Information Technology Systems and Services.
ITSS home

infotech.NEWS

Technology news for UMD faculty, staff and students

Why Does it Say [Warning: Phish?] in My Email Subject Line?

The prefix [Warning: Phish?] on an email subject line helps to alert you of a possible scam. It is added to a message, which is suspected of being an unsolicited email that could lure you in and prompt you to provide valuable personal and financial information.

Phishing is a malicious attempt to acquire sensitive information by electronic communication. A typical example is an email message directing the recipient to provide their passwords, credit card details, or banking information.

Google, Yahoo, and other major players in mail routing block a lot of the Phish attempts that might otherwise clog your in box. ITSS goes further, utilizing a filtering mechanism that adds the text "[Warning: Phish?]" to any email that makes it into your in box, but has a pattern that correlates to known Phishing methods. We do periodic (nearly daily) reviews and tweak filters based on pattern histograms and sender demographics.

A few years ago, roughly 2 to 3 million emails directed to UMD accounts each day were not valid communications but were phish or some other kind of spam (unsolicited email). Only 2% of the incoming mail stream was valid at that time.

Currently, Google, Yahoo, and other major players are much better at filtering, and our volume of incoming mail is much smaller and more likely to be valid. Still, between 800 and 1000 messages per day are flagged by our filter. These are messages that Google missed and the vast majority of them are Spam and/or Phish.

Sometimes our filtering process results in a "false positive" and misidentifies a valid email message as a Phishing attempt. Following questions about that this spring, we did some work analyzing these false positives and initiating plans to improve the process.

Analyzing a representative sample (25% of the email marked with "[Warning: Phish?]" on a randomly chosen day) ITSS determined:

  • 1% was false positives - valid email messages incorrectly marked as "[Warning: Phish?]"
  • 50% were correctly identified as phish (looking for credentials personal data, financial info, etc.)
  • 49% were other types of spam - not Phish but also not valid messages.

While that may seem like a pretty good rate of success, it also means that about 8 emails a day are incorrectly labeled as Phish. That is too many and we want to do better. We have been considering three different methods to improve our process:

  • List of senders to be exempted: The upside of this approach is that mass email messages with priority could circumvent the process and we would at least eliminate any high profile false positives. The down side those accounts with the bypass privilege could be abused (spoofed or hacked). Then we would avoid a high profile embarrassment and potentially replace it with a high profile security incident. We have done this for a very few bulk senders (such as the Lyris system) and will continue to do so but we don't intend to do it for individual accounts.
  • Moderator: This is a process of quarantining suspicious messages and having a person or persons sorting through to allow the valid messages to pass through a temporary "purgatory." The upside is it would be extremely accurate. The downsides are that it is a terrible job for a human to have to do and it could delay messages quite a bit due to backlogs.We did try this method between 2008 and 2010 and learned that we do not want to do it again.
  • A bypass mechanism: In this scenario, emails that satisfy the bypass mechanism won't be tagged. In essence, this is creating a more complicated filter process than what we have now. The upside is that we would have a more accurate automated process. The downside is that this could be complicated and time-consuming logic for us to create because it is based on several interwoven criteria. This is our preferred approach.

Phishing and other spam are a constantly changing and huge issue for us. We will continue to try to stay ahead of most of the malicious sources, but it is likely we will continue to let some spam slip through and mis-identify a few valid messages. We appreciate your reports, questions and concerns about suspicious email. The best way to report them is an email to itsshelp@d.umn.edu or a call to 218-726-8847.

For more general information about Phishing, consult the Wikipedia Phishing Entry.