Email filtering at Purdue is largely effective, here’s why it may not seem like it sometimes

Phishing emails typically try to provoke fear and stress urgency to get you to click a link or take some other action, like entering your password.

That call for grant proposals you were waiting for got quarantined as spam but the third phishing email this week offering you loads of “cool cash” for dog walking just hit your inbox. What gives?

How Purdue email is filtered to weed out spam, phishing and other malicious mail depends, in large part, on where the message originates.

Mail from outside Purdue’s Office 365/Outlook email system passes through Cisco filtering, which uses a proprietary algorithm to decide whether a message should hit your inbox or be shuttled to the Cisco Quarantine holding area. (Note: While these filtered messages generally originate externally, some campus units operate their own mail systems, rather than using Office 365, and these messages are filtered too because the scanning system views them as “external.”)

Why does Cisco let so many phishing emails through?

The short answer is that it doesn’t. Phishing emails campus users receive are most often sent from legitimate Purdue accounts that have been compromised – in many cases, ironically, because the user fell for a phishing email and gave up their username and password to the bad guys.

Purdue Office 365/Outlook email does not pass through the Cisco filter so neither do these “internal” phishing messages.

  • Purdue Office 365 user to Purdue Office 365 user messages, both good and bad, do pass through Office 365’s built-in mail filter and could end up in your Outlook Junk Email folder.
  • Just as you check your Cisco Quarantine you should check your Junk Email folder regularly and move messages you actually want to your Inbox.
  • Office 365’s filter tends to trust mail from another Office 365 user, however, so its effectiveness can be hit or miss. Hence the “cool cash” and other phishing emails that get passed around the University regularly.

ITaP security shuts down compromised Purdue accounts rapidly, halting distribution of phishing emails from the account. ITaP also scans all Purdue mailboxes looking for copies of phishing messages that have been distributed and removes those as part of the remediation process.

The fact is that the Cisco filtering system catches and blocks most of the junk and malicious messages trying to pass through it on the way to Purdue inboxes. Does bad email ever get through? Cisco filters upwards of 30 million emails coming to Purdue in a given week and scammers are constantly evolving techniques to defeat filtering. Law of averages suggests at least some problem messages will sneak through. But it’s actually uncommon.

Why does Cisco catch “good” emails?

While Cisco’s filter is good at its job, it will occasionally quarantine messages you actually want, like a job or internship offer. Sometimes legitimate email has qualities that make it look like known junk mail to the filtering system and cause it to be quarantined. This makes it important to remember – Review. Release. Safelist.

  • Every day you receive a Cisco Quarantine email that lists the emails in your quarantine queue. You should always Review this list. (Note: You don’t get a Cisco Quarantine mail if you have no messages quarantined.)
  • You can click the Release link on the left side of the entries in the quarantine list to release a message to your inbox.
  • This also brings up a box with an Add Sender to Safelist button in the lower right corner. Clicking the button will Safelist the message’s sender so mail from them isn’t quarantined in the future. (Even non-Office 365 email from some Purdue sources, such as Athletics and Convocations, may be caught if you don’t safelist them.)

If you are waiting for mail and you think it may have been caught by the filter, you can Review your quarantine and Release messages anytime by clicking the view your email quarantine link that is on the top right of the quarantine list in any Cisco Quarantine email. Messages are held in quarantine for 10 days before automatic deletion.

What can I do?

To avoid being the next one to have your account compromised, keep these three tips from ITaP’s security staff in mind when you check your inbox:

  • Providing personal information (passwords, Social Security numbers, account numbers, and so on) through email (or by phone) in response to an unsolicited request is always a bad idea. Purdue will not ask for your credentials by email. If you receive an email requesting private information, report it to abuse@purdue.edu.
  • Emails containing clickable web links should always be questioned, even if they look like official Purdue email on the surface. Best bet: don’t click email links. If you do, don't enter your password or other information at a website unless you are certain it is a valid. If you are not sure, email abuse@purdue.edu and ask.
  • Never open any attachment sent with an email if you do not know the sender and, even if you do know the sender, are not expecting the attachment from them. If you're unsure, check directly with the person. If they report that they did not send the message, report it to abuse@purdue.edu.

While some phishing emails look legitimate, there are often telltale signs that a message is a scam. Grammar and spelling mistakes are red flags. So are calls for immediate action, including instructions to visit a website and sign in with your Purdue credentials or to open an attachment.

Visit the Secure Purdue website, https://www.purdue.edu/securepurdue/, for more information on staying safe online and keeping your personal data and Purdue's data secure.

Writer: Greg Kline, IT communications manager, Information Technology at Purdue (ITaP), 765-494-8167, gkline@purdue.edu.

Last updated: November 18, 2019