University of Pittsburgh

October 9, 2008

Computer blacklisting problems addressed

Spam — that annoying unsolicited email from pseudo-Nigerian dictators, non-existent banks and creatively named medical products — has reared its ugly head with a relatively new consequence for Pitt computer account users and for the University itself.

While the University’s spam-filtering mechanism (the Postini system), when activated, traps spam on a separate server, some spam that escapes the filter is being forwarded inadvertently by Pitt users who send messages to users at other email services such as Gmail, Yahoo and Hotmail.

Those providers sometimes take umbrage at receiving large volumes of spam and reject the source email account, a practice known as blacklisting, according to George Pike, co-chair of the University Senate computer usage committee, who reported to this week’s Faculty Assembly.

“Blacklisting occurs when the ISP (Internet service provider) identifies a particular email server as the source of large volumes of spam,” said Pike. “Pitt, occasionally, finds itself on these blacklists and, consequently, email that comes from the University is rejected and bounced back to the sender by the third-party ISP, and then we have to take steps to get ourselves removed. Gmail, in particular, is very difficult to deal with and they’re by far the largest ISP that people are forwarding their email to.”

One might ask: Why is Pitt sending out spam? The answer is: It’s not, but some Pitt users are unwittingly forwarding it, he said.

“What is happening is largely due to two particular sets of circumstances. One is that a University account occasionally will be compromised, or hacked. This is unfortunately the modus operandi of most large-scale spammers: They identify vulnerable computers, hack into them, compromise the computer, then route the spam through that computer or several computers in order to hide their own identity, to hide their own server as the source of the spam,” Pike explained.

“When that happens, large volumes of spam can be sent out from a pitt.edu domain computer in a very short amount of time,” he pointed out.

Pitt’s Computing Services and Systems Development (CSSD) has a good track record in identifying computers that have been hacked into and disabling them quickly, Pike maintained.

The second circumstance is more common and presents more of a challenge. “There are a number of people in the University community — students, faculty, staff — intentionally forwarding their pitt.edu email to a third-party ISP. They may do this for convenience. They may have multiple personal or research accounts and they want to be able to access them all from one place,” Pike said.

“If they do not have adequate spam protection on their pitt.edu accounts, then when they choose the forward function all the spam that comes into those accounts is then forwarded on to the ISP, with the ISP identifying it as having originated from the pitt.edu account, which then triggers the ISP to put us on the blacklist.”

To confront the problem, CSSD has taken a number of steps, Pike said.

• Beginning last year, all new pitt.edu accounts automatically have spam filtering activated.

“That doesn’t reduce the amount of spam that comes into the system, but once it comes into the system, the email filters will grab it and move it to junk mail folders where it is not forwarded on to a third-party ISP,” Pike said.

• The second step was put in place over the summer when CSSD purchased more spam-filtering software from Postini in order to include messages that were forwarded from all student email accounts.

“When student accounts are terminated, students have the ability to have their email forwarded to a new address of their choice for one year,” he said. “This is a courtesy offered to students so they have a common address they can use in the job market. Up until this summer, those were not automatically filtered.”

• The third step, recently endorsed by the Senate computer usage committee, is expanding mandatory spam filtering to all University accounts. “As of last month, there were about 8,000 accounts that were not being routed through the spam filters. That is being changed. CSSD has begun the process and expects to finish by the end of October.” Users will be notified they can’t disable the spam filter, he said.

“All that should help reduce the amount of blacklisting that we encounter, but it probably will not eliminate it,” Pike said.

University statistics show that, in March 2008, 505 million email messages were received into the pitt.edu system. “That’s half a billion in one month. Of those, approximately 81 percent — over 400 million — are spam,” Pike said. “The general estimate, however, is that 90 percent of all email traffic is spam. So if 81 percent is being captured that’s 9 percent that’s not being captured and potentially is then being forwarded on.”

Individual users can take several steps to help the cause, Pike said.

“Practice safe computing. Avoid compromised computer problems by staying in control of your password. Change your password periodically. Don’t reply to any emails you receive, including emails that appear to come from pitt.edu, requesting your password,” he said.

The standard recommendation is to change a password every three months. Making that mandatory currently is under discussion.

“For those of you who choose to forward your email, while we’re not trying to dissuade you from that, be aware that is contributing to some degree to the problem,” Pike said. “If you are forwarding your email, make sure you’re using the spam filter correctly and robustly.”

On the flip side, in order to avoid losing legitimate email that is trapped in the spam filter, users should check their message center regularly. Email trapped in the filter remains accessible for 30 days, he said.

“I don’t think we on the committee are going to say this is a perfect solution. We’re going to have to deal with email filters and some blacklisting,” Pike said. “We encourage you to use your spam filter at the highest comfort level. If you are using it aggressively, you have to check your spam filter more often to make sure you’re not missing communiqués from students, and so forth.”

More information on blacklisting and its prevention is available on the CSSD web site: http://technology.pitt.edu/Email.aspx?mp=2&body=E-mail/blacklisting.htm.

—Peter Hart

Filed under: Feature, Volume 41 Issue 4
