Detect malicious emails

Detecting phishing mails and mails with malware

Unfortunately, it is not possible to prevent malicious emails from reaching HTW-Dresden time and again. Mail addresses must be published for teaching and public relations purposes and are therefore known to attackers.

Please delete such mails from your mailbox immediately!

Malicious e-mails include:

  • Phishing e-mails: attempts to obtain the user's personal data or passwords via fake websites or e-mails in order to commit identity theft
  • E-mails carrying malicious code (ransomware, Trojans, backdoors)

How do you recognise such mails?

Even one or two applicable points can be a sufficient indication of a forgery:

  • Fake or strange sender / recipient address (e.g. the sender address is not an HTW address but a Gmail address, although the alleged sender is a member of the HTW).
    • Attention: the sender address can also be faked! A known sender is no guarantee of authenticity!
    • Look-alike addresses are often used (e.g. amzon.com instead of amazon.com).
    • In Outlook, HTW-internal senders are displayed as last name, first name.
  • Meaningless subject line
  • No personal salutation
  • The content is absurd or has poor spelling or grammar
  • Threats of consequences, e.g. deletion of the mail account if you do not respond within 48 hours
  • A copyright symbol in the text
  • Ominous external link
  • No closing salutation
  • No text signature
  • The mail was sent during the night
  • Errors in the official designation
  • Missing PKI signature
    • On the web page Sign and encrypt you will find detailed information on sending mails with a signature and on how to recognise the signature.

Further examples of the distribution of mails with harmful content

  • A reply with a forged sender to a mail exchange that really took place:
    • E-mail traffic is easy to intercept if it is not encrypted. If in doubt, ask via another medium (e.g. a phone call) whether the content or attachment is really relevant.
  • Mail traffic from an account hijacked at the HTW-Dresden, with a real HTW sender address:
    • In this case, send an email to service.rz@htw-dresden.de so that we can block the hijacked account.

Checking the mail header

Check in Outlook

To check the header of a message in Outlook:

  • Open the message with a double click.
  • Click on the box for message options under the item Marks.
  • Under Internet headers you will now find the sender of the mail under FROM and the history of the e-mail's transmission.

Check in Thunderbird

To check the message header in Thunderbird:

In the menu, select View --> Headers and there select All.

Structure of a web address

How do you recognise a web address and its origin?

A web address has at least the following components (explained with two examples):

https://(1)www(2).htw-dresden(3).de(4)/(5)hochschule/organisation/rechenzentrum/arbeitsplatz-und-kommunikation/e-mail/signieren-und-verschluesseln(6)

https://(1)jobboerse(2).htw-dresden(3).de(4)/(5)jobsuche/(6)

  1  http:// or https://   Denotes the protocol.
     http is unencrypted; please do not submit any confidential data to such a website.
     https is encrypted.
  2  www / jobboerse       Server name; can also be composed of several parts, separated by dots.
  3  htw-dresden           Domain; on pages of the HTW Dresden this is always htw-dresden.
  4  de / com / org / net  Country or top-level domain: de = Germany, com = commercial*, org = organisation*, net = network management*
  5  /                     Any information can be placed after this /.
  6  Directory             The directory can have any depth and any name.

*Can now be awarded to any operator.

By hovering the mouse over a link (without clicking!) the real link address is displayed.

Here are three examples of a link that secretly leads abroad:

Examples of forged links

This link suggests that it leads to the HTW-Dresden.

However, when the mouse pointer hovers over it, an address in Turkey is displayed (recognisable by the .tr).

This mail has several spam characteristics:

  • It was sent in the middle of the night.
  • It contains the threat that the account will be blocked in 24 hours and that 7 mails are waiting to be read.
  • The sender is not from the HTW.
  • The link leads to Montenegro (.me).

Even though in this case htw-dresden.de is included in the address, this link points to a web address in Greece.

All information after the first single / only designates the directory structure and contains no information about the server!
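As an added illustration of the address structure in the table above and of the rule that nothing after the first / identifies the server (this code is not part of the original page), the following Python splits a link into protocol, server name, domain and country code and reports why a link that merely contains "htw-dresden.de" somewhere does not actually lead to the HTW. The trusted domain comes from the page's examples; the two look-alike links are constructed, and the single-label country code assumption is noted in the comments.

```python
from urllib.parse import urlsplit

# Trusted domain taken from the page's own examples.
TRUSTED_DOMAIN = "htw-dresden.de"


def classify_link(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> dict:
    """Split a link into the components named in the table above and say
    whether it really points at the trusted domain."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # hostname drops any user@ prefix and :port, so 'www.htw-dresden.de@evil.gr'
    # resolves to the real server 'evil.gr'.
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".") if host else []
    # Items 3 and 4 of the table: the domain is the label before the country
    # code, the server name is everything in front of it. This assumes a
    # single-label country code such as .de; two-label suffixes like .co.uk
    # would need a public-suffix list, which is out of scope here.
    tld = labels[-1] if labels else ""
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    server = ".".join(labels[:-2])
    trusted = domain == trusted_domain
    reasons = []
    if scheme != "https":
        reasons.append("not https: " + (scheme or "no protocol"))
    if parts.username is not None:
        reasons.append("user@ prefix hides the real server name")
    if not trusted:
        reasons.append(f"server belongs to '{domain}' (.{tld}), not {trusted_domain}")
        if trusted_domain in host:
            reasons.append("trusted name used only as part of the server name")
        if trusted_domain in parts.path:
            reasons.append("trusted name appears only after the first /")
    return {"scheme": scheme, "server": server, "domain": domain, "tld": tld,
            "path": parts.path, "trusted": trusted, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; the two HTW ones come from the page.
    for link in [
        "https://www.htw-dresden.de/hochschule/organisation/rechenzentrum",
        "https://jobboerse.htw-dresden.de/jobsuche/",
        "http://htw-dresden.de.login-check.gr/konto",       # constructed look-alike
        "https://mail.example.me/htw-dresden.de/passwort",  # constructed look-alike
    ]:
        r = classify_link(link)
        print(("OK      " if r["trusted"] else "SUSPECT ") + link)
        for reason in r["reasons"]:
            print("         - " + reason)
```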

HTW-Dresden will not ask you to change your login data via a link.

This link leads to a completely different address.

Always change your password by going directly to www.htw-dresden.de --> University --> IT Service Centre --> User management and drives --> Change HTW-Login-Passwort, or via a method described on the page "Hints on changing the password".