Humboldt-Universität zu Berlin - Computer and Media Service

As described in the introduction to email at HU, each email has two senders: the sender used on the communication path (Envelope From or Envelope Sender) and the name and email address displayed by the email client (From or Sender).

For HU senders, From and Envelope From are usually identical and end with @hu-berlin.de or @sub.hu-berlin.de, with 'sub' being a common subdomain at HU. For mailing lists operated at HU, a specific Envelope From is used.

Possible indicators of malicious emails:

• From and Envelope From do not match
• The name and email address (or Envelope From) of the sender do not match
• Envelope From is empty
• From and Envelope From use different domains/email providers
• The email is not addressed to you
• A Reply-To is set that has no contextual relevance to the email
• You have no relation to the sender, recipient, or Reply-To
• A very large number of recipients
• Your own email address is listed as the sender

In many cases, malicious emails can be identified by the subject line. Possible indicators include:

• Non-descriptive subject lines, such as "Update" or "Information" without further context
• Greetings in the subject line
• Emails without a subject or only "Re:" or "Fwd:"
• Expression of urgency
• Emojis in the subject line

As mentioned, malicious emails try to simulate various scenarios to trick recipients into revealing login credentials or responding to emails in other ways. The content or intent of a suspicious email should always be considered together with the language used and your expectations.

Examples of phishing:

• Storage space or quota for your email account is exhausted
• The email address or account needs improvement or requires an update/upgrade
• The account must be "confirmed" to continue using it
• A new or different system is being introduced or "the system" is being updated
• New security procedures are being introduced
• "Unusual activities" have been detected
• Emails are being held back

Examples of scams:

• Your device has allegedly been hacked
• You have an outstanding payment
• Questions about availability from your supposed supervisor
• "Donations" from dubious sources like inheritances, lotteries, or other charitable donations
• Held or undelivered packages
• Supposed responses to emails you never sent
• Warnings about topics not under your responsibility

Phishing emails typically contain links to websites that request your login credentials. These sites often feature a more or less well-faked login page for, for example, a webmail application or even a request without any information. If these are not immediately noticeable, you can check where this website is located.

Links or URLs have a fixed structure. The most common form is http://host/path or https://host/path.

"host" indicates on which server a website is located. "path" describes where on this server the website to be opened is located.

"host" consists exclusively of letters, numbers, hyphens, and periods. Slashes ('/') are not valid characters for hostnames, meaning the first slash after the hostname forms the separator between the host and the path. Additional special characters and slashes are allowed in the path. Furthermore, hostnames follow the hierarchical structure of the Domain Name System (DNS). The period serves as the separator between the different levels in this hierarchy. The levels are sorted from specific to general. The most specific level is on the far left in the hostname. The most general level is on the far right, before the first slash or the beginning of the path.

At HU, we use the domain hu-berlin.de, so the subdomains and hostnames used at HU end with hu-berlin.de. HU will never ask you to enter your login credentials on a website outside of hu-berlin.de or to disclose your login credentials in any other way!

Example of a correct URL:

https://webmail.cms.hu-berlin.de/roundcubemail/

Examples of incorrect or phishing URLs:

https://webmail-cms-hu-berlin.de/roundcubemail/

https://webmail.cms-hu-berlin.de/roundcubemail/

https://webmail.cms.hu-berlin.de.example.com/roundcubemail/

https://example.com/webmail.cms.hu-berlin.de/roundcubemail/

In HTML emails, it may be that questionable URLs are "disguised" by displaying a different URL. In most email clients and web browsers, you can see the actual URL by hovering your mouse over the corresponding link. Additionally, current web browsers highlight the domain in the address bar, making it easier to recognize.

Malicious emails often stand out due to poor language or unusual expressions. Sometimes, these are written in foreign languages not typically used for official emails at HU.

In particular, scam and phishing attempts often try to create a sense of urgency. This is expressed through the wording of the emails, as well as very short deadlines, usually only a few days. This urgency is accompanied by the threat of immediate consequences and is intended to encourage hasty action.

Other indicators include:

• vague or nebulous wording
• missing or broken umlauts
• special characters not typical for the language used
• inconsistent formatting
• an overall appearance of an allegedly official email that seems careless

One of the most important criteria for identifying harmful emails is the question of whether you should receive them at all if they were legitimate.

Typical scenarios for emails you should not receive:

• Notifications about services or software that we do not use or offer at HU
• Notifications that your mailbox has exceeded its quota
• Notifications about "held back" emails or emails in quarantine
• Notifications about expired or "pending" domains
• Notifications about outstanding payments
• Notifications about "held back" packages
• Emails from service providers (e.g., banks) where you are not a customer
• Emails from service providers to your HU account, even though you are registered there with your private email address

If a sender has signed an email, you can verify both the authenticity and integrity of that email using a correct signature. For more detailed information, please refer to the FAQ of the HU-PKI.

Each time an external mail server connects to HU, the IP address of the connecting server is checked. If the address is on one of the used blocklists, the connection is rejected before the sender and recipient of a potentially sent message are known. If a server's reputation is too poor, the connection is also rejected. In both cases, the mail server of the other party sends a Delivery Status Notification (the exact term depends on the mail server) to the sender, informing them of the reason for non-delivery.

If the delivering mail server has a poor—but not too poor—reputation, the accepted mail volume is limited. If the limit is exceeded, further connections are temporarily rejected, meaning delivery can be attempted again at a later time.

Similarly, the IP addresses of HU mail servers are checked when an email is sent from HU to an external provider. If HU is listed on a blocklist or has a poor reputation, communication with other institutions will be significantly impaired.

Blocklists and reputation databases are dynamically managed, so their content is constantly changing. It can happen that mail traffic with another institution temporarily stops. Usually, this only lasts a few days.

The HU virus filter distinguishes between emails sent from outside to HU and those sent by users at HU.

If malware is detected in an incoming email from outside, the email is discarded (i.e., not delivered), and a message is generated to the target address informing them about the detected malware and the resulting non-delivery. Since sender addresses are often forged, no notification is sent to the sender.

If malware is detected in an email sent from HU, the email is also discarded, but the sender is notified.

Emails that are not already stopped earlier go through the spam filter. If an email is classified as spam, an additional header "X-Spam-Flag: YES" is added. Emails marked with a spam flag can be automatically sorted into a separate folder in your mailbox.

Since a clear distinction between spam and legitimate, desired emails is not always possible, it can happen that emails are incorrectly classified as spam.

In addition to the spam filter, emails are checked for known phishing campaigns and patterns based on various criteria. This includes, in particular, known senders and subject lines. Emails classified as phishing are delivered to the recipient in the form of a warning email. The actual email is attached to the warning.

If an email sent from HU is classified as phishing, a warning is sent to the sender, but the email itself is not processed further.

Since phishing emails try to imitate legitimate emails, it can happen that actually legitimate emails are marked as phishing. Depending on the sender and context, we do not always have a meaningful way to distinguish real emails from phishing emails.

In addition to filtering emails, we block access to websites used for phishing within the HU network. Instead, a redirection to a warning page occurs.