Your Digital Bridge to the World

Email Phishing & Spam Defense

Top Topics
Adding SEAS students to the Microsoft Campus Agreement being debabated. Stay tuned.

IT Benefits To Know About



Software to know about!


Email Phishing scams are real & bad. Don't be fooled & don't click them. In general avoid them. 'Nuff said? Probably not... So read on if you want more info.

We have had several students fall victim to these false emails and it is never fun. Being aware, caution and informed can help you avoid the problems and headaches. This is that pile of goo you don't want to step in.

**See below for a few tips on how to identify these malicious emails and avoid them safely.

I have seen many very legitimate looking Paypal, Ebay and various Bank account info requests emails via Cubmail. They are not always easy to identify. The best fakes are emails that were originally from the actual company, but then customized with malicious misdirected links. These fake emails attempt to send you to web sites to harvest your information. Malicious web sites can either simply prompt you for data input or can possibly use viruses, key loggers or other malware that can infect and exploit your browser/computer. So take great care to avoid even visiting them if possible.

Personally, since none of these types of services have my Columbia email, I know right away that they are scams. But many of you commonly receive legitimate emails from these types of sources in your email accounts daily and thus will find this type of email frustrating, confusing and/or tempting to click. Even if you don't use these types of companies via your cubmail, an email stating that you owe money to a business you never used is quite alarming. Be wary of clicking on these types of emails.

The following techniques are not only helpful for safeguarding your data, time and protecting the school network, but also critical for home data and financial protection as well. Columbia is working hard to eliminate email spam at the server before it gets to the users, but as you know, much is still leaking through. Therefore, it is beneficial for everyone to have the tools and techniques to protect themselves by learning and using these simple steps to identify and avoid scams.

To be safe:
1) Delete the email
You should delete any email that seems suspicious, especially if it has attachments or links.

2) Check the address url before clicking
If you receive an email and are concerned about whether it is legitimate or not, there is a quick way to identify if it's a fake email.

Move the cursor over links to check the target address (do not click the link). Depending on your application, it may either popup a windows showing the url or you may need to check the bottom of your browser/email client window for link address. The target address should be the same as the company contacting you. For example: an email for Etrade.com should have a target link address of etrade.com/.... be concerned if it is something like rob-u-blind.com/.....

3) Contact the company directly
Additionally, if you are concerned about your account with that company, Do not use the supplied email link. Instead, open a browser and go directly to their web site to check your status or contact their customer service via phone and inform them of the email. These types of financially sensitive services will never email a link for an account update or request account info via email. This is all done through their secure site, regular mail or over the phone.

Now the fun part:
What would IT do to identify if it’s a fake and get more info to file a complaint? Again, I recommend you delete the suspicious email and/or contact the company regarding your account and/or the email directly if concerned. But, as mentioned, you can often identify a fake email by checking the link’s target address without clicking on it. If I wanted to know more about the suspicious email, here’s what I would do initially:

Check the link
I would run the cursor over the emails links to identify where the link goes. The recent link in a Paypal email I received went to paypol-updatingbilling.com. This is not Paypal!, but it was trickier than most scam addresses I have seen recently. 

Google It!
Now I have a web site to Google and see what other activities they've been up to. Since I am not interested in putting my computer at risk, I log into a non-important computer (i.e PC Lab) a load a restricted user account. I browse through the result links carefully, making sure not to click on results that would lead me to the actual site. In this case, the Google results show me that this site appears to be in Russia, Interesting...

You can also take key words or phrases from the email itself and type them into Google. If it’s a scam, the Internet community will know about it and post info. 

Warning: Be careful which sites you click on while searching Google. Once again, in Internet Explorer and other web browsers, the link shows the target address at the bottom of the screen when you move the cursor over it. You can see the address of the site you are about to visit and make an informed decision as to whether it is trustworthy or not. You wouldn’t want to accidentally click on the site from the email that you where trying to avoid =)

By doing the above steps, you can usually learn a little info about the email, where links go, what they do and what has happend to people that have clicked on it. This all helps identify the actual risks without finding out the hard way. 

If you wanted to track the email further, potentially for lodging complaints, here are some next steps.

Domain Search
Go to a web-hosting site (like networksolutions.com) and query the domain name. See Example 1) domain registrars listing below. This gives the name and info of the person that supposedly registered the domain name. According to the record, Edith Idleman, 16 Oxford Lane Bella Vista, AR 72714. The site was just created two months ago 08/2006. For some added fun, lookup any domain name you own. Does that Contact person look familiar?

Check Email Headers for source, path traveled, return sender and other useful info
You can also check the Email Internet headers of your email to identify the path it traveled and search for additional clues. This email came from nobody@mars.dnsdc7.com. A search on Google shows only one other scam from this domain name called Next of Kin Claims. The email address Nobody@ is usually a non-returnable address.

*Example: Email Header
Return-Path: <nobody@mars.dnsdc7.com>
Received: from liverwurst.cc.columbia.edu ([unix socket]) by liverwurst.cc.columbia.edu (Cyrus v2.3-alpha) with LMTPA; Tue, 10 Oct 2006 09:38:57 -0400 X-Sieve: CMU Sieve 2.3 Received: from feta.cc.columbia.edu (feta.cc.columbia.edu []) by liverwurst.cc.columbia.edu (8.13.1/8.13.1) with ESMTP id k9ADcv0s009302 for <jav2115@liverwurst.cc.columbia.edu>; Tue, 10 Oct 2006 09:38:57 -0400 Received: from mars.dnsdc7.com (mars.dnsdc7.com []) by feta.cc.columbia.edu (8.13.7/8.13.6) with ESMTP id k9ADcrMW022866 for <van@civil.columbia.edu>; Tue, 10 Oct 2006 09:38:56 -0400 (EDT) Received: from nobody by mars.dnsdc7.com with local (Exim 4.52) id 1GXHqM-0000hY-Ns for van@civil.columbia.edu; Tue, 10 Oct 2006 08:40:26 -0500
To: van@civil.columbia.edu
Subject: Notice of Security Updates
From: PayPal <service@paypol.com>
MIME-Version: 1.0
Content-Type: text/html

Following this line of thought, you can start to uncover info about the origins, potential contacts, and accumulate some complaint info to provide your ISP, the faked companies or possible law enforcement, etc.

Taking it to the next steps:
If law enforcement gets involved, they can start a process of requesting private information, IP addresses, email and internet logs, credit card numbers, etc from registrars, email accounts, domain hosts, ISP's etc. to build a trail and identify the criminals identity and whereabouts. This takes quite a bit of Illegal activity on the criminals part to get this process moving. Since they often hide behind free accounts and fake/stolen information. It is for this reason that they are fairly difficult to track and catch. Fortunately, it only takes one or two screwups on their end to catch them.

Additional Spam Fighting Resource:

-The Federal Trade Commission Web site is a good resource for tips against spam, reporting spammers, and general info.
AntiSpam Website

-THE FTC also has information regarding ID Theft, Kids Privacy, Online Protection, Spyware, Shopping tips

**Example 1) Domain registrars listing (as mentioned above) for Paypol (not paypal) - In this case, I would want to try and contact Edith Idleman and see what she had to say about her nefarious uses of her paypol domain name.


Registrant Contact:
Edith Idleman (formystaff@yahoo.com)
Fax: +1.5555555555
16 Oxford Lane`
Bella Vista, AR 72714

Administrative Contact:
Edith Idleman (formystaff@yahoo.com)
Fax: +1.5555555555
16 Oxford Lane`
Bella Vista, AR 72714

Technical Contact:
Edith Idleman (formystaff@yahoo.com)
Fax: +1.5555555555
16 Oxford Lane`
Bella Vista, AR 72714
Status: Locked
Name Servers:

Creation date: 08 Oct 2006 20:39:54
Expiration date: 08 Oct 2007 20:39:54
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us.

We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002

Registry Status: REGISTRAR-HOLD
Registry Status: REGISTRAR-LOCK
Registry Status: clientHold
Registry Status: clientDeleteProhibited
Registry Status: clientUpdateProhibited
Registry Status: clientTransferProhibited

***On a related note: I once used this technique to contact a person who posted a job offer, but forgot to list any contact info. He did list the new business name and although he had no ewebsite yet, he had already purchased the domain name. According to a law passed around 2003, all registrars must use their real name or business name on registration to discourage scammers. In this case, his domain listing had his home street address and phone number. He was a bit suprised when I called him at his home to inquire about the postion. After explaining how I tracked him down, he offered me the job... =)


Revised: 02/27/07


Privacy Policy | Contact Us | ©2006 CEEMIT