is&t Back Issues


Volume 19

No. 4  March/April 2004

Don't Let the Hoax Be on You: How to Handle Incoming Email

Nate Herzog

Electronic mail has transformed the way we pass on information. It's easy to send messages, and just as easy for others to send messages to you. As we've all discovered, this has a downside. It's common to find our email inboxes stuffed with spam -- ads, hoax mail, and viruses.

Hoax email contains information that isn't true but entices recipients to respond or forward information. Its subjects vary from cash prizes, to pleas for help, to warnings that "your account will be deactivated unless you respond immediately." These messages are designed to get you to respond to them. The sender wants you to click that reply button or that URL.

Scenarios of a Scam Artist
In the tamest scenario, a spammer sends a message to a large group of email addresses. This spammer has no idea whether or not these addresses are real. The message could be an ad for a weight loss program, a cheap mortgage, or worse. At the bottom of the message is a line that encourages you to reply or to visit a web page to be removed from the mailing list.

Let's say one of the email addresses in the spammer's list belongs to John Doe <johndoe@mit.edu>. If John replies to the message, he has verified his address. The spammer sells the valid email address to a marketer, who then sends more unwanted mail to John Doe.

In more malevolent scenarios, John opens a hoax attachment, infecting his computer with a virus and spreading it to other computer users. Or John clicks on a link that appears to be from his bank and enters his account number or user name and password. The perpetrator proxies the connection and later transfers the money in John Doe's bank account to a new offshore account.

Guidelines for Safer Computing
MIT provides a spam screening service at http://web.mit.edu/ist/services/email/nospam/ that helps to filter spam. Still, unwanted messages can get through. So what do you do with them?

Whenever you encounter dubious email, you can save yourself (and the people you send email to) a lot of trouble by following these guidelines:

  1. Don't open messages from anyone you don't know.
  2. Don't reply to or forward any messages with dubious content.
  3. Don't open, save, or forward any attachments if you are in any way unsure of what that file contains.

As a child, you were taught not to take candy from strangers. Don't open their email messages either. These messages are crafted to get you to respond. Don't. Delete them instead.

Don't I Know This Person?
Hoax mail doesn't always come from unknown sources. Email addresses can be spoofed. If a spammer has gleaned Jane Doe's address, he can send email posing as Jane Doe. Jane then gets blamed for sending the message, when she did no such thing. If a friend sends you an attachment that you weren't expecting, contact your friend to find out whether he or she really sent it.

What if <admin@mit.edu> sends an email requiring you to respond or your email account will be shut off? When in doubt, ask. Contact your local computer administrator to verify the message. Lacking a local guru? Call the Help Desk at 253-1101. Don't think you are wasting someone's time by verifying an email message. It takes a minute to find out whether or not an email is a hoax. It can take hours to clean a virus-infected system.

Alternatively, you can be your own gumshoe. For the latest on email hoaxes and viruses, visit

http://vil.nai.com/vil/default.asp
http://www.f-secure.com/
http://hoaxbusters.ciac.org/

A Final Word About Attachments
Be wary of email attachments: they are the easiest way to send viruses. Typically such attachments have names like "love_letter.doc" or "system_patch.exe", meant to appeal to as many people as possible.

When receiving attachments, use your head. Does it make sense for your boss to be sending you an attachment called "performance_appraisal.doc"? Then it's probably fine to open. But when in doubt, ask!

