CCIT

Spam & Scams

Revised Mar 7 2005
This webpage is a compilation of resources for dealing with email spam problems, some general and some specific to certain email clients.

Whether you use WebMail or not, setting up spam filters with WebMail is the best way to trap spam--it gets caught at the email server before it reaches any other email client.
    Protect yourself from phishing!
  • Chain letters, email fraud and spam are moving targets, but we will make every effort to keep this webpage current. Please send Spam Abuse any suggestions.
  • Take advantage of the spam-fighting capabilities of SpamAssassin.
  • UA has many email servers; CCIT's Abuse Administrator can only filter/block email addressed to email.arizona.edu and u.arizona.edu. However, you should report all perceived spam there and the administrator will notify appropriate email-server administrators on campus.
  • When you receive spam at your email.arizona.edu / u.arizona.edu account, report it to the Abuse Administrator--regardless of whether you try to filter it yourself or report it to other agencies--so that new defensive measures can be taken for UA email.
  • UA's Email Administration contacts ISPs from which the mail is sent but does not contact law enforcement agencies on your behalf--you would need to do that and there are instructions below, where appropriate.


Phishing

Phishing is an online scam that uses a replica of a familiar webpage or email address to 'spoof' or fool you into submitting personal information. See the phishing webpage for details and safeguards.

Filtering Techniques

Many email clients, servers and ISPs provide filtering ability. Filtering can often be done at one or all locations.

  • Placing your filters on the UA email server itself is the preferred approach, and you use WebMail to do it. Filtering using WebMail is simple and straightforward. The only limitation of server-side filtering for your account is that any email forwarding that you might do will occur before the filter is executed.
  • The new (July 2003) email.arizona.edu system has SpamAssassin integrated into it. This offers some special enhanced capabilities to help you easily identify and manage spam.
  • A limitation of a client-side filter is that it cannot function if you occasionally use WebMail to read your email or you read your mail from more than one location.
  • Filters installed at either location must be used with caution. For instance, in the case of the Korean character-set example used later, a filter can trap all incoming Korean email to you--both desirable messages from Korea in Korean and spam. (This is also why this filter cannot be set up system-wide by Email Administration.)

Two common items used as the basis for any filtering are

  • the originating address of an email (this is very easy to set up)
  • the character set
To find out what these are, you need to take a sample email and fully expand the headers to see the contents.

Filtering with WebMail

Several things to note when you begin filtering:
  • Filtering only serves a purpose if you get multiple messages from the same address.
  • Many spammers vary the From: address with each mailing which makes them impossible to filter. It wastes your time to set up a filter that would only be used once.
  • If you normally use an email client other than WebMail, you should be logged off that client before you begin working with WebMail.

See the filtering techniques made possible with SpamAssassin.

One way to do WebMail address filtering is to type addresses into a Blocked List.

  1. Click the Blocked List icon (it shows up in numerous places).
  2. In the Blocked List window that opens, enter the email addresses that are to be rejected (in the format gnat@spammer.con). You may use wildcards in the addresses.
  3. Choose whether rejected email is to be deleted or automatically moved to a special folder that you have set up to hold these messages. Until you are certain that the Blocked List rule is functioning correctly, it is best to hold rejected files in a folder so you can examine them. (This special folder needs to be set up, under Mail functions, before it will appear and be usable in Blocked List's folder pulldown.)

  4. Save the rule.

Another way to make Blocked List entries occurs as you read your email:

  1. Read an email with an originating address you would like to reject in the future.
  2. Click on Block Sender and that email address will be added to those in your Blocked List rule.

You can set up Filter Rules to do even fancier processing. It is slightly more complicated but safer and gives you more control. Using Filters allows you to reject based on address, as Blocked List does, but also to do other kinds of WebMail filtering, such as:

  • filter on a field other than the sending address like size, attachment name, etc.
  • choose another action besides rejecting the email

Other fields in this form may be used for filtering, as in this advanced technique example, or you can contact the Abuse Administrator, who can help you install a nonstandard filter.

Choose a destination ("Do this") for the email. At least initially, store rejected email in a special mailbox (folder). One called Bad-Email could be used as a special holding area until you're confident that your filters work properly. The folder must be created within WebMail under the Mail function prior to using it as a destination.

When the destination you choose is Deliver to this mailbox, you are given additional options of selecting a mailbox from the list of those WebMail knows and flagging ("marking") the message, such as "Deleted". You must choose a mailbox folder but marking the mail is optional.

After you have checked the contents of your Bad-Email folder for a while and are satisfied with the integrity of your filter(s), you can change the filter rule to set Do this: to Discard and the email would never show up in your mailbox!

You can make filtering more efficient by checking the Stop checking if this rule matches box (at the bottom) so that processing stops just as soon as a match is made. (As you add a filter criterion within a rule, you are presented with boxes for additional filter criteria that must be met.) Note that even if Stop checking... is selected, any filtered mail will be delivered to your Inbox unless you choose an option under Do this: like Discard or Deliver to this mailbox.

Because filters set up in Webmail take effect before the mail ever enters the Inbox, these filters will work regardless of where or with which mail programs (like Outlook, Eudora, etc.) you read your mail.

Other Email Clients

Filtering techniques vary by email client and by spam origin, but the Chinese/Korean filtering technique directly below might be useful as a model to craft filters for other sorts of spam which show an identifiable pattern in the header or in the body. If you use any mail client that lets you create rules based on the contents of the message headers, and you're bothered by spam, create rules that move or delete the messages.

If your email client cannot be configured, you can forward the mail with fully expanded headers to CCIT's Email Abuse Administration.


Reporting Spam and Getting Help at UA

In order for Abuse Administration to take action on spam, email headers must be fully expanded. Most spam has forged From: addresses, but the expanded headers show where the email really came from.

Here's what to do to expand email headers:

  • In Webmail expand the headers by clicking on Headers: Show All Headers.
  • In Pine, use the H command to expand the headers.
  • Instructions for expanding the headers for other mailers are at http://spamcop.net

After you expand the headers, forward the email to abuse@email.arizona.edu.
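What the expanded headers show, as an added example that is not part of the original page: each mail server prepends a Received: line, so reading from the top down, the last line written by a server you trust records the address that actually connected, and everything below it was supplied by the sender. The host names, addresses and the `.campus.example` suffix are constructed for illustration.

```python
import re
from email import message_from_string

# "from <name the sender claimed> ... by <server that wrote this line>"
HOP = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>[^\s;]+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Return the Received: hops, newest first, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        ip = IP.search(flat)
        hops.append({"helo": m["helo"], "by": m["by"].lower(),
                     "ip": ip.group(1) if ip else None})
    return hops

def boundary_hop(raw, trusted_suffix):
    """Oldest hop in the unbroken run of lines written by trusted servers."""
    boundary = None
    for hop in received_chain(raw):
        if not hop["by"].endswith(trusted_suffix):
            break                               # below here is sender-supplied
        boundary = hop
    return boundary

# Constructed message: From: claims a bank, headers show the connecting address.
SAMPLE = """\
Received: from mx.campus.example (mx.campus.example [10.0.0.5])
    by store.campus.example with ESMTP id CONSTRUCTED2; Mon, 7 Mar 2005 10:00:02 -0700
Received: from mail.bank.example (unknown [192.0.2.77])
    by mx.campus.example with SMTP id CONSTRUCTED1; Mon, 7 Mar 2005 10:00:01 -0700
Received: from internal.bank.example ([203.0.113.9]) by mail.bank.example; Mon, 7 Mar 2005 09:59:00 -0700
From: "Security" <security@bank.example>
Subject: verify your account

body
"""

if __name__ == "__main__":
    print(boundary_hop(SAMPLE, ".campus.example"))
```

The collapsed view of this message shows only the From: line; the boundary hop shows the connecting address 192.0.2.77 recorded by the receiving server, which is the detail an abuse desk needs to contact the originating ISP.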

Note that Abuse Administration at UA does not file complaints with the Federal Government on your behalf but it does contact the originating ISP where possible. Therefore, spam complaints need to be timely. A week or two after the fact, the spam is "old news" at the originating site. They've already dealt with the spammer if they are going to and the spammer has probably already moved on.

UA has many email servers on campus and CCIT's Abuse Administrator can only filter/block email addressed to email.arizona.edu and u.arizona.edu. You should, however, report all perceived spam there and the Abuse Administration will notify the appropriate email-server administrators on campus.


Filtering for Korean and Chinese Spam on Outlook 2002

Note that this will not function when reading your email from WebMail.

Thanks to Joellen Windsor (CCIT) and Henry Norr (SF Chronicle, 7.29.2002).

    This excerpt tells how to set up filters in Outlook 2002 for several different common Asian character sets. It filters for phrases in the message header.
  • In the program's main window, go to the Tools menu and select Rules Wizard.
  • In the Wizard window click New.
  • Select Check messages when they arrive and click Next.
  • Scroll down until you find the option labeled "with specific words in the message header". Click in the checkbox to the left of it.
  • At the bottom of the window you'll see a rule description with "specific words" underlined. Click on that phrase and enter the following: charset="ks_c_5601-1987"--including the quotation marks.
  • Click OK, then Next and tell the Wizard what you want the rule to do with the messages it traps. To play it safe, make your rule move such messages to your Deleted Items folder or a special holding pen you create.
  • Set any exceptions, name the rule, click Finish, then OK
  • To look at the headers, columnist Norr says: open the message and choose Options from the View menu.
  • Just to be safe, Norr suggests additionally setting charset=KS_C_5601-1987 (without quotation marks) and charset="euc-kr" (with and without quotation marks) and charset="gb2312" which is a traditional Chinese character set.

Nigerian Email Fraud

The United States Secret Service has formed a task force recently to investigate this fraud which is called the Nigerian 'Advance Fee' Fraud or the 419 Fraud, referring to the section of the Nigerian penal code which addresses fraud schemes.

The Treasury Department has a website documenting this Nigerian fraud scheme but the site only has a fax number for reporting. Instructions for reporting these by email are covered at a site maintained by a Coalition against the Nigerian scam. They list an email address for Task Force Main DC which goes to 419.fcd@usss.treas.gov. If you would like to report this spam to the proper authorities, read the Secret Service's and the Coalition's websites, which are very interesting.

If you do decide to report, read the Coalition's instructions, please. It will be easier to forward the messages to 419.fcd@usss.treas.gov rather than try to cut and paste into the webpage link. Also, be sure to send them the expanded mail headers.


Reporting to the Secret Service

See the Nigerian section, above.


Reporting to the Securities and Exchange Commission

The SEC has an Internet Enforcement Program. You can report stock pumping and other illegal securities offers to the SEC by forwarding the email offer with the expanded headers to enforcement@sec.gov. To read more about reporting to the SEC, see their Complaint Center.


Reporting to the Federal Trade Commission

The United States Federal Trade Commission has asked to receive reports of spam. Whether you report spam to the FTC or not, please always report it to abuse@email.arizona.edu.

The FTC recently announced that it is going to start going after spammers whose offers are illegal or fraudulent. At their website (http://www.ftc.gov and click File a Complaint Online) it says:

> If you would like to forward unsolicited commercial e-mail (spam) to
> the Commission, please send it directly to UCE@FTC.GOV without using
> this form.

This site is also where you would report identity theft.

The FTC handles enforcement for the chain letter described directly below.


$5 "Reports" Chain-Letter Fraud

This particular spam was the subject of recent enforcement action by the Federal Trade Commission. In a news article Timothy J. Muris, Chairman of the FTC, stated:
 
     ... seven people admitted they sent deceptive chain
     letters which promised $46,000 or more in 90 days to
     recipients who sent in $5 cash to each of five people at
     the top of the list.

     In return for the $5 payment, recruits received "reports"
     providing instructions about how to start their own chain
     letter schemes and recruit tens of thousands of others via
     e-mail.
     [...]
     FTC officials say they will mail warning letters to more
     than 2,000 individuals who are still running this chain
     letter scheme.

This article contained a link for the FTC's chain mail website which states that you can forward unwanted or deceptive spam to the FTC's spam database at UCE@FTC.GOV.


More Useful Info

There's more information on spam, spam mailing lists, and how to control spam at http://www1.umn.edu/oit/security/spam.shtml (the spam info is excellent but ignore the reporting instructions which are specific to the University of Minnesota) and http://spam.abuse.net.

Valuable news and tools for combatting and reporting spam are provided by SpamCop.

The UA College of Ag has information on blocking spam for Pine, Eudora and Outlook email clients.

CCIT's February 2002 Newsletter details how to set up Webmail filters. Because filters set up in WebMail take effect before mail ever enters the Inbox, these filters will work regardless of where or with which mail programs you read your mail.


Filtering for Asian Spam

Filtering techniques which use the Korean character set to trap all incoming Korean email would also trap legitimate messages from Korea in Korean. This is also why this filter cannot be set up system-wide.

You can use Webmail to set up filters for yourself to eliminate email which designates Asian character fonts in the header under Content-Type or on the Subject line.

Always set up new filters to move spam to a folder in case some unexpected messages get filtered out. Check the folder for a week or so and then, if you desire, you may change the action to discard the message. If you correspond with students, you will find that students from Asia often have their mail programs set to one of the fonts below. They then override the font in the body of their messages to you. Several professors on campus send all their Asian character messages to a folder and check it periodically for non-Asian character messages.

  1. In Webmail create a folder for the filtered spam:
    • Click on Folders.
    • Click on Choose Action.
    • Click on Create Folder and enter a name meaningful to you, like Saved rejects.
  2. Then create the filters:
    • Choose Filters.
    • You should make 2 separate rules using the filtering techniques described below. You need 2 rules because some spam can be identified and trapped based on the character set in its Content-Type and some based on the character set used in its Subject.
  3. Create the Content-Type filter
    • Choose New Rule.
    • Rule name: Asian content (or choose your own name).
    • Under For incoming messages that match set All of the following.
    • You will use the dropdown lists to choose what to include (...arizona.edu email) and what to exclude (several Asian character sets). Refer to the screenshot below.
    • Select the combination From and Doesn't Match and to the right enter *@*arizona.edu. This is optional but allows local mail to come through.
    • In the Content-Type row you need to enter the following character sets. They all go on the same line, separated by commas. The leading, unmatched quotation mark is by design because often these headers look like Content-Type: charset="GB2312-more-stuff".
         charset=gb2312,charset="gb2312,
         charset=euc-kr,charset="euc-kr,
         charset=ISO-2022-KR,charset="ISO-2022-KR,
         charset=big5,charset="big5,
         charset=ks_c_5601-1987,
         charset="ks_c_5601-1987
    [Screenshot: Asian content rule]
    • Under Do This from the dropdown list, select Deliver to this mailbox and select the target folder.
    • Click Stop Checking if this rule matches.
    • Click Save.
  4. Create the Subject filter
    • Click the New Rule button.
    • Rule name: Asian Subject (or a name of your choosing).
    • Under For incoming messages that match set All of the following.
    • Select the combination From and Doesn't Match like the example above to allow arizona.edu email.
    • To do Subject filtering, use the combination Subject...Contains in the next row. Enter these values:
              =?GB2312,=?big5,=?ks_c_5601-1987,=?euc-kr,=?ISO-2022-KR
    • Under Do This from the dropdown list, select Deliver to this mailbox and select the target folder.
    • Click Stop Checking if this rule matches.
    • Click Save.
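The two rules above, expressed as code so their behaviour can be checked against sample mail. This is an added example, not WebMail's own implementation: the function name, the folder default and the case-insensitive matching are assumptions, and the messages are constructed.

```python
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Character sets named in the two rules on this page (compared in lowercase).
CHARSETS = ["gb2312", "euc-kr", "iso-2022-kr", "big5", "ks_c_5601-1987"]
LOCAL_SENDER = "*@*arizona.edu"  # the optional From / Doesn't Match exemption

def classify(raw, folder="Saved rejects"):
    """Return (destination, reason) for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if fnmatch.fnmatchcase(sender, LOCAL_SENDER):
        return "Inbox", "local sender exempt"
    # Unfold continuation lines so a charset on the second line is still seen.
    ctype = " ".join(msg.get("Content-Type", "").lower().split())
    subject = msg.get("Subject", "").lower()
    for cs in CHARSETS:
        # charset=X and charset="X : the unmatched quote covers quoted values.
        if f"charset={cs}" in ctype or f'charset="{cs}' in ctype:
            return folder, f"Content-Type charset {cs}"
        # An encoded Subject begins with =?charset? (RFC 2047 encoded-word).
        if f"=?{cs}" in subject:
            return folder, f"Subject encoded-word {cs}"
    return "Inbox", "no rule matched"

# Constructed sample messages (not real mail).
SAMPLES = {
    "spam_ks": 'From: promo@bulk.example\nSubject: hello\n'
               'Content-Type: text/html;\n\tcharset="ks_c_5601-1987"\n\nbody\n',
    "subject_only": 'From: a@mail.example\nSubject: =?EUC-KR?B?vsiz5w==?=\n'
                    'Content-Type: text/plain; charset=us-ascii\n\nbody\n',
    "colleague": 'From: colleague@univ.example\nSubject: meeting\n'
                 'Content-Type: text/plain; charset=euc-kr\n\nbody\n',
    "local": 'From: Prof <prof@email.arizona.edu>\nSubject: notes\n'
             'Content-Type: text/plain; charset=euc-kr\n\nbody\n',
    "plain": 'From: friend@mail.example\nSubject: lunch\n'
             'Content-Type: text/plain; charset="iso-8859-1"\n\nbody\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The `colleague` message is legitimate Korean-language mail and still lands in the holding folder, which is why the rule should deliver to a folder before it is ever switched to Discard. The From exemption is a convenience, not a trust decision, since the From: address can be forged.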

The Center for Computing & Information Technology (CCIT)
CCIT Knowledgebase
Telephone: 621-HELP
Email: Consult@listserv.arizona.edu

Website maintained by:
CCIT Computing Services