i get like 4 pages of spam a day

12/28/2007 4:46:23 PM

maybe you shouldn't have signed up for all those porn mailing lists

12/28/2007 4:49:08 PM

stop using your unity account for porn websites

[Edited on December 28, 2007 at 4:50 PM. Reason : ^fucker beat me]

12/28/2007 4:49:28 PM

use the filtering software that ncsu has

12/28/2007 4:49:58 PM

^^


it's the slippers

[Edited on December 28, 2007 at 4:50 PM. Reason : ^]

12/28/2007 4:50:28 PM

The correct answer is no, you cannot get a new Unity account. It is automatically generated for you, and we do not make new ones in situations like this. As was suggested by others, the PureMessage filters do an excellent job of cleaning spam from most Unity accounts.

More information and setup instructions: https://sysnews.ncsu.edu/tools-php/spam-filter-setup.php

You're welcome to PM me with further questions.

12/28/2007 6:08:39 PM

i never ever ever ever used my unity account for anything besides school, and it got killed with spam. i also had a privacy block throughout college. therefore, one of these things occured:


1) NC State sells your email to credit card companies and other agencies who market to college kids. In turn, your email address ends up on lists

2) NC State does an ineffective job in stopping spammers from fishing for valid email addresses. if they know the account structure and get a list of common last names, they can generate hundreds of thousands of "potential" email addresses almost instantly, and test most of them for validity in a day or two. It's pretty obvious that ncsu doesnt do anything to block hosts who bombard the mailservers with bullshit addresses.

3) Spammers harvested the directory. Anyone with a minimal knowledge of something like VB can harvest a student directory in no time... especially in the format it was in back in the day

4) Spammers harvested the root directory listings for the unity/users/a /b /c /d etc, thereby collecting tons of email addresses. anyone who ever used the old www4 knows what i'm talking about.

IF ncsu doesnt sell the addresses, its still their fault for making it SIMPLE for the addresses to be harvested. they should provide new addresses to the people who want them, and make sure to keep the IDs out of the reach of anyone with minimal computer literacy. and the IT department at ncsu would rather make up excuses and lies than fix the problems that the state information auditor has asked them to look at for years now.



[Edited on December 28, 2007 at 6:38 PM. Reason : .]

12/28/2007 6:36:29 PM

that is one thing that i like about georgia tech

they have a system set up so you can change your email address at any time to whatever you want

i went with firstname.lastname@gatech.edu and if that ever gets hit with spam ill just change the . to something else like a _ or -

12/28/2007 6:39:09 PM

I never used my unity account except for school and I got waay to much to manage.

12/28/2007 6:46:48 PM

thats not a bad plan if youre stuck with that setup

i always felt that important email addresses and especially system LOGINS should NEVER be tied to anything that can potentially be duplicated /guessed by a spammer or hacker. like... it shouldnt be in a format that the email formula can be calculated. if they can calculate most of the potential email addresses, the whole system integrity is weakened.

since yours keeps getting guessed and passed around, i'd see where it exists online and remove it. example, student directory like i was talking about earlier. there are so many bots out there that if its in a directory somewhere, it doesnt matter how much you change it. lots of spam botnets update their databases weekly

12/28/2007 6:47:11 PM

jackleg, none of what I posted above is lying or excuses. my response provided an effective solution to the problem posed by the original poster.

12/28/2007 6:56:55 PM

oh i didnt know you were with the ITD

i was speaking as an in general, not about your post. you did offer help and a type of solution to the problem... just like i was pointing out what i felt the roots of the problem were. but i think you know what i'm talking about too when i say that you guys could make it a little harder for the bad guys to get and test their address lists.

also, its not something i'm gonna sit here and argue all night, but ive seen plenty of instances where IT should have admitted fault, but blame was placed elsewhere. this is a worldwide thing, not pointing at you guys alone when i say it

12/28/2007 7:05:03 PM

fair enough. for what it's worth, there have been a lot of recent changes to the IT structure at NC State, so those of us that work in IT there are hoping to see some interesting and positive changes come out of our transition.

i agree that IT folks at the university can be slow to respond to change. sometimes that's due to a lack of practical information, and sometimes because we're concerned about how changes will impact the campus community.

12/28/2007 7:13:00 PM

http://www.ncsu.edu/it/essentials/email_messaging/pure_message/index.html

[Edited on December 28, 2007 at 7:44 PM. Reason : you might be able to get a different email address but it'll all point at the same box]

12/28/2007 7:42:53 PM

jackleg is like everybody else who gets tons of spam and thinks it isnt their fault.

its real simple, people: quit using your primary (unity) email to sign up for mailing lists, social forums, and buying bullshit off the internet. thats what gmail/hotmail/yahoo are for.

if you only used your unity email for friends/family/school/work... you wouldn't get hardly any spam. maybe one or two dictionary attacks on the ncsu domain would slip past the servers, but nothing worth worrying about.



[Edited on December 28, 2007 at 7:46 PM. Reason : ]

12/28/2007 7:45:17 PM

Quote :

"jackleg is like everybody else who gets tons of spam and thinks it isnt their fault. its real simple, people: quit using your primary (unity) email to sign up for mailing lists, social forums, and buying bullshit off the internet. thats what gmail/hotmail/yahoo are for. if you only used your unity email for friends/family/school/work... you wouldn't get hardly any spam. maybe one or two dictionary attacks on the ncsu domain would slip past the servers, but nothing worth worrying about."

I've used my school email only for school (for a short bit, before I got gmail), family (likewise), and things like TWW and student-related stuff (e.g., facebook, verifying student status for discounts with Verizon and the hurricanes)


I get so. much. fucking spam. I've also had a privacy block since I found about it (middle of fall of 03?)

Jackleg explained pretty well how easy it is to spam NCSU students that I can't believe you really think this.

And hell, my last name is very rare. It's not like my unity is jdsmith3

[Edited on December 28, 2007 at 8:16 PM. Reason : ldkj]

12/28/2007 8:14:04 PM

Quote :

"its real simple, people: quit using your primary (unity) email to sign up for mailing lists, social forums, and buying bullshit off the internet. thats what gmail/hotmail/yahoo are for."

The only things I have used my unity account for are: correspondence with groups from my classes, sign-up for TWW so it was free, sign-up for facebook, and epack (which is linked to experience). All of these have been set up for quite some time and it is only within the past 6 months to a year that I have been getting any spam.

12/28/2007 8:18:14 PM

Quote :

"jackleg is like everybody else who gets tons of spam and thinks it isnt their fault. its real simple, people: quit using your primary (unity) email to sign up for mailing lists, social forums, and buying bullshit off the internet. thats what gmail/hotmail/yahoo are for."

hardly. i know you're more familiar with how i use my email addresses than i am, but i'm gonna stand by what i said earlier. my ncsu email was only used for ncsu classes and ncsu business. my hotmail account was used for anything else, and now its the same with my work email. i use 2 gmail accounts for those "other" things -- and i get ZERO spam at work, because my email address is kept internally and is not able to be harvested

even the guy with ncsu ITD agreed with me. with the way ncsu was set up when i was in school, it was possible to never even TELL ANYONE your email address and still get spam, just because your ID was visible to anyone who dug in the right places. and the ncsu ITD even "admits" that that information was never as secure as it should have been, and have taken steps to fix that as of late.

12/28/2007 8:25:49 PM

jackleg, I just went back and re-read what I wrote earlier this evening. I don't believe any of what I said was "admitting" one way or another to your points. I stated that I can agree to the fact that we can sometimes be slow to respond to change, and that we're going through a major reorganization.

I've lurked for the most part on TWW, and occasionally I'll post messages in threads such as this. I've seen this topic of conversation come up once every few months or so.

What I will say in response to some of the assorted complaints both here and in other threads is this: yes, the IT staff at the university does listen carefully to what students have to say on a variety of topics. We do our best, and we know that sometimes that's not always good enough. We encourage participation in discussion to improve our services, and I'll be happy to pass along suggestions.

[Edited on December 28, 2007 at 8:36 PM. Reason : .]

12/28/2007 8:29:58 PM

i know most of us aren't comfortable with the term "admit", so i'll replace admit with acknowledge and it will still mean the same thing. that's not the point, and there's no need to let ego get in the way of solving problems with information security.

i just have one question that i'd like you to answer honestly. based on the methods i talked about in my earlier post, especially harvesting usernames from the old www4/users/a..b..c..z/, isn't it quite possible for someone to get spam email without ever telling anyone their unity ID because of that "security flaw" or "thing we didnt want to change because of society" or whatnot.

simple question, and we all know the answer. i don't mean to insult your job or ego, i'm just pointing out that you agree that more could be done (at least at the ncsu i remember) to prevent this shit.

12/28/2007 8:44:23 PM

I didn't take it to be a personal ego thing, nor anything insulting. I wanted to clarify what I said earlier, that's all. For now, I'm going to return to lurking. Hope folks have a nice evening and enjoyable New Years'.

12/28/2007 8:50:29 PM

you didn't answer the question. just one question, come on

just to clear up what i'm talking about in case you don't know

i have no idea how it works now, but the personal webspaces used to be on www4.ncsu.edu/unity/users/letter/id

like mine was http://www4.ncsu.edu/unity/users/d/dtoakley/

but if you browsed to http://www4.ncsu.edu/unity/users/d/ - there would be a listing of every single person who had a unity account starting with d. same for every other letter. i can't remember if this included eos users or not, but the information was there for the taking for a number of years and no one ever stopped it, and i always wondered why. especially since those weren't just email addresses, they were LOGINS to the unity "environment"

[Edited on December 28, 2007 at 8:51 PM. Reason : /]

12/28/2007 8:51:07 PM

My apologies, I didn't see your question at first.

If I remember correctly, browsing indexes was disabled on the WWW4 pool a while ago, though I couldn't begin to guess when exactly. As for why it was allowed in the first place, I can only speculate. My guess, however, is that it was either a decision or an oversight made by someone that was configuring WWW4 services when they were first allowed. It probably wasn't an intentional policy decision or something along those lines.

Basically, we disable viewing directory listings for the most part except when it's actually needed. I believe that's the default that we set for most of the servers that run Apache in our environment these days.

12/28/2007 8:58:04 PM

its all good. and yeah thats why i always thought it odd that there wasnt at the minimum a placeholder index file to prevent browsing at the least. and thats just client side. thats the part where i'm saying we agree that it would be entirely possible for anyone listed in that tree to get their userID picked up by a bot (or human with a pencil, ha ha) - therefore allowing someone to send spam to people who have never even used their email account before, along with people who only used the account for school. in other words, that 'flaw' (as i call it) alone would allow the result that i talk about in my original post

i kinda drew the "admit" and "agree" and all that stuff from the inferences that can be made based on what we agree on. haha

also, if you read up on some of the information systems / security audits done on NCSU over the years, you'll see that ITD was advised several times to fix it back in the 90s

[Edited on December 28, 2007 at 9:08 PM. Reason : /]

12/28/2007 9:05:23 PM

Well, stuff like what you've described here is why we've made such a significant investment in anti-spam features, such as adaptive solutions like PureMessage. We've actually been reluctant to force-enable it on all Unity accounts, because we have a lot of users that don't know that it exists or how to make use of it.

FWIW, I've made a standing offer in the past to discuss technology usage at the university, and I'll try to answer questions as best I can.

12/28/2007 9:15:35 PM

and i definitely hope people take you up on it, cause im sure you can help them out. i'm actually in rare form, i tend to keep my opinions to myself when it comes to ncsu

12/28/2007 9:22:59 PM

Quote :

"We've actually been reluctant to force-enable it on all Unity accounts, because we have a lot of users that don't know that it exists or how to make use of it."

By force-enable, do you mean
(a) tell them they must use it, and expect them to turn it on
(b) turn it on, perhaps asking their permission
?

Isn't there some clause in the usage policy that you must use your email responsibly? Using the tools the university provides to block spam seems pretty responsible to me.

Whether folks know how to use it or not, make them. Especially if it's case (b), where they have to do nothing.

12/28/2007 9:23:57 PM

By force-enable, I meant "turn it on without asking." That said, I realize that I actually mis-spoke. We DID start auto-enabling PureMessage filters on NEW Unity accounts something like a year or more ago. I don't remember the exact timeframe, unfortunately. But that's only for new accounts. Anyone who already had an existing account at that time did not see PureMessage enabled by default. It's THOSE older users that tend to send in the spam complaints.

Unfortunately, there isn't really a policy that applies to responsible use of e-mail, except where it applies to specific abuses of the mail system.

12/28/2007 9:29:02 PM

I spent 5 1/2 years as NCSU (2000-05) and used my Email account for school only. I didn't use it as my primary Email address, I didn't use it to sign up for a single thing, and I did not list it in any shape form or fashion. It was for Emailing school departments, professors, project partners, and the like. And frankly, I did see spam, but it really wasn't anything worth mentioning -- certainly not unmanageable.

And my unity ID: elsmith9. As freakin' common as it gets.

[Edited on December 28, 2007 at 9:31 PM. Reason : go go smith]

12/28/2007 9:30:02 PM

There might be something in the student code of conduct pertaining to responsible use of university resources



Are you all not able to just go in, and for anyone who doesn't already have it set up, turn on PureMessage?

12/28/2007 9:31:11 PM

Quote :

"And frankly, I did see spam, but it really wasn't anything worth mentioning -- certainly not unmanageable."

but under the circumstances you described using the account, you should have never seen any spam.

just makes you wonder how that email address got out there. and thats the whole point.

12/28/2007 9:37:54 PM

We definitely can, but the second half of enabling such a change comes in educating the user on how to actually use the spam filtering. That's actually pretty hard to do.

12/28/2007 9:38:26 PM

i forward my unity id mail to gmail. Gmail does a good job to filter the spam.

12/28/2007 9:40:53 PM

so this sounds kinda like a filtering system, like where you can put email from X or with subject containing Y etc etc?

i was thinking of something that uses something like graham filtering or systemwide blacklisting. do you guys do that automatically? i could see the problems that come with turning on filtering for people who dont know how to use it, but what about the stuff that works behind the scenes?

12/28/2007 9:46:41 PM

I don't believe that we do systemwide blacklisting as such. We'll block incoming connections from hosts on the Internet that are actively sending spam. Aside from that, filtering is done by the PureMessage software, for which we have a definitions subscription, similar to that of AV software. I believe our filter "definitions" are updated hourly.

Since you asked, the specific documentation we provide on the filtering software is here: http://www.ncsu.edu/it/mail/puremessage/

Users can setup their own header filters, similar to what you described, for use in either Webmail or a standard mail client.

12/28/2007 9:55:47 PM

ahhh, that's pretty cool. i've been doing a lot of reading lately on rootkits and definition building and all that jazz, but it has been pretty specific to reading and dissecting malware/hidden process/rootkit type stuff, and not antivirus type stuff. but spam definitions used along with blacklists and traditional spam algorithms could put take a big bite out of the problem. but with me its all about prevention to begin with, if possible

12/28/2007 10:04:43 PM

Quote :

"Jackleg explained pretty well how easy it is to spam NCSU students that I can't believe you really think this."

it's no easier to harvest email addresses at NCSU than it is at most any other university, company, or institution. anyone can bruteforce a dictionary attack on userID's versus any given domain name.

certainly the NCSU IT dept has basic spam filtering in place. its not hard. you can buy the service or roll your own. Hell you can get a free subscription to SpamHaus and their RBL, XBL, and CBL lists ... this alone will block >90% of all internet spam.

I was careless with my first unity address (posting on USENET), and it got swamped with spam. i was careful with my next unity address (i dropped out for 2 years then came back), and i never had a problem with spam up until i graduated in '03

now my brother has been a student there since 03. he uses his unity address regularly for class lists, study groups, extracurriculars, friends/family correspondence. He's gotten like three (3) pieces of spam this semester.

clearly, you people are doing shit that exposes your addresses.



[Edited on December 29, 2007 at 1:39 AM. Reason : ]

12/29/2007 1:37:18 AM