From the Help Desk ... What is Email Spoofing?
Why am I receiving more spam than ever before?

At the Help Desk, we are receiving reports of mailboxes being inundated with spam (junk mail). The problem is more serious than ever before, and for many people the first thing to do upon opening the mailbox is to delete spam. Sometimes you receive spam which appears to have been sent by one of your friends or colleagues. If you reply and ask the sender to stop sending junk mail, the only result is an error message from the remote mail server saying "user unknown". What you are seeing is the latest Internet con game, called email spoofing. (To spoof means to trick someone into believing or accepting something false as genuine.)

What is Email Spoofing?

A spammer or a computer virus can forge the sender information in an email (the From: address in the message header and the sender address given to the receiving mail server) so that the message appears to come from a trusted host, from one of your friends, or even from your own email address. Nothing in the mail protocol itself checks that these addresses are genuine. If you have ever left your email address at an Internet site or exchanged email with other people, a spoofer may be able to use your email address as the sender address of his spam.

A computer virus (e.g. the W32.Klez family of viruses) can use email spoofing to spread itself. W32.Klez searches the Windows address book for email addresses and sends messages to all the recipients it finds. The sender address, subject and attachment name of each message are chosen at random, so the virus generates a lot of spam carrying virus attachments, each apparently sent by a person who never sent it. A recent report says that W32.Klez has become the top virus at anti-virus companies, and that a high percentage of email (1 in 300 messages) carries it. (http://www.cnn.com/2002/TECH/05/27/virus.klezh/index.html) A good paper on the technical mechanisms of spoofing can be found at http://bau2.uibk.ac.at/matic/spoofing.htm

Many users have complained to the Computer Centre that they are receiving more spam than ever.
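As an added example (not part of the original article): the Python script below, run over a constructed spoofed message, shows that the From: line is whatever the sender chose to write, and how to read the Received: lines to find the host that actually handed the message to our servers, which is the information the full header supplies for a spam report. The host names, the network range and the message itself are assumptions for illustration, not HKU's real configuration.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the full headers of a spoofed mail as the
# recipient would see them. From: claims a colleague at hku.hk, but the Received:
# lines show the message entering our servers from an outside host.
SAMPLE = """\
Received: from mx1.hku.hk (mx1.hku.hk [192.0.2.5])
        by mailbox.hku.hk (8.12.3/8.12.3) with ESMTP id g4R0sv98765
        for <user@hku.hk>; Mon, 27 May 2002 08:54:31 +0800
Received: from mail.example.net (unknown [203.0.113.45])
        by mx1.hku.hk (8.12.3/8.12.3) with ESMTP id g4R0sU12345
        for <user@hku.hk>; Mon, 27 May 2002 08:54:30 +0800
Received: from colleague-pc (colleague-pc [10.0.0.7])
        by mail.example.net with SMTP id 4321; Mon, 27 May 2002 08:54:12 +0800
From: "A Colleague" <colleague@hku.hk>
To: user@hku.hk
Subject: Re: your document
Message-ID: <20020527005412.4321@mail.example.net>

Please see the attached file.
"""

# Assumed for the example: our own mail servers and the network they live on
# (placeholders, not HKU's real host names or address range).
LOCAL_MAIL_HOSTS = {"mx1.hku.hk", "mailbox.hku.hk"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAIN = "hku.hk"

# "from <helo> (<reverse name> [<ip>]) by <host> ..." as written by sendmail and others.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract the HELO name, the IP the receiving server saw, and the receiving host."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by").lower()}


def is_local_ip(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def entry_point(raw):
    """Find the hop at which the message entered our servers from outside.

    Each server prepends its own Received: line, so the first line is the newest.
    Walk newest-first, skip hand-offs between our own servers, and stop at the first
    line written by our server for a connection from a non-local IP: that IP is the
    host to report. Every Received: line below it was written by outsiders and is as
    forgeable as the From: line.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["by"] in LOCAL_MAIL_HOSTS and not is_local_ip(hop["ip"]):
            return hop
    return None


def spoof_report(raw):
    """What a spam report needs: the claimed sender against the real point of entry."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    hop = entry_point(raw)
    return {
        "claimed_from": claimed,
        "entry_ip": hop["ip"] if hop else None,
        "entry_helo": hop["helo"] if hop else None,
        # A local From: address delivered to us from outside our own network is the
        # tell-tale of spoofing; nothing in SMTP itself prevents it.
        "claims_local_but_external": claimed.endswith("@" + LOCAL_DOMAIN) and hop is not None,
    }


if __name__ == "__main__":
    for key, val in spoof_report(SAMPLE).items():
        print("%-26s %s" % (key, val))
```

The report for the sample names 203.0.113.45 (HELO mail.example.net) as the host that connected to mx1.hku.hk, while the From: line claims colleague@hku.hk; the bottom Received: line naming colleague-pc proves nothing, since the outside relay wrote it.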
This is because some computer viruses and real spammers are employing the technique of spoofing to disseminate their advertisements. They do not care whether you respond to their ads or not; they just want you to see their messages at least once.

What can be done against spam?

1. Closing open relay servers in HKU

The Computer Centre has implemented the registration of departmental email servers so that our servers cannot be used for relaying spam. (See the article in Computer News issue no. 94.) Also, the mail servers of the Computer Centre are configured not to send mail for users who are not HKU members. As a victim of spam, you can print out the full header of the email and send it to "spam-report@hku.hk". The full header, not just the From: line, is what matters: the From: address is forged, and only the Received: lines added by our own servers show which host actually delivered the message to us.

2. Filtering of email viruses

The filtering of computer viruses in incoming email was implemented in 2001. Starting in June 2002, we will also filter viruses in outgoing email sent from our mail servers. (See another article in this issue of Computer News.) This will reduce the spread of viruses and of the spam they generate.

3. Stopping spam from black-listed spam sites

It has been a common practice for email servers to consult a black-list of spam sites. (For years the Unix mail system "sendmail" has included code for consulting such a black-list.) As the Computer Centre has always been asked by our users to tackle the problem of spam, we have used the ORDB black-list since 2000 to look up spam sites and so minimise the influx of spam into our servers. ORDB is an organisation that fights spam by maintaining a black-list of open relay email servers. An open relay email server will process mail sending requests from anyone on the Internet: it does not require that the sender of a message be a local user of that server, or that the sender email address be a valid one. Such open relays are often used by spoofers to send out their spam. The administrators of a black-listed server can remove their server name from the ORDB database.
The ORDB web site gives specific instructions for server administrators to follow to close the open relay on their servers and to remove their server names from the ORDB black-list. There is a side effect of using a black-list of spam sites: legitimate mail from a black-listed server will also be rejected by our mail servers, since the list records servers, not individual senders. If you come across a situation where you cannot receive mail sent from a certain email server, you should obtain the rejection notice with the full header of the bounced email and send it to "ithelp@hku.hk". The Computer Centre will then verify whether the sender's server is indeed black-listed or the rejection was due to some other reason. If it is due to a black-listed server, we will try to notify the sender's server administrator so that he can rectify the problem. The onus is on the black-listed server administrator to take the necessary steps to close the open relay and to remove their server name from the black-list.
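As an added example (not the Computer Centre's own configuration or code): the Python below shows the black-list lookup a mail server such as sendmail performs, with the connecting client's IP octets reversed under the list's DNS zone and an answer in 127.0.0.0/8 meaning "listed", together with the RCPT TO decision that separates a closed relay from the open relay ORDB lists. The zone name, local domains and network range are placeholders, and the DNS answers are a constructed stand-in so the example runs offline. ORDB itself closed down in 2006; the mechanism is the same for the DNS-based black-lists that replaced it.

```python
import ipaddress

# Assumed local configuration for this example (placeholders, not HKU's real settings).
LOCAL_DOMAINS = {"hku.hk", "cs.hku.hk"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
DNSBL_ZONE = "relays.example.org"   # placeholder zone name for the black-list


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: the client's IPv4 octets reversed, under the list's zone.
    203.0.113.45 becomes 45.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS so the example runs offline: query name -> A records.
FAKE_DNS = {
    dnsbl_query_name("203.0.113.45"): ["127.0.0.2"],   # an open relay that is on the list
}


def fake_resolve_a(name):
    return FAKE_DNS.get(name, [])


def is_listed(ip, resolve=fake_resolve_a, zone=DNSBL_ZONE):
    """A DNS black-list answers a listed address with an A record in 127.0.0.0/8
    and gives no answer (NXDOMAIN) for an address that is not listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in resolve(dnsbl_query_name(ip, zone)))


def is_local_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def relay_decision(client_ip, authenticated, rcpt, resolve=fake_resolve_a):
    """Closed relay: the RCPT TO decision a properly configured server makes.
    Returns the SMTP reply it would send."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        # Inbound mail for our own users: accept, unless the connecting host is black-listed.
        # This is the side effect described above: a listed server's legitimate mail is
        # refused too, because the list names servers, not individual senders.
        if is_listed(client_ip, resolve):
            return "550 5.7.1 Mail from %s refused; see %s" % (client_ip, dnsbl_query_name(client_ip))
        return "250 2.1.5 OK"
    # Mail for elsewhere: only our own network or authenticated users may relay through us.
    if authenticated or is_local_client(client_ip):
        return "250 2.1.5 OK"
    return "550 5.7.1 Relaying denied"


def open_relay_decision(client_ip, authenticated, rcpt):
    """What an open relay does: accepts any recipient from anyone, asking nothing about
    the client or the sender. This is the behaviour that gets a server on to the list."""
    return "250 2.1.5 OK"


if __name__ == "__main__":
    print(relay_decision("203.0.113.45", False, "user@hku.hk"))        # listed host, refused
    print(relay_decision("198.51.100.9", False, "someone@example.com"))  # outsider relaying, denied
    print(relay_decision("192.0.2.20", False, "someone@example.com"))    # our own network, allowed
```

The rejection text is what ends up in the bounce a sender receives, which is why the article asks for the rejection notice with the full header: it names the black-list and the address that was looked up, so the Computer Centre can tell a black-list rejection from any other cause.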
Tel: 2859 8934 E-mail: chaumabc@hku.hk