Spam

Spam is unsolicited email which is often offensive and mainly consists of adverts for pornographic websites, drugs, mortgages or consumer goods. It also takes the form of messages encouraging you to click on dangerous attachments or input personal details (also known as phishing).

Phishing

Phishing attacks are where criminals send you emails which attempt to trick you into releasing your details, changing payment details for companies or individuals or sending money or vouchers. Often, the emails advise you of changes or issues which require you to provide your username and password, enabling the criminals to use these details to access your account or to send spam from your email address but can also take a more subtle approach of presenting to be a person in a senior role requesting an urgent change or request for funds.

 View our top tips for reducing the amount of spam and phishing you receive

Tip 1: Don't get phished and make it worse

Never click on links in emails which ask you to input information (such as usernames and passwords). If you are ever unsure whether an email is legitimate, do not click on links in it

Tip 2: Increase personal filtering level

  1. In Outlook, from the Home tab, select Junk (under the Delete section).

  2. Select Junk Email Options.

  3. Change the level of junk email protection to High.


Remember to check your junk folder regularly for legitimate emails.

Tip 3: Create your personal block list

If you receive unsolicited email from a small number of particular email addresses or containing particular words, you can ensure this always goes to Junk Email. See Block specific senders and words in Microsoft Outlook.

Tip 4: Use another account

Don't use your Lancaster email address for signing up to things online, such as shopping sites or newsletters. Use a seperate email account for this.

Don’t publish your personal University email address on web sites when a shared email address would be more appropriate.

Protection from spam, phishing and other malicious content

ISS perform a number of security checks to help block spam, phishing and other malicious content. This includes:

 SpamAssassin to help check if your emails contains spam

SpamAssassin is an anti-spam program which ISS runs across the University email systems.

It checks all incoming email using a scoring mechanism to determine whether emails are genuine or spam.

In 2018-2019, an average of 100 million email connections a month were directed to the university:

  • Around 95% were removed as obvious spam, invalid or infection by a combination of services;
  • 5% of messages were classed as legitimate and allowed through, although 5% of these were marked as *ISS detected SPAM* for users to decide.

Of those messages delivered to your mailbox, we estimate about 2% are undetected spam, these are often very short messages which automatic systems just can’t detect without impacting on the legitimate emails.

 How the SpamAssassin spam filter works

Some of the things the filters look for are obvious. Words like 'viagra' and 'make money fast' in the message all add small positive amounts to the score. Text that comes as part of images or is downloaded from the web only when you actually read the message can't be scanned - but the filters do assess the message for how much text they contain compared to how much web content, and whether the web content contains a lot of ALL CAPS, bold text in large font sizes etc.

More weighting is given to 'delivery' information that accompanies each message (you don't normally see this when you read your mail). Bulk mailing tools used by spammers tend to leave their signatures here, and the filters evaluate whether the information is consistent, realistic, or has known bulk-mailer characteristics.

 Does this mean I'll never get spam again?

Unfortunately, no. Although the approach used by the filters is very successful, and can be tuned over time to recognise spam even better, tests show that just over 80% of the spam that comes in to the University can be detected. However, that's a very substantial reduction.

SpamAssassin is being constantly developed to improve its detection rate; but of course, spammers are at the same time adapting their techniques to beat anti-spam programs.

 Will genuine emails get lost by mistake?

Tests indicate that with the filters' sensitivity set to detect about 80% of the incoming spam, there should be very few cases where genuine email is misidentified as spam, and the system is monitored. However, if you believe that you're not receiving email that you expect, you should contact ISS.

It does sometimes happen that the system sometimes refuses a genuine message from a legitimate source, if that source happens to be on a blacklist or block list. Those on these lists have been identified as sending spam in the past. An error report goes back to the sender explains that the problem must be addressed at the sender's end.




 Block lists to block mail coming from computers known to send spam

In an attempt to reduce the amount of spam that staff and students receive the University makes use of block lists. Block lists identify computers on the Internet that are either known to originate spam or have been used (often without the owner's knowledge) to relay spam. Occasionally this will affect users trying to send email to the University.

 What to do if incoming email to you is blocked

If incoming email is blocked it's because the computer that sent it has been:

  • identified as involved in sending spam; or 
  • misconfigured and is not using ISP-provided facilities as it should. 

Spam often comes from individual PCs that connect to the Internet by dial-up or broadband connection to an ISP. Normally, the ISP provides a computer via which these PCs should send mail, and these will contain spam filters. However, it is possible for the computers to bypass this and send mail directly to the destination.

These problems can be fixed only by those administering the computers involved — but we can offer some guidance to pass on to affected correspondents. You should ask them to contact their own IT support staff — either at their company or university, or at their ISP. They will need to point out that the problem is that either their own computer, or a organisation-owned computer that handles the organisation's email, is on a block list.

If the sender of an email is on a block list they will receive a short message in response such as:

550 Rejected because 195.92.67.43 is in a black list

A computer will remain on a block list unless or until its administrators take the required actions to prevent it being used for spam, and notify the maintainers of the block list.

A computer is never added to a block list without its administrators being informed beforehand and given adequate time to remedy the situation.


The University does not maintain any block lists, but makes use of centralised lists provided by UKERNA, the organisation that manages the part of the Internet that British universities use.

The block lists currently used by Lancaster University are maintained ultimately by a US company.




 Microsoft's Advanced Threat Protection (ATP) safe links

Office 365 Advanced Threat Protection (ATP) is a Microsoft service that helps to protect users from malicious threats posed by email messages, links (URLs) and collaboration tools. At Lancaster University, we have enabled ‘Safe Links’ in ATP to provide additional protection on external links that are contained within emails.

 What are ATP Safe Links?

This feature directs all external links through the Office 365 Safe Links scanning service.

When you hover over one of these links:

  • If you’re using the Outlook desktop application, you’ll see a long Safe Links URL.
  • If you’re using the Outlook Web App, you’ll see a short Safe Links reference identifying the ‘Original URL’.
  • If you’re using the Outlook mobile app, when you hold down over the link you’ll see a long Safe Links URL.

When you click one of these links, Safe Links performs a scan to determine whether it is safe to view or could be malicious (see the ‘What does ATP Safe Links look like?’ below for details).


If the link:

  • Is deemed as safe to view, you will proceed as expected.
  • Is deemed as potentially containing or going to malicious content, you will be directed to a red warning message that recommends you don’t open the link.
  • Is taking some time to scan, you will be directed to a blue message telling you the scan is still in progress. You will have to wait for a few minutes then try the link again.


Safe Links will only scan external links in emails. Links to University pages will not be affected. For example:

  • A link to a page on the main University website, or to a news article on the Staff Intranet or Student Portal will be ignored by Safe Links.
  • A link to an article on the BBC website will be scanned by Safe Links.

Links you send in emails to other staff/students at Lancaster University will be scanned by Safe Links if they are linking to external pages or services.


Links you send to non-University email addresses will not be scanned by Safe Links, irrespective of whether they are external links or not.


If email messages are forwarded on, links in those messages that have been deemed as potentially containing or going to malicious content will continue to warn new recipients, even if they are sent to non-University addresses.



 What do Safe Links look like?

External links in emails you receive won’t look any different until you hover over them (Outlook and Outlook via Office 365) or hold down on them (Outlook Mobile App).
Below is a screenshot with an example of how a link scanned by Safe Links will look in Outlook when you hover over it.

image of safe links hover over


Long Safe Links URLs:

Below is a screenshot with an example of how a link scanned by Safe Links will look in Outlook via Office 365 when you hover over it.

example of hovering over link in office 365

If you click on a link that has been scanned and deemed as potentially containing malicious content, you will be directed to a red warning message that recommends you don’t open the link (see screenshot below).

blocked website

If you click on a link that is still in the process of being scanned, you will be directed to a blue warning message that tells you it is still being scanned (see screenshot below).

example of link still in process of being scanned



 What are the benefits of ATP Safe Links?
  • Because students and staff often share links while working on projects, Safe Links helps to prevent inadvertent access to malware through links and attachments.
  • Safe Links also enables the University to manually block links, either to malicious or unwanted content, and will help to remove mass phishing emails.
  • Reporting is available to ISS staff, enabling them to warn anyone who has clicked on a link that Safe Links deemed as potentially malicious to change their password to prevent compromising their account.
  • Safe Links works anywhere in the world, on most common email clients, and with no VPN or requirement to connect to Lancaster.






 Blocking suspected web pages

If you click on a link or attempt to enter an unsafe web address that the University suspects contains malware (e.g. virus, spyware or malicious program), the University will block the web page and display a Page Blocked message.

Example page blocked screen.

Lancaster University uses Domain Block Lists to protect the institution from websites that have been identified as harbouring phishing or other malicious malware. 

As part of protecting university data ISS may enable data leak protection mechanisms. These may result in content being blocked or the user being notified so that they can ensure that they are acting in compliance with relevant University policies. For further info see the Microsoft documentation on data leak protection policies.




 Using Symantec EndPoint Protection (SEP) to protect devices

Symantec Endpoint Protection (SEP) to prevent devices from being infected with known viruses, trojans and other malware. See Symantec Endpoint Protection (SEP) AntiVirus installation and help for further information.





Frequently asked questions

 What are indicators of spam and phishing emails?
  • The wording is designed to scare you into replying, or responding to a link – such as stating that your account has been compromised – change your password now
  • You are addressed as Dear Customer or Dear Student, rather than by your first and last name.
  • The email could look like it's coming from a sender you know, but the content of the email isn't what they would be likely to send you.
  • You are asked to supply personal or financial information, or login details.
  • There is poor spelling, punctuation and grammar in the email.
  • When you hover your mouse over a link in the email, you can see that it goes to a website that you don't recognise, or doesn't relate to the organisation you thought it should.
  • The email is unexpected and contains an attachment.
  • The email is personalised to look real, asking for a personal request that is not part of your job description (e.g. email sent from yourdirector123@gmail.com asking for you to send emergency payment vouchers).

This list is not exhaustive, if you are suspicious of an email for any reason, do not trust it.

Nowadays, there is an increase in impersonation emails. This is where someone will target an individual with a very sophisticated looking email that contains personalised information making it look genuine. New staff are sometimes targeted as they are unsure of the working practice in a new role. For example, an email from your director's personal email account asking you to purchase some vouchers or send some money as the company credit card is not working. You should check anything that seems suspicious – anyone can make up a free personal email and pretend to be someone so check if the email from the sender's actual email. Even if it is, their account could have been compromised.




 What should I do if I suspect an email is spam or phishing?

Safe Links is a mechanism in your University emails to help prevent staff and students from going to malicious content, but it doesn’t necessarily stop phishing emails being delivered to your mailbox, so you should still be vigilant to phishing emails and take action to report phishing where appropriate.

  • Don’t reply.
  • Don’t click on links.
  • Don't copy and paste links into your web browser.
  • Do not trust the contact details in the email – if in doubt, phone the company on the trusted number or go to their website directly using a trusted web address.
  • Delete it.




 I am the victim of a phishing attack, what should I do?

If you have revealed your username and password in an email or via a linked website, and you think that you are victim of a phishing attack, you need to report it so we can recover your security and privacy, and prevent others falling victim to the same phishing attack. Please report it via the Information Security Incident form or by contacting the ISS Service Desk.

If the Service Desk confirms that your security has been compromised it is advisable to change all your passwords including, for example, passwords for your bank, Amazon and other commercial accounts.




 Where has my legitimate email gone?

Occasionally legitimate emails may accidentally be identified as spam. Ensure you check your Junk Email folder regularly. If you find legitimate email, right click on it, and from the Junk section select Not Junk.

If you find that genuine messages are marked incorrectly as ISS-Detected SPAM, please report this via the ISS Help Centre




 What do I do if I am blocked from accessing a legitimate website?

Please contact the ISS Service Desk via the Help Centre to report instances where you have been blocked from accessing legitimate content. They may be able to enable access to content on sites that should not be blocked.




 Why are emails I send being marked as spam?

For information about how to prevent emails you send being marked as spam, see Stop your outgoing email from being marked as spam.