Detecting pishing mails and mails with malware

Unfortunately, it is not possible to prevent malicious emails from reaching HTW-Dresden time and again. Mail addresses must be published for teaching and public relations purposes, and are therefore known.

Please delete such mails from your mailbox immediately!

Malicious e-mails include:

  • Pishing e-mails: Attempts to obtain the user's personal data via fake websites or e-mails in order to commit identity theft / to passwords
  • E-mails with malicious code (ransomware, Trojans, backdoors)

You have accidentally entered your password?

If you have accidentally entered your password on the linked address of a malicious mail, change it immediately via the HTW websites or on your domain PC. Instructions for changing the password can be found on the ZID web pages.


How do you recognise such mails?

Even one or two applicable points can be a sufficient indication of a forgery:

  • Fake / strange sender address / recipient address (e.g. the sender address is not an HTW email but e.g. a Gmail address, although the alleged sender is a member of the HTW).
    • Attention, the sender can also be fake!!! A known sender is no guarantee of authenticity!
    • Often similar addresses are used (e.g., instead of
    • In Outlook, HTW-internal senders are displayed with last name, first name
    • Make sure that the tone of voice matches the alleged sender
  • There are threats of consequences; e.g. a mail account deletion for not responding in 48 hours pressure from an alleged superior.
  • A strong sense of urgency is conveyed
  • Curiosity is aroused (the news is too good to be true)
  • meaningless subject,
  • missing of personal address,
  • the content is absurd or in bad spelling/grammar
    • Attention! Due to the possibility of generating or translating the text with AI-supported tools, this need no longer apply
  • a copyright symbol in the text,
  • ominous external link,
  • missing of a closing salutation,
  • missing text signature,
  • the mail was sent during the night
  • Error in the official designation.
  • Missing PKI signature
    • On the web page sign and encrypt you will find detailed information on sending mails with a signature and on how to recognise the signature.

Further examples of the distribution of mails with harmful content

  • Reply with a forged sender to a mail communication that really took place:
    • E-mail traffic is easy to intercept if it is not encrypted. If in doubt, ask via another medium (e.g. via a phone call) whether the content or attachment is really relevant.
  • Mail traffic from an account hijacked at the HTW-Dresden with a real HTW sender address
    • In this case, send an email to so that we can block the hijacked account.

Überprüfung des Mail-Headers

Check in Outlook

To check the header of a message in Outlook:

  • Open the message with a double click
  • Click on the box for message options under the item Marks.
  • Under Internet headers you will now find the history of the e-mail traffic
  • Pay particular attention to the Received: from and MessageID fields.
  • You can find examples of forged sender addresses at the bottom of this page

Check in Thunderbird

To check the message To check the message header in Thunderbird:

In the menu, select View --> Headers and there select All


Structure of a web address

How do you recognise a web address and its origin?

A web address has at least the following components (explained with 2 examples):



1 http:// oder https:// Denotes the protocol
http is unencrypted, please do not submit any confidential data to the website here
https is encrypted
2 www
Server name,
can also be composed of several parts, with .separated
3 htw-dresden Domain, on pages of the HTW Dresden always htw-dresden
4 Land de=Germany com=commercial*
net=Network management*
5 / Any information can be placed after this /
6 Directory the directory can have any depth and any name

*Can now be awarded to any operator

By moving the mouse over a link (no click!) the real link is displayed.

Here are three examples of a hidden link abroad:

Beispiele für gefälschte Links

This link suggests that it is linked to the HTW-Dresden.

However, when the mouse button is hovered over, an address in Turkey is displayed (recognisable by the .tr)

This mail has several spam characteristics:

  • It was sent in the middle of the night
  • It contains the threat that the account will be blocked in 24 hours and 7 mails are waiting to be read
  • the sender is not from the HTW
  • The link leads to Montenegro (.me)

Even though in this case is included in the mail address, this is a link pointing to a web address in Greece.

All information after the first simple / designates only the directory structure and does not contain any information about the server!

HTW-Dresden will not ask you to change your login data via a link.

This link leads to a completely different address.

Always change your password by going directly to --> University --> IT Service Centre --> User management and drives --> Change HTW-Login-Passwort  or via a method described on the page "Hints on changing the password"

Mail header of a forged sender address

Instructions on how to access the mail header can be found at the top of this page

Here, the mail supposedly comes from an HTW mail address.

You can see from the marked entries that this mail actually comes from a server with a foreign IP and foreign server name.

Also pay attention to the MessageID entry. Here, too, it is obvious that this mail originates from a foreign server.

You can see from the first entry that the mail does not come from the HTW, but from Japan.

The message ID is the ID of a foreign server.