BETT: Brunel tackles harrassment with anti-spam

Violent, threatening emails are now quarantined and trackable at Brunel University, letting the IT team prevent online harrasment and track those guilty to help protect their students.

In a six-figure investment, the West London university signed up for Secure Computing's IronMail system just over three years ago in order to help them manage the deluge of incoming email, but it was quickly put to a more specific use when one of their 13,000 students was subjected to harrasment via email.

The details of the case were just recently disclosed by the university to protect those involved. According to Iain Liddle, policy development and quality manager at the computing centre, a Korean mathematics student was being harrassed by a British-Korean student using the university's own mail service. The harrasser accused victim Kim-Chan Sook of "betraying her homeland" by involving herself with students outside the local Korean community.

Using free web-based email accounts, the harraser sent over 150 messages to Kim-Chan, including death threats, and also sent messages pretending to be Kim-Chan to her classmates.

Liddle said many schools would simply change Kim-Chan's email address, but that her identity at the school was linked to it via her records and mailing lists, so he looked for another solution. Using IronMail, he had the ability to create a specific solution, he said.

"I saw that the solution for spam had all the hoops to allow it to solve this specific problem," Liddle told IT PRO on the sidelines of the BETT conference in London today. "IronMail had the ability to go straight for the jugular on this one."

First, Liddle used IronMail to create a specific anti-spam dicitionary including "a short and nasty dictionary of obscenities in the langauge being used," he explained. This let him flag and quarantine the inbound emails inorder to monitor the situation and see where the mail was coming from.

Liddle said he was convinced the harraser was Brunel-based, but discovered the email was being sent from eight accounts set up in the name of the victim herself - the harraser was using the accounts to send emails to Kim-Chan's classmates which appeared to be coming from her. The mail was being sent from a non-university IP, so Liddle couldn't simply shut it down.

After the emails became more violent, the Metropolitan Police were involved, but said they couldn't take action until Kim-Chan herself made a formal complaint. However, the quarantined emails collected by Liddle would have been good evidence had the case gone to court.

In the end, Liddle's quarantine was so successful that Kim-Chan saw no more emails in the four months to her graduation. "As far as she was concerned, we did exactly what she needed as far as stopping the email reaching her," said Liddle.

Such cases of harrasment by email are brought to Liddle's attention about every three to four months at Brunel, he said. "After the Kim-Chan case, we got better at it, and faster," he said, adding that now his team can react in a snap.

"We have a duty of care to protect staff and students against bad email in the same way as we do as ensuring no bad air in labs," he said. "No asbestos, no spam."

But it's not easy to balance blocking unwanted spam with so much diverse material coming into the university, he said. For example, anti-Semitic text is usually junked as spam. "But we do have a modern history department, which is talking about the holocaust," and might recieve materials containing certain key words, he explained. As well, his team needed to block viagra spam from some parts of the school without preventing health researchers from recieving their materials. "We needed to stop viagra spam from getting to secretaries in accounting while letting health sciences get what they might need," he said.

In this case, he used IronMail to apply quarantines in groups with a lot of granularity - letting certain type of mail get through to certain groups, but not others. "For most Secure Computing customers, it's a frill, but for some of these policies, we need to split people up," he explained.

The system has helped manage the five million incoming emails to those at the university recieve each week - some 98 per cent of which is stopped or quarantined. "When IronMail went in, it took an Alumni Officer just five minutes to sift through the morning mail, instead of up to two hours," Liddle said.

While some good email does get blocked, it's no more than a few incidents a week, much of which turns out to be a problem on the sender's end, said Liddle. "A little friendly-fire is accepted," he said. "The alternative would be horrendous."

But working with Secure Computing's latest innovations has let them improve their quarantines from text to include images, as well using reputation scoring for IP addresses to help prevent unwanted messages while still allowing good mail.

Indeed, Secure Computing takes feedback from all its customers, tracking day-to-day acticity. "For us, getting specific feedback, especially in targeted attacks, allows us to improve the product," said Mike Smart, Secure Computing's EMEA product manager. "For us, a lot of customers use different aspects of the product, so they feedback in a blended way which helps against blended attacks."

University students, such as those at Brunel, play a key part in gathering information about malware in email or on the web because they access such tools in a more diverse way than other people. "University users are in fact visiting a more diverse part of the internet than business or consumers... so it lets us get better coverage," Smart said, adding that many anti-virus vendors would never have to deal with an attack as targetted as that against Kim-Chan.

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook