Email from TU Graz?

You think you have received an email with spam or malware etc. from TU Graz?
Of course this is possible, but it is quite unlikely. So far, apart from a few emails sent via phished accounts, all such emails had a forged sender, i. e. they were not sent from TU Graz at all.

Did someone complain that you sent him an email with spam or viruses?
Of course, your computer could be infected with "malicious code" or malware (= viruses, Trojans, worms, …) and be sending emails without you noticing, but it is more likely that some other system is simply using your email address as the sender address (without a digital signature, forging the sender address is very easy!).

Even if you receive an email that you are not sure really comes from TU Graz: if possible, analyze the header yourself (see below) or ask your IT officer. If they are unsure, they can also ask the postmaster: asking once too often does less harm than passing on too much data once too often!

Since Oct. 1st 2021 we have SPF/DMARC activated, i. e. email servers that support it will no longer accept emails with forged TU Graz addresses, or will only accept emails with TU Graz sender addresses if they were sent via the relay servers of TU Graz. If you nevertheless send emails with a TU address via an external server by mistake, you will receive a warning from mailgate@tugraz.at.

You Seem to be the Sender Yourself?

Again and again, in waves, addresses of Graz University of Technology are misused as sender addresses in spam emails. This is exactly what SPF/DMARC is for. If you receive complaints, please inform the complainants that their provider should use SPF/DMARC.

However, if the analysis of the email header shows that the email was indeed sent via one of the SMTP servers of Graz University of Technology, please contact ZID immediately, because this means that an account of Graz University of Technology (not necessarily your own) has been taken over.

Example of a Part of an Email Header

Example for a Fake Email

Received: from [some IP address] (helo=something.tugraz.at)
 by some host with smtp (some MTA)
…
Received: from some other server ([some other address]) 
 by some other host with …
Reply-To: <something@sonething.tugraz.at>
Date: …
Message-ID: <some (invalid) message ID>
From: <something@something.tugraz.at>
To: <your@mail.address>
…

Example for a Real Email from TU Graz

The lowest Received: lines in the header should then look like the following examples.

Sent via Exchange

internal
Received: from MBX00n.tugraz.local (129.27.x.y) by MBX00n.tugraz.local
 (129.27.x.y) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1466.3 via Mailbox
 Transport; Mon, 7 Jan 2019 09:13:37 +0100
Received: from MBX00n.tugraz.local (129.27.x.y) by MBX00n.tugraz.local
 (129.27.48.76) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1466.3; Mon, 7 Jan 2019
 09:13:36 +0100
Received: from MBX00n.tugraz.local ([fe80::2861:8e5:5ef1:50a0]) by
 MBX00n.tugraz.local ([fe80::2861:8e5:5ef1:50a0%3]) with mapi id
 15.01.1466.003; Mon, 7 Jan 2019 09:13:36 +0100

external
Received: from exchange.tugraz.at (exchangelg.tugraz.at [129.27.2.220])
	by mailrelay.tugraz.at (Postfix) with ESMTPS id 43Yq2G5T7lz3wGN
	for <your address>; Tue,  8 Jan 2019 11:56:38 +0100 (CET)
…
Received: from MBX00n.tugraz.local (129.27.x.y) by MBX00n.tugraz.local
 (129.27.48.76) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1466.3; Tue, 8 Jan 2019
 11:56:38 +0100
Received: from MBX00n.tugraz.local ([fe80::a006:9678:a370:a44b]) by
 MBX00n.tugraz.local ([fe80::a006:9678:a370:a44b%2]) with mapi id
 15.01.1466.003; Tue, 8 Jan 2019 11:56:38 +0100

Sent via our SMTP Server

Received: from whatever.host (whatever.host [a.b.c.d])
	by mailrelay.tugraz.at (Postfix) with ESMTPSA id 43YpF30Lpjz1DDZ1
	for <your address>; Tue,  8 Jan 2019 11:20:54 +0100 (CET)

Sent via some Server at TU Graz

Received: from server.tugraz.at (server.tugraz.at [129.27.x.y])
	by mrelay.tugraz.at (Postfix) with ESMTPSA id 43Y78w4wTKz2XXls
	for <your address>; Mon,  7 Jan 2019 09:00:00 +0100 (CET)
…
Received: by server.tugraz.at (some MTA, from userid nnn)
	id 5B1F0AA2216; Mon,  7 Jan 2019 09:00:00 +0100 (CET)

Examine the Header of the Fake Email More Closely

  • The From: (and possibly also the Return-Path:) lines can be forged with almost any email client; as long as DKIM (RFC 4871), SPF etc. or digital email signatures are not widely used, do not trust any unsigned email!
  • In the first Received: line you can see that the name "something.tugraz.at" was announced by the sending client with the HELO command. A receiving server typically records this helo= entry only when the announced name does not match what it can verify about the connecting host, so it is already a hint that the name was forged. But even if you do not see a helo entry, check the IP address.
    The IP range of TU Graz ("TUGnet") is 129.27.* (129.27.0.0/16).
  • The last Received: line in the header (i. e. the one just before the content, which of course can also contain Received: as plain text!) shows you, unless it has also been faked, which is relatively difficult, where the email actually comes from. Contact the postmaster or the abuse team of that system, not us, because there is nothing we can do about it!
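The three checks above (sender domain, helo= entry, and the origin of the lowest Received: line against the TUGnet range) as an added Python example; this is not code from the TU Graz page or from ZID. The two sample headers are constructed for the example and modelled on the page's fake and Exchange examples: mx.example.net, 203.0.113.45, 129.27.2.10 and the message ids are placeholders, only 129.27.2.220 (exchangelg.tugraz.at) and the TUGnet range are taken from the page.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# IP range of TU Graz ("TUGnet"), as stated on the page.
TUGNET = ipaddress.ip_network("129.27.0.0/16")

# Candidate IPv4/IPv6 tokens; non-addresses that look similar (times such as
# 09:13:37, version numbers) are rejected by ipaddress.ip_address() below.
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)")

# Constructed samples modelled on the page's examples (not real messages).
FAKE_SAMPLE = """\
Received: from [203.0.113.45] (helo=something.tugraz.at)
 by mx.example.net with smtp (Exim 4.94) id 1abc-0001-XY;
 Mon, 7 Jan 2019 09:13:37 +0100
Reply-To: <something@something.tugraz.at>
From: <something@something.tugraz.at>
To: <you@example.net>
Subject: constructed sample

Received: this is body text and must be ignored
"""

GENUINE_SAMPLE = """\
Received: from mailrelay.tugraz.at (mailrelay.tugraz.at [129.27.2.10])
 by mx.example.net (Postfix) with ESMTPS id 9A8B7C6D5E
 for <you@example.net>; Tue, 8 Jan 2019 11:56:39 +0100 (CET)
Received: from exchange.tugraz.at (exchangelg.tugraz.at [129.27.2.220])
 by mailrelay.tugraz.at (Postfix) with ESMTPS id 43Yq2G5T7lz3wGN
 for <you@example.net>; Tue, 8 Jan 2019 11:56:38 +0100 (CET)
Received: from MBX001.tugraz.local ([fe80::a006:9678:a370:a44b]) by
 MBX001.tugraz.local ([fe80::a006:9678:a370:a44b%2]) with mapi id
 15.01.1466.003; Tue, 8 Jan 2019 11:56:38 +0100
From: <someone@tugraz.at>
To: <you@example.net>
Subject: constructed sample
"""


def _is_tugraz_name(name):
    name = name.lower().rstrip(".")
    return name == "tugraz.at" or name.endswith(".tugraz.at")


def _ips_in(text):
    """All parseable addresses in a fragment, skipping Exchange-internal
    link-local (fe80::) and loopback addresses."""
    found = []
    for cand in _IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if not (ip.is_link_local or ip.is_loopback):
            found.append(ip)
    return found


def parse_received(raw_message):
    """One dict per Received: header, in header order: index 0 is the last hop
    (added by your own server), the final entry is the first hop.  Only real
    headers are parsed, so a 'Received:' string in the body is ignored."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        line = " ".join(value.split())            # unfold continuation lines
        client_part = line.split(" by ", 1)[0]    # "from <client> ..." before "by"
        helo = re.search(r"\bhelo=([^\s)]+)", client_part, re.IGNORECASE)
        ips = _ips_in(client_part)
        hops.append({"raw": line,
                     "helo": helo.group(1) if helo else None,
                     "client_ip": ips[0] if ips else None})
    return hops


def analyse(raw_message):
    """Does From: claim tugraz.at, where does the earliest hop really come
    from, and was a tugraz.at HELO name announced from outside TUGnet?"""
    hops = parse_received(raw_message)
    _, from_addr = parseaddr(message_from_string(raw_message).get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    claims_tugraz = bool(from_domain) and _is_tugraz_name(from_domain)
    # Earliest hop with a usable client address is where the mail actually came from.
    origin_ip = next((h["client_ip"] for h in reversed(hops)
                      if h["client_ip"] is not None), None)
    origin_in_tugnet = origin_ip is not None and origin_ip in TUGNET
    helo_suspects = [h["helo"] for h in hops
                     if h["helo"] and _is_tugraz_name(h["helo"])
                     and not (h["client_ip"] is not None and h["client_ip"] in TUGNET)]
    if claims_tugraz and origin_in_tugnet:
        verdict = "sent via a TU Graz system: contact ZID (possible account takeover)"
    elif claims_tugraz and origin_ip is None:
        verdict = "claims a TU Graz sender but no usable origin address found"
    elif claims_tugraz:
        verdict = "sender forged: origin outside TUGnet, report to that network's abuse contact"
    else:
        verdict = "does not claim a TU Graz sender"
    return {"from_domain": from_domain, "claims_tugraz": claims_tugraz,
            "origin_ip": str(origin_ip) if origin_ip is not None else None,
            "origin_in_tugnet": origin_in_tugnet,
            "helo_suspects": helo_suspects, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("fake", FAKE_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, analyse(sample))
```

Run it on a saved message (`analyse(open("mail.eml").read())`) to get the same verdict the bullets above lead to by hand: a tugraz.at sender whose earliest hop is outside 129.27.0.0/16 is a forgery to report to that network's abuse contact, while one whose earliest hop is inside TUGnet is a case for ZID.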