Spam, Scam, Phishing, and Other Unwanted Emails
Unwanted emails are often referred to collectively as spam, but they can be categorized into different types according to their intent.
Spam typically refers to mostly harmless but annoying advertising content of various forms.
Scam emails aim to deceive, for example, by demanding ransom for allegedly stolen data.
Phishing attempts to trick recipients into revealing their login credentials or other personal information. Captured login credentials can then be used to send malicious emails or to launch other attacks with the newly acquired privileges. A classic example is an email asking you to "confirm" your account so that it is not blocked.
A clear distinction between types of malicious emails is not always possible. Sometimes, identity theft is used to disguise scam or phishing attempts, making them more believable to recipients. Phishing emails are often sent in the name of supposed IT support.
Additionally, all types of unwanted emails can be used to spread viruses and other malware.
The motivation behind unwanted emails generally depends on their type but is not always apparent. In the case of phishing, universities and other institutions are a lucrative target because compromised accounts let attackers exploit the institution's existing, usually good reputation and its network connectivity.
Identifying Unwanted Emails
Malicious emails can be identified based on various indicators:
- Sender, recipient, reply address (Reply-To)
- Subject
- Content
- Links
- Language and phrasing
- Expectations
- Cryptographic signatures
There are numerous scenarios in which a legitimate email meets one or more of the criteria described below, so none of them should be treated as a standalone indicator. Instead, it is important to piece together the "right" picture from several indicators in order to assess the legitimacy of an email.
If in doubt, you can always contact the CMS user support regarding emails received at your HU account. Attach the suspicious email or forward it as an attachment.
As described in the introduction to email at HU, each email has two senders: the sender used on the communication path (Envelope From or Envelope Sender) and the name and email address displayed by the email client (From or Sender).
For HU senders, From and Envelope From are usually identical and end with @hu-berlin.de or @sub.hu-berlin.de, where sub stands for any of the subdomains used at HU. For mailing lists operated at HU, a specific Envelope From is used.
Possible indicators of malicious emails:
- From and Envelope From do not match
- The name and email address (or Envelope From) of the sender do not match
- Envelope From is empty
- From and Envelope From use different domains/email providers
- The email is not addressed to you
- A Reply-To is set that has no contextual relevance to the email
- You have no relation to the sender, recipient, or Reply-To
- A very large number of recipients
- Your own email address is listed as the sender
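The sender-related indicators above can be checked mechanically on a message's headers. The following script is an added example (not CMS code); it treats the Return-Path header written by the delivering mail server as the Envelope From, and the non-HU hosts in the constructed sample message are placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real HU email). Return-Path is the header the
# delivering mail server writes from the Envelope From; mailer.example.net
# and example.org are made-up placeholder hosts.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
From: "HU IT-Support" <support@hu-berlin.de>
Reply-To: <helpdesk@example.org>
To: <someone-else@hu-berlin.de>
Subject: Update

Please confirm your account within 24 hours.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain of an address header value, '' if there is none."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""

def sender_indicators(raw: str, my_address: str) -> list[str]:
    """Return the sender-related indicators from the list above that apply."""
    msg = message_from_string(raw)
    hits = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if "Return-Path" in msg:
        env_addr = parseaddr(msg["Return-Path"])[1]
        if not env_addr:  # "Return-Path: <>" is an empty Envelope From
            hits.append("Envelope From is empty")
        elif env_addr.lower() != from_addr.lower():
            hits.append("From and Envelope From do not match")
            if domain_of(env_addr) != from_dom:
                hits.append("From and Envelope From use different domains")
    # Display name that looks like an address but whose domain differs
    if "@" in name and domain_of(name) != from_dom:
        hits.append("sender name and email address do not match")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append("Reply-To points to a different domain")
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    if my_address.lower() not in [a.lower() for _, a in getaddresses(rcpts)]:
        hits.append("the email is not addressed to you")
    if from_addr.lower() == my_address.lower():
        hits.append("your own email address is listed as the sender")
    return hits
```

Run as `sender_indicators(SAMPLE, "alice@hu-berlin.de")` (alice is a placeholder recipient) and the sample yields four of the indicators; a legitimate HU message with matching From and Return-Path yields none.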
In many cases, malicious emails can be identified by the subject line. Possible indicators include:
- Non-descriptive subject lines, such as "Update" or "Information" without further context
- Greetings in the subject line
- Emails without a subject or only "Re:" or "Fwd:"
- Expression of urgency
- Emojis in the subject line
As mentioned, malicious emails try to simulate various scenarios to trick recipients into revealing login credentials or responding to emails in other ways. The content or intent of a suspicious email should always be considered together with the language used and your expectations.
Examples of phishing:
- Storage space or quota for your email account is exhausted
- The email address or account needs improvement or requires an update/upgrade
- The account must be "confirmed" to continue using it
- A new or different system is being introduced or "the system" is being updated
- New security procedures are being introduced
- "Unusual activities" have been detected
- Emails are being held back
Examples of scams:
- Your device has allegedly been hacked
- You have an outstanding payment
- Questions about availability from your supposed supervisor
- "Donations" from dubious sources like inheritances, lotteries, or other charitable donations
- Held or undelivered packages
- Supposed responses to emails you never sent
- Warnings about topics not under your responsibility
Phishing emails typically contain links to websites that request your login credentials. These sites often present a more or less convincing fake of a login page, for example that of a webmail application, or simply a bare credential prompt without any further information. If the fake is not immediately obvious, you can check where the website is actually located.
Links or URLs have a fixed structure. The most common form is http://host/path or https://host/path.
"host" indicates on which server a website is located. "path" describes where on this server the website to be opened is located.
"host" consists exclusively of letters, numbers, hyphens, and periods. Slashes ('/') are not valid characters for hostnames, meaning the first slash after the hostname forms the separator between the host and the path. Additional special characters and slashes are allowed in the path. Furthermore, hostnames follow the hierarchical structure of the Domain Name System (DNS). The period serves as the separator between the different levels in this hierarchy. The levels are sorted from specific to general. The most specific level is on the far left in the hostname. The most general level is on the far right, before the first slash or the beginning of the path.
At HU, we use the domain hu-berlin.de, so the subdomains and hostnames used at HU end with hu-berlin.de. HU will never ask you to enter your login credentials on a website outside of hu-berlin.de or to disclose your login credentials in any other way!
Example of a correct URL:
https://webmail.cms.hu-berlin.de/roundcubemail/
Examples of incorrect or phishing URLs:
https://webmail-cms-hu-berlin.de/roundcubemail/
https://webmail.cms-hu-berlin.de/roundcubemail/
https://webmail.cms.hu-berlin.de.example.com/roundcubemail/
https://example.com/webmail.cms.hu-berlin.de/roundcubemail/
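The host check described above, written out as an added example (not CMS code): it extracts the host exactly as the http(s)://host/path structure dictates and then compares the DNS labels from the right, so that hu-berlin.de must appear as whole labels at the end rather than merely somewhere in the name. It also covers the user@host form that RFC 3986 allows but the list above does not show.

```python
from urllib.parse import urlsplit

OWN_DOMAIN = "hu-berlin.de"  # the HU domain named above

def host_of(url: str) -> str:
    """Hostname of an http(s) URL, i.e. the part between '//' and the first '/'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    # urlsplit already strips a port and the optional user@ prefix, so a URL
    # such as https://webmail.cms.hu-berlin.de@example.com/ yields example.com.
    return (parts.hostname or "").rstrip(".")

def is_hu_host(host: str) -> bool:
    """True only if the host is hu-berlin.de itself or a name below it."""
    labels = host.lower().split(".")
    own = OWN_DOMAIN.split(".")
    # DNS labels run from specific (left) to general (right): the last labels
    # must equal the HU domain's labels exactly, not merely contain them.
    return all(labels) and labels[-len(own):] == own

def check_url(url: str) -> tuple[str, bool]:
    """Return (host, is_hu) for a URL; the host is what the reader should look at."""
    host = host_of(url)
    return host, is_hu_host(host)

EXAMPLES = [  # the URLs listed above: the first is genuine, the rest are not
    "https://webmail.cms.hu-berlin.de/roundcubemail/",
    "https://webmail-cms-hu-berlin.de/roundcubemail/",
    "https://webmail.cms-hu-berlin.de/roundcubemail/",
    "https://webmail.cms.hu-berlin.de.example.com/roundcubemail/",
    "https://example.com/webmail.cms.hu-berlin.de/roundcubemail/",
]

if __name__ == "__main__":
    for url in EXAMPLES:
        host, ok = check_url(url)
        print(f"{'HU host    ' if ok else 'NOT HU host'}  {host:40}  {url}")
```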
In HTML emails, it may be that questionable URLs are "disguised" by displaying a different URL. In most email clients and web browsers, you can see the actual URL by hovering your mouse over the corresponding link. Additionally, current web browsers highlight the domain in the address bar, making it easier to recognize.
Malicious emails often stand out due to poor language or unusual expressions. Sometimes, these are written in foreign languages not typically used for official emails at HU.
In particular, scam and phishing attempts often try to create a sense of urgency. This is expressed through the wording of the emails, as well as very short deadlines, usually only a few days. This urgency is accompanied by the threat of immediate consequences and is intended to encourage hasty action.
Other indicators include:
- vague or nebulous wording
- missing or broken umlauts
- special characters not typical for the language used
- inconsistent formatting
- an overall appearance of an allegedly official email that seems careless
One of the most important criteria for identifying harmful emails is the question of whether you should receive them at all if they were legitimate.
Typical scenarios for emails you should not receive:
- Notifications about services or software that we do not use or offer at HU
- Notifications that your mailbox has exceeded its quota
- Notifications about "held back" emails or emails in quarantine
- Notifications about expired or "pending" domains
- Notifications about outstanding payments
- Notifications about "held back" packages
- Emails from service providers (e.g., banks) where you are not a customer
- Emails from service providers to your HU account, even though you are registered there with your private email address
If a sender has signed an email, you can verify both the authenticity and the integrity of that email, provided the signature is valid. For more detailed information, please refer to the FAQ of the HU-PKI.
Spear Phishing and Social Engineering
Most phishing attacks are general and target an undefined group of recipients. Spear phishing is specifically tailored to certain recipients and uses more specific information to enhance the appearance of legitimacy.
Social engineering refers to manipulative behavior aimed at obtaining confidential information or persuading a person to perform certain actions. This can also include disclosing confidential information or granting permissions that attackers would not otherwise have.
Neither is always immediately recognizable, and both may only become apparent once an attacker has achieved their goal. Spear phishing and social engineering are therefore difficult to detect or prevent through technical measures.
Countermeasures by CMS
As part of the email operations at HU, various measures against unwanted emails are implemented, including:
- Conventional blocklists
- Reputation databases
- Virus filters
- Spam detection and classification
- Filtering for known phishing campaigns
Depending on the classification, incoming emails are:
- Rejected before acceptance on the server
- Discarded and a warning about detected malware sent to the target address
- Delivered as an attachment to a phishing warning
- Marked as spam and delivered
Emails classified as harmless are also delivered.
Each time an external mail server connects to HU, the IP address of the connecting server is checked. If the address is on one of the used blocklists, the connection is rejected before the sender and recipient of a potentially sent message are known. If a server's reputation is too poor, the connection is also rejected. In both cases, the mail server of the other party sends a Delivery Status Notification (the exact term depends on the mail server) to the sender, informing them of the reason for non-delivery.
If the delivering mail server has a poor—but not too poor—reputation, the accepted mail volume is limited. If the limit is exceeded, further connections are temporarily rejected, meaning delivery can be attempted again at a later time.
Similarly, the IP addresses of HU mail servers are checked when an email is sent from HU to an external provider. If HU is listed on a blocklist or has a poor reputation, communication with other institutions will be significantly impaired.
Blocklists and reputation databases are dynamically managed, so their content is constantly changing. It can happen that mail traffic with another institution temporarily stops. Usually, this only lasts a few days.
The HU virus filter distinguishes between emails sent from outside to HU and those sent by users at HU.
If malware is detected in an incoming email from outside, the email is discarded (i.e., not delivered), and a message is generated to the target address informing them about the detected malware and the resulting non-delivery. Since sender addresses are often forged, no notification is sent to the sender.
If malware is detected in an email sent from HU, the email is also discarded, but the sender is notified.
Emails that have not already been stopped at an earlier stage go through the spam filter. If an email is classified as spam, an additional header "X-Spam-Flag: YES" is added. Emails carrying this spam flag can be automatically sorted into a separate folder in your mailbox.
Since a clear distinction between spam and legitimate, desired emails is not always possible, it can happen that emails are incorrectly classified as spam.
In addition to the spam filter, emails are checked for known phishing campaigns and patterns based on various criteria. This includes, in particular, known senders and subject lines. Emails classified as phishing are delivered to the recipient in the form of a warning email. The actual email is attached to the warning.
If an email sent from HU is classified as phishing, a warning is sent to the sender, but the email itself is not processed further.
Since phishing emails try to imitate legitimate emails, it can happen that actually legitimate emails are marked as phishing. Depending on the sender and context, we do not always have a meaningful way to distinguish real emails from phishing emails.
In addition to filtering emails, we block access to websites used for phishing within the HU network. Instead, a redirection to a warning page occurs.
Countermeasures for Users
As a user, you can also take active steps to protect yourself and all other members of HU from unwanted emails.
The first and simplest step is to activate the automatic spam filter. This ensures that emails already marked as spam are automatically delivered to the AutoCleanSpam folder. However, you should still regularly check this folder to avoid overlooking any misclassified emails.
The most important measure for you as a user is to carefully read emails based on the previously mentioned criteria. If you are ever unsure, you can always contact the CMS user support.
The same applies if you receive spam or phishing emails. Please forward the relevant messages to us, and we will try to improve our filtering measures. However, as with detection, there is no guarantee that similar emails will not occur in the future, as the senders of unwanted emails continuously develop their campaigns.
If you are asked via email to disclose your account and password, and possibly other personal data, then ignore this request!
If you are unsure, contact our user support. Please also encourage people in your environment to adopt this approach!
The only legitimate reason for CMS to send you a personal email with similar content is the reminder that your password is about to expire. Since your password is always valid for one year, you can always estimate the expected date from your last password change. You will receive this reminder four weeks before the expiration date and again one week before the deadline. This email does not ask you to send us your password, nor does it contain a direct link to the password change form.
The validity of the password can also be viewed via the account info.
If you do not comply with this genuine request, you will not lose anything: your data will not be deleted, and emails will continue to be delivered. You can still contact us (user support) and have the account reactivated.
Procedure in Case of Disclosure of Access Data
Falling for phishing or other harmful emails can have various reasons. Especially in stressful situations, such emails can be difficult to recognize.
If you find yourself in this situation, always remember: everyone makes mistakes, and you do not need to hide it. If you realize that you have entered your HU account access data on a phishing website or shared it in any other way, please change your password immediately! Additionally, feel free to contact us (user support), and we will assist you with further steps and provide tips on handling future phishing attempts.
Consequences of Successful Phishing Attacks
A single compromised account with a password is sufficient to launch a new phishing or spam wave within minutes. The result is a disruption of email traffic for the entire university. In the worst case, this can last for many days because the reputation of our servers, through which the emails are sent, significantly deteriorates. Legitimate and previously problem-free emails are then no longer deliverable, making communication with other institutions considerably more difficult.
As a side effect, phishers with a compromised account and password have access to the entire mailbox, all data associated with the account, and access to portals such as Agnes or Moodle, and possibly even non-university, privately used portals. In most cases, this also means unauthorized disclosure of personal information and thus a data protection violation.
Exceptions to Filter Rules
In principle, it is possible to define exceptions to filter rules, but we try to keep their scope as small as possible.
A defined filter rule always serves to protect all members of HU from unwanted emails. Exceptions to this usually only apply to one or a few senders and recipients and are therefore disproportionate in comparison. In most cases, only individual emails or a specific thread are affected by misclassified spam or phishing emails, not "the sender."
Criteria for exceptions include:
- Many recipients are affected
- The erroneous classification can be reproduced
- There is a sensible pattern for exceptions
Since email senders can be easily forged, we generally do not grant releases for individual addresses.
Further Links
- Phishing tips from the HU Information Security Team
- BSI website on spam, phishing, etc.
- Internet standard for formatting URLs/URIs (RFC 3986)
- Internet standard for DNS terminology (RFC 8499)
- Wikipedia on spam, scam, phishing, and social engineering