Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Mon, 27 Oct 2014 18:37:31 +0000

We typically just respond with our auto reply, unless we need specific information.  Here's a copy.

Thanks for contacting the Northwestern University Information Security team.  This reply confirms our receipt of your 
message and provides information on our team's policies and procedures.

We appreciate your personal commitment towards keeping the Northwestern network secure.  If you are reporting a 
suspicious email please note that we are particularly interested in messages trying to obtain credentials for 
university services.

The University does prevent most fraudulent or unsolicited bulk messages from reaching our network, but there will 
always be some that get through.  You can manage these through your personal email client.  Help is available by 
sending a message to consultant () northwestern edu.

Do not click on any links or submit personal information in response to any suspicious messages.  If you did submit 
personal information please change your NetID password at once and notify us immediately, otherwise simply delete the 
message.  We will attempt to get the fraudulent site disabled and block access from Northwestern's network.

You may not receive any further replies about the status of this incident due to privacy and legal restrictions, but be 
assured that we investigate and take appropriate action on any and all information sent to this address.

If you have any further information to share with us about this incident, please reply to this email to ensure that 
your correspondence with us is properly tracked.

Additional information about spam:

"From:" email addresses are easily and commonly forged and are not an appropriate way to determine where a spam message 
originated.  If a spam email's only association to Northwestern University is the presence of northwestern.edu in the 
email address with no accompanying Northwestern University IP address in the email headers, we have had no part in its 
origination and can take no mitigating action.

With this in mind, we require the full email headers to investigate any spam complaint.  Please verify that the email 
originated on our network by finding the original IP from the email headers and doing a whois lookup on that IP address 
(more information can be found at whois.arin.net).

If you have trouble obtaining the email headers, please follow the below link for instructions on how to do so within 
many common email applications:

<http://oit.nd.edu/email/fullheaders.shtml>

If you are reporting a bounce notification for a spam message that you did not send, your email address is likely being 
forged in spam mails.
There is unfortunately nothing we can do to stop those bounces, and we suggest that you filter those messages in your 
email client until they subside.

--
NUIT - Information Security (1 business day response time)
Non-Emergency Phone: (847)467-6662 (8:30AM-5:00PM, Mon-Fri ask for Security)
Emergency Phone:     (847)467-6662 (24/7/365--ask for the On-Call Network Engineer)

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Leland 
Lyerla
Sent: Monday, October 27, 2014 1:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Response to phishing e-mails

As they become more aware of how to identify phishing e-mails, our faculty and staff let us know via e-mail when they 
come across one in their in-box. I do not want to discourage their vigilance, but I would appreciate any suggestions on 
how to manage/respond to these messages.

Leland
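
The header check that the auto-reply above asks reporters to perform, written out as an added example (not part of the original thread): it walks the Received headers oldest hop first, takes the first non-internal sender IP, and tests it against the organisation's address space. The sample message, the `example.edu` names, and the `ORG_NETS` range are constructed placeholders.

```python
import email
import ipaddress
import re

# Internal/loopback ranges that cannot identify an external origin.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Placeholder for the organisation's own address space (assumption).
ORG_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: forged From: address, documentation-range IPs.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.25])
\tby mailbox.example.edu with ESMTP; Mon, 27 Oct 2014 12:00:05 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP; Mon, 27 Oct 2014 12:00:03 -0500
Received: from [10.0.0.5] (unknown [203.0.113.44])
\tby relay.example.net with ESMTP; Mon, 27 Oct 2014 12:00:01 -0500
From: "Help Desk" <helpdesk@example.edu>
Subject: Verify your account

body
"""

def hop_ips(raw_message):
    """Sender IP recorded by each Received hop, oldest hop first.
    Hops older than the first server you control are sender-supplied."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        sender_part = re.split(r"\sby\s", header, maxsplit=1)[0]
        for text in BRACKETED.findall(sender_part):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if not any(ip in net for net in NON_ROUTABLE):
                hops.append(ip)
                break
    return hops

def originated_here(raw_message):
    """Return (origin_ip, True if that IP is inside ORG_NETS)."""
    ips = hop_ips(raw_message)
    origin = ips[0] if ips else None
    return origin, origin is not None and any(origin in n for n in ORG_NETS)

if __name__ == "__main__":
    print(originated_here(SAMPLE))
```

The returned origin IP is the address to look up in whois; in the sample the From: line claims the organisation's domain while the origin lies outside `ORG_NETS`, which is the forged-sender case the auto-reply describes.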
