What is up with this spam e-mail?
All spam e-mail is sent for one reason:
money. The original phishing e-mail that was sent to JCU
on Saturday, March 2, was also sent to Case Western Reserve University. Many
other universities were likely targeted as well. The people
who sent out the phishing message most likely sold to spammers the
usernames and passwords that members of the JCU community sent back to them. The
spammers logged into the JCU e-mail server and used the system
to send out tens of thousands of messages telling the recipients
they won a lottery or they won something from Pepsi. While
the JCU e-mail server can send out over one-thousand messages
per minute (this is what the spammers find attractive!), many
of the e-mail addresses the spammers send to are invalid. The
server is designed to make sure it delivers every message. When
an invalid address is encountered, processing slows down significantly. As
hundreds to thousands of e-mails with invalid addresses stack
up, response on the server grinds to a halt.
Spammers work on the law of averages. Just
as some of the JCU community members responded with their username
and password, there are people who will respond with their bank
account and credit card numbers. By sending out thousands
of messages, the spammers only need a few responses to make the
result worthwhile. In addition, since each individual theft
is typically small, it is difficult to obtain law enforcement
attention to address the problem.
JCU IS staff has been working with the e-mail
system vendor to put safeguards in place to make the JCU e-mail
server less attractive to spammers. The current maximum
number of recipients for any one message has been reduced from
2000 to 50. This limit had been set to accommodate different
programs on campus, but is no longer an option. Filters
are also being tested which will be much more restrictive on
message delivery. E-mail server tuning is a balancing act. While
more restrictive filters will sharply curtail spam attacks, they
may also hinder legitimate use of the server.
Another consequence of the JCU server being
used as a source of spam is the block (or black) listing of the
server by some Internet Service Providers (ISPs). JCU IS
staff is working diligently to convince these ISPs to remove
the JCU server from their block list.
Early-warning measures have also been put
in place which should allow the IS staff to respond to future
attacks more quickly. In addition, alternative e-mail systems
and providers such as Gmail and Microsoft Live @ edu are being
evaluated as potential replacements for the current system.
Why has the server been so slow?
As mentioned above, this is due to suspected
software problems. JCU IS staff has been working with the
server vendor to isolate the problems and correct them. Two
patches were applied on Monday, March 10th, which appear to have
had a positive impact on server performance. Another major
patch is currently being tested by the vendor and is expected
to be released in the near future. This patch should address
additional identified issues. The software on the e-mail
server has not changed since last November, which indicates that
the source of the software problems originates in the interaction
of the server with other programs. Indeed, the patches applied
on Monday relate to the interaction between the server and IMAP
clients such as Outlook. It is likely the case that a change
in the Outlook client (and possibly other clients) is the source
of the slowness issues which appeared mainly in the webmail client.
In Summary
The IS staff fully understands the difficulty
this situation has caused and will continue to address it until
an acceptable, long-term solution has been identified and put
into place. Thank you for your patience and consideration
as we continue to strive to deliver the top-notch service you
have come to expect. In addition, thank you for taking
the time to read all the way through this long explanation! As
you have seen, the issues involved are complex.
Please feel free to contact me directly
with any questions you may have. I will do my best to respond
to them in a timely fashion.
Jim Burke
Information Services