or miracle cures. Messages warning of dire consequences or lost fortunes if the messages aren't forwarded to everyone we know. Scams attempting to fool victims into typing banking information and passwords into fake web sites. They're a nuisance, wasting our time and computing resources. Some are shocking, others are fraudulent and illegal.

SPAM continues to be a growing problem. Malicious and nuisance messages continue to grow in number and in the sophistication of the ways they get past SPAM filters, fool people, and in some cases deliver malware. This situation is not likely to improve in the near future. 600 million people around the world have the ability to send us messages. Anonymity and instant, worldwide communications combined with our desire to be reachable make it impossible to prevent. Anyone can connect a computer to the Internet and send messages. Public computers abound. Unsafely operated computers are abundant and easily used by abusers and criminals. Neither the computer operators, who may be regular home computer users, nor the network operators, who may be mass Internet Service Providers, are equipped to handle the notification and cleanup reliably and in a timely manner. While there are laws prohibiting SPAM, they are largely ineffective for a variety of reasons.

Our e-mail system attempts to discriminate between wanted and unwanted messages. It's doubtful that a person could do this with 100% accuracy. For a machine it's impossible. If the machines are configured to be stricter, the chances of losing legitimate messages increase. At peak times, our email system blocks an average of over 240 messages per minute that it has classified as SPAM and thousands of messages per hour that carry viruses.

Criminals and abusive marketers are increasingly using the Internet. Oftentimes, they use virus-infected home computers and/or computers in other countries to send the stuff, making it easy for them to avoid blocks and prosecution. Various sources estimate that unwanted messages constitute anywhere from 60% to 80% of all Internet e-mail and that the average person receives anywhere from half a dozen to two dozen messages daily. In the first half of 2005, 5.7 million fraudulent "phishing" messages alone were detected *PER DAY*. There has been a large increase in this type of fraud over the past several months and it is expected to continue.

We continue to evaluate our email system for improvements. Buying new anti-spam solutions would require a complete rebuild of our e-mail system and, as yet, there is no guarantee that it would improve the situation. There are a variety of schemes being planned that depend upon partial authentication of senders to allow receiving e-mail servers to make decisions. All these schemes depend a lot on the participation of the majority of Internet e-mail senders and are vulnerable to the use of compromised computers within a domain, which is more and more common through the use of 'BOTS'.

And even as we and the rest of the Internet improve our motivation and ability to handle unwanted and abusive e-mail messages, criminals are moving to instant messaging and other technologies to spread their abuse.

Image SPAM - Explanation of those pictures you've been receiving the past several months.

 


 

Prevention - How to minimize unwanted messages

 

In our present environment, it is impossible to prevent people from sending us unwanted messages if they know our e-mail address.

Theoretically, if we assigned staff 24 X 7 to do nothing but watch for this stuff and block it as it came in, we'd put a dent in it. But aside from the resources it would take, it would be a reactive process where messages would still get through even if we searched through individual mailboxes. Additionally, legitimate messages would likely be delayed or lost as we blocked email servers that were unknowingly being used to forward SPAM.

 

Minimizing reception of unwanted messages

You can minimize unwanted messages by keeping your e-mail addresses private but it is very difficult to do these days and is something a lot of us go out of our way not to do. What good is an address nobody knows about?

  • The more your e-mail address is available, the more spam you'll receive. Minimize this availability for your primary e-mail account. Free webmail accounts are available for the asking although you should review the provider's privacy policy before signing up. Use a separate account when possible and appropriate to use for things like:
    • listserv postings
    • newsgroup postings
    • forum postings
    • blog postings
    • signatures
    • web site registrations
    • web site publication
  • Minimize the places your e-mail address is published on web sites.
  • When you need to publish your e-mail address, make it harder for automated e-mail address harvesters. Disguise it. For example, instead of publishing 'eID@jmu.edu' publish 'eID AT jmu dot edu' or an image and don't make it a hyperlink.
  • HTML (web) based e-mail messages can contain "web bugs" that let the sender know when you read their e-mail. When they send you HTML messages, they include a link to an almost invisible graphic image. When your e-mail client or browser reads the message, it fetches the image from the spammer's site, letting them know a) that their message was viewed, b) that your email address is valid, and c) your computer's IP address, giving them an idea where you are and what organization you belong to. The only way to prevent this is to disable HTML based e-mail and/or automatic retrieval of images in your e-mail client. In JMU Webmail, go to the Preferences section and click "Block external content until requested".
  • Some web browsers will provide your e-mail address to web sites that you visit. You can check to see if your web browser gives out your e-mail address by visiting http://www.junkbusters.com/cgi-bin/privacy

Unfortunately, there are many ways spammers and criminals can get our e-mail addresses that are beyond our control.

 

Automatically delete "junkmail" messages without reading them

If you get tired of hitting the delete button, you can configure your personal e-mail preferences to delete messages classified as "junkmail" by our e-mail server.

The JMU e-mail server is configured to deliver messages it considers SPAM to the junkmail folder. The classification process is not, and cannot be, perfect. There will be false positives and negatives. If, however, your junkmail folder never has legitimate messages in it or you simply choose not to read it, you can configure your JMU e-mail account to delete messages identified as SPAM instead of having them placed in the junkmail folder. To do this:

  • go into JMU Webmail
  • click Options
  • click Junk Mail Control
  • click Junk Mail Filter.
  • Under Select a Filter Action
    • click the Discard button

Note that if legitimate messages are classified as SPAM by the e-mail server, this configuration will result in lost legitimate messages.

 

Automatically classify and handle messages according to personal preferences

If you are unhappy with the way our e-mail system classifies messages, you have the ability to modify it to match your personal needs and preferences in ways that are impractical to do for the entire population. JMU Webmail, Outlook, and most other e-mail services and clients include functionality that allows individuals to set up custom filters and actions. Filters allow you to screen messages based on text found in the messages' sender, subject, body, and other fields and take actions such as delete them, put them in a specified folder, or flag them in some way.

These personalized e-mail message filtering rules allow you to be as stringent as you want in blocking incoming messages. You can apply filters that are impractical when applied to the mailboxes of 30,000 diverse people. If you want to reject all messages containing the words "chase bank", "$20 reward", "to whom it may concern", "viagra", "penis", "paypal", "stock symbol", "free pics", and/or "ebay" you're free to do so. Just make sure you consider what types of legitimate messages may be blocked if you do so.

Be very careful with the parameters you select for filtering lest they match messages you really want. Use these guidelines before setting a filter to delete messages:

  • The longer and more unique the text the filter is set to match, the more accurate the filter is likely to be.
  • At first, set the filter to move matching messages to a folder rather than delete them. That way you can see what type of messages will be deleted. You can switch to delete after you're comfortable with the message selection process. Let it run at least a week, preferably two before setting it to delete messages unless you're really sure of the selection pattern you picked.
  • Always send yourself some test messages after creating or modifying a filter. Make sure you understand what your filter is doing.

In JMU Webmail, you get to the filtering setup by clicking Options on the left then clicking Message Filters at the top. In Outlook 2002, click the Tools menu and then Rules Wizard. Use the Help feature in your e-mail client or JMU Webmail for more information.

You can set up filters in your e-mail account, in which case the filters will work from whatever computer you are using. Or, you can set up filters in your e-mail client ( e.g. Outlook ), in which case the filters will only be active when you use the particular computer on which you set them up.

 

Personalized Message Filtering Options
Server Filtering

Server filtering allows you to have the same rules regardless of where you read your e-mail. Be very careful with any type of message filter. If misconfigured, you can lose legitimate e-mail messages. Be sure to test any changes you make.

  • JMU Webmail
    • Webmail allows you to specify which messages should be blocked, passed, or placed in the junkmail folder. Message filters configured in Webmail will be effective regardless of the computer from which you check your e-mail. They are applied on the e-mail server rather than at the client. Click Options on the left then click Message Filters at the top. For more details, click Help in a Webmail session and look for the section "Message Filters". Be sure you understand the difference between the 'contains' and the 'matches' conditions before using them.
    • It is strongly recommended that you read and understand the Help material mentioned above thoroughly before creating or modifying a message filter. Nevertheless, here is a simple example of a filter that will irretrievably discard all messages containing "you won a million bottles of viagra" in the subject line.
      • Select the box that says "If all of these conditions are met"
      • Click the first condition box and change it from 'From:' to 'Subject'.
      • Leave the second condition box set to 'contains'.
      • In the third condition box, type the subject line exactly as it appears. ( you won a million bottles of viagra )
      • Make sure "apply to all incoming messages" is NOT selected. If this option is selected, the filter action will be performed on every incoming message. In the case of this example, every incoming message will be irretrievably discarded.
      • Select the radio button labeled "Discard ( message is irrevocably lost )"
      • Check the checkbox labeled "Do not apply any more filters to this message if action is taken"
    • After you click OK, all messages matching the filter will be discarded before they get to your mailbox. Note that since the example uses the 'contains' condition, a forwarded message with a subject line like 'FWD - what do I do with this re: you won a million bottles of viagra' would match and be discarded. Using the 'matches' condition would require an exact match and a forwarded message would likely be delivered.
  • IMAP Clients (Outlook, Outlook Express, Mac Mail, Entourage, Netscape, Eudora, etc.)
    • You cannot personalize your server e-mail filters from an IMAP client. However, you can go into Webmail, apply your changes, and they will be effective when you retrieve messages from your IMAP client on any computer.

 

Client ( i.e. desktop ) Filtering

Client filtering also allows you to personalize how your messages are handled. However, unlike server filters, the filtering is done at the client, not the server. Therefore, the filtering will only be effective on the computer you configure it on. Be very careful with any type of message filter. If misconfigured, you can lose e-mail messages. Be sure to test any changes you make.

  • Outlook 2002
  • Outlook Express 6
    • Outlook Express does not support filters for the type of e-mail server we have at JMU (IMAP). If you are using a POP mail server you can filter messages with Outlook Express. From the main menu select Tools -> Message Rules -> Mail
  • Mozilla
    • From the main menu, select Tools -> Message Filters

Information Technology Services at the University of Iowa has a fairly detailed page showing filtering setup and capabilities of Outlook 2003 and Eudora. It can be found here.

 

 

Lower the junkmail threshold

This option is not recommended without significant testing and is included here for completeness. Besides filtering messages based on your own criteria, you can also lower the threshold at which our mail system moves messages to the junkmail folder. The mail system scores each message based on many measurements. If the score is 50 or above, it is considered spam and is delivered to the junkmail folder rather than the inbox. The mail system adds a header with the message's score. You can create an individual message filter that looks at that header and treats the message as you see fit at any score value, 40 for example. Use the instructions above for creating a message filter. Set it up to use the UCE junkmail score as the condition. Of course, you can combine the message score with other conditions if you wish to fine tune it.

UCE junkmail scores on existing messages can be seen by examining the full email headers. Messages appearing to be from @jmu.edu senders are white-listed. That is, anti-SPAM rules do not apply to them so the UCE junkmail score will not appear in those messages.
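
The filter-testing advice, the 'contains' versus 'matches' distinction and the score threshold described above can be tried out together in a dry run before any rule is set to discard. This is an added example, not JMU Webmail's own code: the header name `X-Example-UCE-Score`, its bare-integer format, the case-sensitive comparison and the sample mailbox are all assumptions.

```python
from email.message import EmailMessage

# Hypothetical header name and bare-integer format; the page does not give the real ones.
SCORE_HEADER = "X-Example-UCE-Score"
PHRASE = "you won a million bottles of viagra"


def make_msg(sender, subject, score=None):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if score is not None:  # white-listed @jmu.edu mail carries no score header
        msg[SCORE_HEADER] = str(score)
    return msg


# Constructed sample mailbox (not real messages).
MAILBOX = [
    make_msg("promo@bulk.example", PHRASE, 92),
    make_msg("colleague@jmu.edu", "FWD - what do I do with this re: " + PHRASE),
    make_msg("events@conference.example", "Registration receipt", 41),
    make_msg("sales@supplies.example", "Cheap office supplies", 44),
    make_msg("chair@dept.example", "Meeting agenda", 12),
]


def subject_contains(text):
    # 'contains': the text may appear anywhere in the subject line
    return lambda m: text in str(m["Subject"] or "")


def subject_matches(text):
    # 'matches': the whole subject must equal the text, as the page describes
    return lambda m: str(m["Subject"] or "").strip() == text


def score_at_least(threshold):
    def cond(m):
        raw = m[SCORE_HEADER]
        if raw is None:
            return False  # no score header: the condition can never match
        try:
            return int(str(raw).strip()) >= threshold
        except ValueError:
            return False  # unparseable score: deliver rather than act on it
    return cond


def dry_run(conditions, mailbox):
    """Subjects a rule would act on when all conditions are met; nothing is deleted."""
    return [str(m["Subject"]) for m in mailbox if all(c(m) for c in conditions)]


if __name__ == "__main__":
    rules = {
        "subject contains": [subject_contains(PHRASE)],
        "subject matches": [subject_matches(PHRASE)],
        "score >= 50": [score_at_least(50)],
        "score >= 40": [score_at_least(40)],
    }
    for label, conditions in rules.items():
        print(label, "->", dry_run(conditions, MAILBOX))
```

In this sample the 'contains' rule also catches the colleague's forwarded question, and dropping the threshold from 50 to 40 sweeps in the registration receipt, which is the kind of loss the move-to-folder trial period is meant to surface.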

 

 

 


 

Reaction - Handling SPAM and other unwanted messages when they can't be prevented

Given the nature of today's Internet and e-mail, it is almost inevitable that you will receive unwanted messages. Malicious messages intended to deceive us are also on the rise. Due to their increasing sophistication, it is difficult to provide specific guidance without a very long list of complicated and conflicting rules that may or may not apply. The best general advice for minimizing risk due to malicious messages is:

  • If you receive a message that poses immediate danger to health or welfare, contact law enforcement. Do not delete the e-mail.
  • Do not click links or attachments of any type in unexpected e-mail or instant messages when:
    • There are no serious consequences if you don't act on the message. For example, cold sales calls, jokes, games, holiday cards, chain letters, and news items. If the news items are of interest, go to a known good web site for the information rather than clicking the link in the message.
    • The message involves sensitive information. For example, finance, account passwords, SSN, computer updates and security, and health information. In these cases, it is best to navigate to a known good web site, preferably one that has been previously used, and verify the information.
  • If in doubt, contact the apparent sender for verification.
  • If you click a link in an e-mail or instant message and your browser warns you of risk, do not ignore the warning. Do not proceed. Cancel the action. The best way to do this is by clicking the Close button in the uppermost right-hand corner of the warning or window. This is usually displayed as an 'X'. Be sure to click the uppermost corner as some sites will display fake windows and Close buttons which act as if the OK button was clicked. On Windows computers, typing Alt-F4 will close the active window. Assuming the message was expected and the sender known to you, ask them why you are getting this warning. If there is any doubt in the validity of the message or sender, do not proceed. Ask for assistance.
  • If you fall victim to a "phishing" scam, that is, you type your banking, stock trading, paypal, password, or other sensitive information into a fake web site, follow the instructions for victims listed on the main computing security page under scams.

The most efficient and safe way to handle SPAM is to delete it. Never reply to it, click on any links, or follow instructions about removing yourself from a list. Doing so informs the SPAMMER that they've found a live mail box and you may find yourself getting more e-mail than before.

Refusing to purchase products advertised in SPAM may reduce motivation.

If you receive messages with images that offend you, most IMAP e-mail clients can be configured so they do not display images or display messages in text rather than HTML, the language of the web that supports images. This also reduces malware risk but obviously reduces functionality.

Images depicting child pornography can be reported to law enforcement or the National Center for Missing and Exploited Children who will forward the complaint to law enforcement. You'll need to copy and paste the mail headers into the form.

If you use the JMU e-mail server, you can report the SPAM that is not properly classified as junkmail to our e-mail vendor. This may enable them to improve their anti-spam services:

Various law enforcement agencies have set up e-mail addresses where SPAM and other objectionable messages can be sent.

You can also try complaining to the network hosting the sending computer though this is often ineffective. One service that tries to make this easy is SpamCop. However, this has limited success as many ISPs do not enforce adequate Appropriate Use Policies, some SPAM is sent through unrelated, inadequately managed servers, some spammers forge the mail headers, and some spammers move from place to place as they're discovered.

If you receive a message that warns of a deadly new virus, offers advice on configuring a computer to prevent viruses, or offers a patch, please check with official support staff, hoax information sites, or the JMU Computer Security Hot Topics page before following its instructions or forwarding it. There are many virus related hoaxes. Some just cause needless concern and mail traffic. Others offer damaging advice or actually deliver a virus.

Delete all chain letters without forwarding them.

If you are being "mail bombed", that is, someone is filling your mailbox intentionally with hundreds of messages, contact the JMU Computing Helpdesk at 568-3555 or helpdesk@jmu.edu.

 


 

Miscellaneous

If you are curious how computer software tries to determine whether a message is SPAM or not, the tests performed by a product called SpamAssassin are described here.

 

Issues related to forwarding JMU e-mail to off-campus providers

When you forward your e-mail to third party providers, be careful of complaining about SPAM. For example, if you read e-mail using an AOL account and you click the AOL 'spam' button, AOL looks to see who sent the message. If the number of SPAM complaints goes above a threshold, the sender will be blocked from sending further messages to all AOL accounts.

  • If someone spams your JMU e-mail account and you've set the account to forward to your AOL account, the message will be forwarded by the JMU e-mail server to your AOL account. Unfortunately, at that point it looks to AOL as if JMU was the spammer. If too many people complain, JMU will get blocked from AOL and you will no longer receive any e-mail through your JMU e-mail account.
  • Apparently, the 'save' and 'spam' buttons on the AOL client are in close proximity leading to lots of people hitting the wrong button. People are hitting the SPAM button which again may result in JMU not being able to send e-mail to AOL.

When you read and send e-mail using the JMU e-mail system with a browser or properly configured e-mail client, your sessions are encrypted between your desktop and our e-mail server. As long as the messages are sent between people using the JMU e-mail system, the messages are protected from prying eyes on the wire. Once the message leaves the JMU e-mail system, anyone with access to the wires or interim e-mail servers can view the messages.

 

Phishing Fraud

Attempts to trick people into providing account numbers, passwords, and other sensitive information through fraudulent e-mail and web sites are becoming commonplace. Symantec reported 7.5 million of these messages were sent per day in the first half of 2005. If you haven't seen these, take a look at recent examples shown at http://www.fraudwatchinternational.com/phishing/index.php to see how easy it is to fake e-mail and web sites. Do not provide sensitive information or install software based solely on the information in an e-mail or instant message. Verify. More information on phishing and general electronic communications fraud is located on the main JMU computing security page.