Of the tens of thousands of e-mails that drift into Mississippi State WebMail accounts each day, 70 to 80 percent of the incoming traffic classifies as some form of spam.
Although the vast majority of junk mail is discarded by MSU’s spam defense systems, the sliver of spam sophisticated enough to escape the filter can wreak havoc on MSU WebMail accounts.
The problem, according to Information Technical Services security and compliance officer Thomas Ritter, is many MSU students, faculty and staff members are unaware when a seemingly normal e-mail constitutes as spam, leaving them vulnerable to malicious computer viruses. Several hundred computers linked to MSU’s servers have been infected over the past year.
The most common spam virus that MSU WebMail users bite on is a fishing scheme. E-mail users are hooked when they choose to divulge their account username and password under the pretense of a legitimate e-mail.
Ritter said some people will give out personal information when a well-crafted fraudulent e-mail claims to be, for instance, updating MSU WebMail services courteous of ITS.
“E-mails can be easily forged. It is a problem,” Ritter said. “Some of these e-mails will say your account will be deleted if you do not provide your information. ITS will never ask for your username or password.”
The ultimate goal of most spam is to steal a person’s identity, and part of the process involves using infected computers as a hub to send more spam.
“It is possible to receive spam from yourself,” Ritter said.
Spam viruses attack computers and, depending on the virus and type of information a person gives up, can gather sensitive data ranging from e-mail address books to bank account numbers to social security numbers.
One spam message that found its way on campus asked a WebMail user to click on a picture of a rapist caught on a security camera. By clicking, the spam e-mail claimed information would become available to help capture the sex offender.
“It’s called social engineering, a term used when someone gets fished and convinced to do something,” Ritter said. “If you click to help the catch the rapist, you will get a virus.”
At times, the epidemic has escalated to a point where other e-mail providers – services such as Comcast, AOL Mail and Gmail – have been forced to blacklist all MSU WebMail accounts. MSU Web traffic has been refused by these providers – a problem usually corrected in a day’s time – even though less than one-tenth of contaminated links within spam are opened by MSU WebMail users, Ridder said.
“I have seen computers pump out 20, 30, 50,000 spam messages in an hour,” Ritter said. “At that point, we have to compromise the account.”
Once a MSU WebMail user’s account has been locked, ITS will unfreeze the account after the computer has been cleansed, and the infected account’s username and password have been changed.
An MSU student, who preferred to remain anonymous, had a close call with a computer virus in early March. The student’s anti-virus software falsely indicated it quarantined and eliminated the virus. A high ranking administrator working for the Thad Cochran Research, Technology and Economic Development Park heralded different news, telling the student her computer would be blacklisted if she once again logged into the Research Park’s Ethernet.
“He [the Research Park administrator] told me if I logged into onCampus, my account would be blacklisted as well,” the MSU student said. “My computer was sending messages to China every eight minutes. I was pretty annoyed and aggravated.”
The student’s computer ceased communicating with China only after her father updated her Window’s system, which allowed her anti-virus program to do its job. Buddy Balaa, former MSU art department ITS professional, said there are several methods to prevent spam from ever infiltrating an e-mail account in the first place. He said the Internet browser Mozilla Firefox better protects computer systems from spam than Internet Explorer, which holds nearly 70 percent of the Web market.
Unlike Explorer, Firefox is an open-source Internet browser, meaning the entire Web community is able to constantly update the service, while Internet Explorer updates come at a slower pace from Microsoft developers.
“People discover vulnerabilities in software,” Balaa said. “Outdated software will be exploited by specifically crafted spam attacks. I suggest using open-source software like Firefox. Thousands of people are constantly updating and improving its code. Like the guy who created the Linux operating system said, ‘Given enough eyeballs, all bugs are shallow.”‘
Balaa said another combative measure involves holding two separate e-mail accounts: one for business and one for personal communication among friends. Spam has a more difficult time contaminating friendly accounts because less sensitive information is distributed to companies and organizations. However, Balaa said it is wise to spell out the words “dot com” and “at” when typing out an e-mail address in any Web message.
“These people will use automated scripts that scan search engines and can find your e-mail addresses,” Balaa said. “Try Googling your e-mail address to see if it comes up. If it does, that probably isn’t good.”
In the end, Balaa said, the best way to prevent a spam attack is by not clicking on URLs within suspicious e-mails.
“Once they know a human clicked on that link, they have got you,” Balaa said.