University students see change in forms of spammers' e-mails

Adie Ellis '04 gets about 30 spam e-mails per day.

Late last spring she replied to a piece of junk mail asking to be removed from the list. But that only exacerbated the problem.

She has resigned herself to hitting the delete button.

Spam mail has increased by about 600 percent in the last year nationwide, said Rita Saltz, OIT security expert.

Though the University attempted to curtail spam by installing a new authorization program on its servers, new, more advanced spammers are starting again to fill University inboxes.

Some students are even receiving e-mails that appear to be from themselves. But this is the work of an expert spammer.

The to and from lines of the e-mail are the same though the e-mail did not come from a University account.

Tom Geller, who works at the advocacy group Spamcon.org, said this type of spam has only surfaced during the last year.

He explained that spammers either harvest e-mail addresses or purchase e-mail lists.

Spammers look through discussion groups, newsgroups, bulletin boards and America Online to gather e-mail addresses.

By faking the origin of an e-mail, spammers hope to confuse the recipient. Moreover, they hope to avoid mail filters. Geller said harvesting has been around for the last decade.

Less frequently, spammers purchase e-mail lists, Geller said. Some schools, like the Iowa State University, are required to sell their lists by state law. Saltz said she did not believe Princeton sold its e-mail directory.

Get the best of the ‘Prince’ delivered straight to your inbox. Subscribe now »

E-mails with the same sender and receiver can also result from a computer virus, Saltz said.

But the most common way to obtain e-mail addresses is by trial-and-error, Geller said.

"They'll go through and do thousands, millions of guesses. If the organization is large enough like America Online, or Hotmail then they are going to hit a lot of people," he said.

In response to this new spam, a few students have called the OIT help desk claiming someone breached their account, but Saltz could not put a number on the calls.

"You can't sell if you can't get your proverbial foot in the door," Saltz said. "There are different kinds of tricks they use; one for university recipients is to falsely use an address, which appears to be from that school."

Ironically, in an attempt to earn confidence from their prospective buyers, spammers sometimes disclose what they are doing.

"Some spammers who use the last-named ploy admit in the text of the message that they have made the 'to' address also appear in the 'from' address, and that they have not used your e-mail account," Saltz said in an email. "But a lot don't bother making any statement. They've gotten you to open the message, and that is what they care about. If you open it you may read it; if you read it, you may 'buy.' "

The University was largely successful in limiting spam by installing the Simple Mail Transfer Protocol (SMTPAuth) last spring.

Before sending e-mails students are required to enter their University-issued NetID and e-mail password. OIT instituted increased security because outsiders had been using the University's IP address to send out spam.