Changes made to prevent more e-mail accounts from becoming spam engines
BY MICHAEL PEÑA
The university has approved the tagging and automatic deletion of e-mail sent from a Stanford account if it meets the same spam-identification criteria used to filter incoming e-mails. This change, which began at 5 p.m. on Feb. 29, is in response to many Stanford e-mail accounts recently being taken over and programmed to send out high volumes of spam.
Since October 2006, Information Technology Services has scanned all incoming e-mail and discarded any message that, by its filtering criteria, has a 90 percent chance or higher of being spam. Now, the same applies to all outbound e-mails.
According to IT Services, many Stanford e-mail users began receiving fraudulent messages over the Presidents' Day holiday weekend asking them to verify their e-mail accounts by replying with details, including passwords, that would allow spammers to hijack the account. The messages did not come from Stanford but from anonymous accounts off campus that eluded the university's efforts to block them.
More than 50 Stanford users complied with those fictitious requests, which resulted in their e-mail accounts being compromised. The online scam is known as "phishing," a play on words that conveys how culprits fish for private information. The accounts, which belonged to faculty, staff and students, were temporarily disabled until the owners reset their passwords.
Despite the relatively low number of compromised accounts, the amount of spam they were sending out caused some Internet service providers, such as Hotmail and AOL, to block all incoming e-mail from Stanford. In the week leading up to the change, almost half the e-mail sent from Stanford accounts had been marked with an 80 percent or greater probability of being spam. The block on Stanford e-mails has since been lifted.
"You should always be wary when asked to provide any type of account and password information when you yourself have not initiated the correspondence," said Nancy Ware, director of strategic planning and communication for IT Services. "Stanford does not send e-mails which request that you provide your password via e-mail."
As a general rule, Ware said, users should never send their password via e-mail and should simply ignore e-mails making such requests. There are no overt signs when an account is compromised, but if someone suspects it has occurred, the fastest and easiest solution is to reset the password. In extreme cases, IT Services can, after investigating the situation, shut down a compromised account and temporarily disable it. A member of the Help Desk will then work with the owner to reactivate the account.
In addition to sending out high volumes of spam, compromised accounts can slow down IT systems. In more serious circumstances, compromised accounts allow a perpetrator to read the owner's e-mails, access restricted areas requiring a SUNet ID and even see the owner's personal information in StanfordWho.
IT Services is exploring additional technical options to strengthen Stanford's ability to manage spam and phishing schemes. For more information, go to http://securecomputing.stanford.edu.