Penn Computing


E-mail Forgery and Harassment

More than any other Internet application, the growth of e-mail use around the world has dramatically changed the lives of people everywhere, making it possible to communicate rapidly with almost anyone, anywhere. The days when an exchange of handwritten letters could take weeks, or even months, have been compressed into minutes and even seconds by the use of e-mail.

As wonderful a communication tool as it is, though, there are some negative aspects to e-mail. Particularly in the last few years with the rise in the availability and popularity of free, (often) anonymous, "on-demand" e-mail accounts through web-based services like Hotmail, Yahoo! and Gmail (Google), there has been a marked increase in incidents involving forgery and harassment via the use of e-mail.

E-mail has been around as long as the Internet itself, nearly 40 years, and the underlying programming and protocols were developed in a time when security was much less of a concern than it is today. The mechanics of e-mail are still pretty much the same, though, and the result is that e-mail is very easy to forge, and it doesn't take a lot of computing expertise to do it. Unless the e-mail message in question has been digitally signed and/or encrypted (such as with PGP, for example), it is very difficult - and often impossible - to completely verify the sender's identity.
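The point above can be seen in a message's own headers. The following is an added example, not part of the original advisory: a Python triage check that compares the displayed From address with the other sender-related headers and with the verdicts the receiving server recorded. The sample message, its domains, and the function names are constructed for illustration, and the SPF/DKIM/DMARC checks it reads go beyond what this page covers.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not real traffic); all domains are reserved example names.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.edu
From: "Dean's Office" <dean@example.edu>
Reply-To: dean.office@example.org
To: student@example.edu
Subject: Urgent request

Please reply today.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def forgery_indicators(raw):
    """List reasons the displayed From address should not be trusted."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    # The envelope sender (Return-Path) and Reply-To are set independently of From.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results is stamped by the receiving server (RFC 8601).
    # Assumption: every such header in the sample came from our own server.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            results[method.lower()] = verdict.lower()
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} result is {verdict}")
    return findings
```

An empty result does not prove the sender's identity; it only means these particular checks found nothing inconsistent. In practice, trust only the Authentication-Results header added by your own mail server, since a sender can insert look-alike headers of their own.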

Forgery

Many don't realize it, but most e-mail users get several forged messages per day, in some cases dozens, in the form of "spam" (a.k.a. UCE, or Unsolicited Commercial E-mail). There are a number of reasons why spammers don't want you to know their true identity, but the primary one is pretty simple: they don't want to be barraged with complaints about what they're doing from people who think spammers are a lower form of life than used car salesmen. There are, of course, other more sinister motives people have for forging e-mail, and unfortunately in some cases, they involve threatening and/or illegal actions. In some cases, the forger simply wants to remain anonymous and creates a fictitious address, while in others, he or she will attempt to impersonate another person and make that person's address appear to be the source. In any case, forging e-mail by making it appear as if it came from someone else is a fraudulent act.

Using Penn computing resources to send forged e-mail is a violation of the Acceptable Use Policy, and depending on circumstances, is quite likely illegal as well. Penn users found to be forging e-mail are subject not only to disciplinary action, but possible criminal prosecution as well.

Although much of the spam on the Internet is clearly forged, there is not a great deal that can be done about it, and no need to report it as forgery. For a more detailed discussion about spam, see our spam advisory. A special case is the (in)famous "Nigerian" or "419" scam, an advance-fee fraud that has been around for years in which people are offered millions of dollars as a "commission" for laundering "trapped" funds. This fraud takes many forms; for more information, see our page at http://www.upenn.edu/computing/security/advisories/419scam.php

If, however, you receive e-mail of a more personal nature that you suspect is an attempt to deceive or mislead you as to the sender's identity, you can contact ISC Information Security at security@isc.upenn.edu or (215) 898-2172 and ask for assistance and advice.

If you believe at any time that your personal safety, or that of any other person is in danger, or that a crime has been or will be committed, you should report it immediately to Penn Public Safety at 511 (on campus) or 215-573-3333 (off campus/cell phone).

Harassment

For obvious reasons, forgery and harassment by e-mail often go hand-in-hand. More often than not, the person sending harassing messages doesn't want his/her identity known. Sometimes, though, the person will make their identity clear, and will clearly state the reasoning behind the activity. Not surprisingly, it's often the case that the person doesn't consider the activity to be "harassment".

Dealing with e-mail harassment (or, in some cases, Usenet newsgroup harassment) is among the most difficult computing security issues to evaluate and give advice on, because it can take so many different forms. In some cases, the person sending the messages will either clearly be threatening an illegal act or will give clear evidence of that intent. In most cases, though, the issues are much less clear. The content of the messages may or may not constitute harassment under the law, and even if it does, may not rise to the level of a criminal offense. There may possibly be some grounds for civil action, but that would have to be discussed with your own lawyer or legal representative.

The truth is that, in the overwhelming majority of instances, the harassment stems from some breakdown in a personal relationship between the parties, e.g., a romantic relationship recently ended, a debt owed (or believed to be owed), etc., and there is no basis for legal action in what amounts to a personal dispute. Often, the person being subjected to the harassment recognizes this, has no interest in pursuing legal remedies, and simply wants the harassment to stop. In this instance, it is sometimes effective to reply once - and once only - to the harasser with a message that says, in about this many words, "You've had your say. I wish not to receive any more e-mail from you. This will be my last message to you." Then, stick to it. If the messages continue to come, do not reply, but save them in the event they become useful in a future legal action.

Again, dealing with e-mail harassment is very difficult. If you believe you are the subject of harassing e-mail (Note: we do not consider "spam" to be harassment.), then feel free to contact ISC Information Security at security@isc.upenn.edu or (215) 898-2172 and we will be glad to help you evaluate the situation. It is also a good idea to contact the Postmaster for your mail system (usually 'postmaster@<yourmailserver>').

However, the following is always good advice:

If you believe at any time that your personal safety, or that of any other person is in danger, or that a crime has been or will be committed, you should report it immediately to Penn Public Safety at 511 (on campus) or 215-573-3333 (off campus/cell phone).

A Few Other Things To Consider:

  • Be careful what you say in e-mail. This is good advice not only where harassment is a possible issue and you don't want to inflame or complicate the situation by saying something that would aggravate it; it's good advice any time you use e-mail to communicate. Electronic messaging is certainly fast and efficient, but the person at the other end can't see the "body English" and non-verbal cues you would normally use in conversation to indicate what you really mean. "Smileys" and other "emoticons" help, but be aware that the words on the screen may not be received in exactly the way you intended.
  • Don't send sensitive or confidential information in e-mail. Remember that e-mail is not a secure medium. Yes, it's "electronic mail", but rather than being analogous to a letter in a sealed envelope, as most people tend to think of it, it is actually more like a postcard that can be intercepted and read by any number of people between sender and receiver. Especially, never send information such as your Social Security Number, financial account numbers, date of birth, or other personal data that could be used to commit identity theft. If you need to identify yourself to Penn support staff through e-mail, use your PennID (the middle group of 8 digits on your PennCard). This should be all the info they need.
  • Don't jump to conclusions. Remember, e-mail is easily forged, so the person who appears to be the culprit may well be innocent. If the content of a message seems out-of-character, give the sender the benefit of the doubt, and remember that the words on the screen don't always accurately convey what the sender actually meant. Before firing back, verify the sender's identity (if possible) and that they didn't mean it to be humorous or sarcastic.
  • Guard your password(s). If you share your account passwords with anyone, you not only give that person a "license to impersonate", you also cannot be sure who else that person has given your password to.

 

Last updated: Friday, April 23, 2010


Information Systems and Computing
University of Pennsylvania