University of California, Riverside


User Best Practices

UCR Community

  • Email Attachments

    A popular use of e-mail is to distribute computer files (i.e., text files, documents, spreadsheets). This is accomplished by "attaching" a file to an e-mail message and then sending the file with the message, to a recipient. Virtually any kind of computer file can be attached to an e-mail message for transport.

    Unfortunately, this functionality creates an opportunity for distribution of malicious files (viruses, worms, and trojans). Older e-mail programs often opened files attached to messages automatically, as a convenience to the user. This caused infections without any user intervention. Newer e-mail programs don't normally open attachments automatically, so other methods have been employed to entice (convince) the recipient to open attachments manually. This is called "social engineering" , an attack designed to make you take an action (in this case, to click on the attachment). Attackers are constantly coming up with new social engineering tactics to trick users into starting (opening) malicious programs.

    Some recent social engineering tactics using e-mail are:

    • Customize the message text ("Dear John, ...")
    • Spoof (forge) the sender name so it appears to be from someone you know
    • Make the message personal
    • Make the message threatening
    • Make the message look official (phishing)
    • make the attachment look harmless

    A recommended best practice is NEVER to distribute an executable program as an e-mail attachment. An attachment that is executable is a program, rather than a text file or a document. It is something that "runs" when you click on it (start it). Methods other than e-mail are available to safely share programs with others (see "Options for Sharing Executable Programs", below).

    How do we know if an attachment is "executable"?

    File names are very important because that is how the computer knows what to do with the file. For example, documents are named with a three-letter extension of ".doc", which the computer knows to most likely use Microsoft Word.Other extensions, such as ".exe" tell the computer the file is a program that will run by itself when its clicked. There are many file types and program associations on every computer. If your computer doesn't know what to do with a file (it has no association), the computer will prompt you to select the correct program to open it.

    Protection from Malicious E-Mail

    To help secure the University's computers, the following protections are being implemented:

    1. All in-coming messages are scanned for known viruses, worms, trojans, etc. If malicious code is detected the entire message is discarded at the campus e-mail gateway. In addition, if a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, it will be discarded. (Examples are encrypted .zip files, and password protected office productivity files.)
    2. Any message that is not a known problem, but has a "dangerous" (executable) attachment, will have the attachment deleted before the message is delivered. Text will be inserted into the message stating the attachment has been removed.
    3. Any message that is not a known problem, which has an attachment that is not considered "dangerous" will be delivered intact. This includes messages with office productivity files (documents, spreadsheets, etc), text files, and other files attached that are not executable.

    Options for Sharing Executable Programs:

    • Place the file on a shared drive, such as your department "L:" drive space, and send the person its location.
    • Place it on a web server and send the person a link to its location (this is what software vendors do).
    • Rename the file so that it does not have a prohibited three-letter extension on its name, and then have the recipient rename the file back after they receive it. (For instance, rename "myprogram.exe" to "" and then attach and send it.)
  • Email "Spoofing"

    Email spoofing refers to email that appears to have originated from one source while actually being sent from another. Individuals who are sending "junk" email or "spam", typically want the email to appear to be from an email address that may not exist. This way the email cannot be easily traced back to the originator.

    All email users are vulnerable to spoofed or forged email. It is easy to spoof email because the fundamental email protocol, SMTP (Simple Mail Transfer Protocol), lacks authentication. If a site has configured the mail server to allow connections to the SMTP port, anyone can connect to the SMTP port of a site and (in accordance with that protocol) issue commands that will send email that appears to be from the address of the individual's choice; this can be valid email address or a fictitious address that is correctly formatted.

    Email spamming refers to the act of sending unsolicited commercial email. If you did not request it or sign up for it and the person sending it to you is attempting to make money, it is spam.

    How Do They Get My Email Address?

    The first source is typically the open display of email addresses. This can either by on web-based message boards, newsgroups, chat rooms. Simply posting a message on a board with your real email address is enough for the site-crawling programs (often called "spiders" or "spambots") to add you to countless spam lists.

    Another source are sites created specifically to attract email addresses. For example, a spammer creates a site that says, "Win $1 million!!! Just type your email address here!" In the past, many large sites also sold the email addresses of their members. Or the sites created "opt-in" email lists by asking, "Would you like to receive email newsletters from our partners?" If you answered yes, your address was then sold to a spammer.

    Probably the most common source of email addresses, however, is when a spammer simply queries an email server with hundreds of thousands of email addresses that vary only by one number or letter. The email server responds, telling them what email accounts are actually in use allowing the spammer to know what addresses are worth selling. As email addresses generally are not private (just like your phone number is not private if it is listed in the phone book), once a spammer gets a hold of your email address and starts sharing it with other spammers, you are likely to get a lot of spam.

    Legislation appears to be the method by which the US will be dealing with spam. The idea being that the U.S. government should set up a national "do not spam" list identical to the national "Do Not Call" list designed to block telemarketers. However, a common belief held by experts in the field is that spammers would merely set up spam servers in foreign countries and actually use the "do not spam" list as a source of fresh email addresses.

    Another solution often posited is an "opt-in" list. Under this proposal, only those people who specifically request spam email would get it. However, the United States congress seems to be heading in the opposite direction, supporting "opt-out" legislation which would leave millions of American computer users, unaware of the consequences, with evn more spam.

    The most effective tactic in the war on spam is the elimination of email in the traditional open sense. Many businesses, government organizations and other entities are being forced to take this approach. Even the White House has been opted to follow this path. Today, if you want to send email to the president of the United States, you do it by filling out an online form .

    Dealing With Spoofed Email

    There is really no way to prevent receiving a spoofed email. If you get a message that is outrageously insulting, asks for something highly confidential, or just plain doesn't make any sense, then you may want to find out if it is really from the person it says it's from. You can look at the Internet Headers information to see where the email actually originated. Remember that although your email address may have be in the From portion of the header, this does not mean that the spoofer has gained access to your mailbox.

    Displaying Internet Headers Information

    To determine the true sender of an email, it is often necessary to check the headers. An email collects information from each of the computers it passes through on the way to the recipient, and this what is stored in the headers:

    1. With the Outlook Inbox displayed, right-click on the message and click on the Options command to display the Message Options dialog box. Internet Headers are best read from the bottom up, as they are added to as the email passes through the system.
    2. Scroll to the bottom of the information in the Internet Headers box, then scroll slowly upwards to read the information about the email's origin. The most important information follows the ?Return-path:? and the ?Reply-to:? fields. If these are different, the email is not who it says it's from.
  • Email "Spamming"

    The State of California, USA has a definition that is nicely summarized by FindLaw in this article (PDF file):

    The statute defines "unsolicited e-mail documents" as "any e-mailed document or documents consisting of advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit" when the documents (a) are addressed to recipients who do not have existing business or personal relationships with the initiator and (b) were not sent at the request of or with the consent of the recipient. (?17538.4, subd. (e).) "

    found on page

    Some examples of spam are:

    • Chain letters
    • Pyramid schemes, including multilevel marketing (MLM)
    • Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
    • Foreign bank scams or advance fee fraud schemes (A frequent example of this is what is termed as the Nigerian 419 scam.)
    • Offers of phone sex lines and ads for pornographic Web sites
    • Offers of software for collecting e-mail addresses and sending UCE
    • Offers of bulk e-mailing services for sending UCE
    • Quack health products and remedies
    • Illegally pirated software ("Warez")

    Unlike junk paper mail, e-mail spam costs the sender very little to send; almost all of the costs are paid by the recipient and the carriers, because the spammer does not have to pay for all the Internet bandwidth tied up in the delivery of the spam. Because they have no incentive to be efficient in their mass e-mailing, spammers usually don't put much effort into verifying e-mail addresses. They "harvest" e-mail address from a number of freely available sources on the internet:

    (Adapted from the Indiana University Knowledge Base on Spam)

    • From your posts to UseNet with your email address.
    • From mailing lists.
    • From your web pages.
    • From various web and paper forms.
    • Via an Ident daemon.
    • From your web browser.
    • From IRC and chat rooms.
    • From finger daemons.
    • AOL profiles.
    • From domain contact points.
    • By guessing.
    • From internet white & yellow pages.
    • By having access to the same computer.
    • From a previous owner of the email address.
    • By using social engineering.
    • Buying lists from others.
    • By hacking into sites.
    • By going to and searching

    (List adapted from )

    Stopping Spam - General Tips & Tricks

    Spam has increasingly become a problem on the Internet, and unfortunately, there are currently no federal and few state laws or regulations to control it, as there are now for telemarketing. Also, there is currently no single definitive technical solution that will stop most spam while still allowing legitimate e-mail through. It is a very frustrating situation for users as well as for technical support personnel. It is a basic fact of Internet life that if you use the Internet, you will get unsolicited e-mail. Every time you communicate on the Internet or browse a Web site, there are opportunities for spammers to intercept your communications to obtain your e-mail address. However, here are some steps you can take to make it more difficult for spammers:

    • Think carefully before you post to an online newsgroup.
    • Subscribe only to essential discussion lists, and ensure that they are moderated.
    • If you are thinking of filling out a form on a Web site, check the site's privacy policy first to be sure it uses secure technology and the company does not share your e-mail address with others. If the site doesn't have a privacy policy that describes this to your satisfaction, consider not using that service.
    • DO NOT REPLY TO ANY SPAM YOU RECIEVE. If you do reply to spam, the spammer or the automated program on the other end will then know that your address is connected to a live person, and the spammer will then bombard you with even more spam, and circulate your address to other spammers.
    • Setting up your e-mail account to generate automatic responses while you are away can have the unfortunate side-effect of verifying your e-mail address to every spammer that sends you spam while you are out of the office.
    • Every time you are asked for your e-mail address verbally or on paper (for example, when purchasing an item over the phone, registering to join a club, or filling out a warranty form), think carefully about whether or not you want to receive any information from the company or organization. In general, it is best to decline to provide your e-mail address. Such a choice is referred to as "opting-in", because you are explicitly choosing whether to participate.
    • If you post to newsgroups or bulletin boards, spend time in chat rooms or an online service that displays your address, or post to unmoderated LISTSERV or discussion lists, you may wish to consider opening an e-mail account on a free service and using that address when doing these potentially spam-inducing activities. Then your university account would not be as affected by spam.
    • If you have your e-mail address listed on a Web page, you should also consider opening a free account.
    • If you must list e-mail addresses on your Web site, another option is to present the addresses in a way that makes them less vulnerable to collection and abuse by spammers.
    • You might consider using the custom filtering features that most e-mail programs provide.
    • Adjust the security settings in your Web browser. For a higher level of security, have your browser disallow: accepting cookies, listing your name and other personal information in your browser profile, and filling in form fields for you. This will help reduce the amount of personal information transmitted to sites. The tradeoff is that you won't be able to surf the Web as easily, since many sites require you to accept cookies.
    • Do not contribute to the spam problem by producing any of it yourself! In particular, educate yourself about chain mail and do not forward chain mail to others. Also, if you receive an e-mail message that appears to warn of some horrible thing happening (a virus that reportedly deletes all your files, for example) or is a touching sob story (about helping to save a poor sick girl or boy, for example), be suspicious. Nearly every instance of such e-mail is a hoax. The message may even come from someone you know and respect, but that person is probably not aware that it's a hoax and may have forwarded it believing it is real. Educate yourself about hoaxes and the sites available to verify hoaxes. Do not forward hoax messages to others.

    (Adapted from the Indiana University Knowledge Base on What can I do to avoid receiving spam e-mail?)

    What should I do when I get spam e-mail?

    • You can simply delete the message and forget about it. If you are only receiving a negligible amount of spam, this is an acceptable solution; however, deleting spam can become a burden when it reaches such a rate that you must spend a significant part of your work day dealing with it. This is the method recommended by your UGA Abuse Team.
    • You can configure filters in your e-mail software to automatically delete the next message from the same source. This is useful when one particular spammer is annoying you. But be aware that spammers generally use free accounts from Internet service providers (ISPs) like AOL, Yahoo!, and Hotmail, which they use to send spam and then abandon, moving on to another account. If they don't voluntarily move on to a new account, they are forced to as complaints come in immediately to the ISP, and a reputable ISP then cancels the account immediately. Thus, a spammer's e-mail address may change quite often, which makes filtering on an address difficult, unless you are able to filter out the whole ISP. You may not be able to do this if you receive e-mail from others who use that ISP legitimately.
    • You can report it to the correct authorities. Be aware, however, that the authorities may not be able to locate and stop the spammer, or they may be able only to locate and stop the spammer's use of that particular e-mail account. Also, the spammer will likely move on to a new account and start over again. But constant complaints to their ISPs are really the only negative consequences to sending unsolicited mass mailings that spammers have to deal with, so if you would like to add your voice to the protest, follow the appropriate directions below.

    Reporting Spam

    When reporting spam, you must include the full headers of the spam you received, because all the regular header fields can be forged.

    You should report spam to different authorities depending on the type. In all cases you will need to provide full headers from the e-mail to the reporting authority. provides an excellent site for explaining to retrieve full headers from many common e-mail clients: Nigerian bank scams or advance fee fraud schemes

    These messages usually state that a reputable foreign company or individual is needed for the deposit of an overpayment on a procurement contract. In variations of this scheme, the son or daughter of a murdered official may plead for your assistance in depositing an inheritance in a US bank. Report these directly to the US Secret Service. To do so, forward the message with full headers to . For more information on advance fee fraud, see:

    Pyramid, Ponzi, or multilevel marketing schemes

    These are the messages that often tell you that you can make $30,000 in 30 days. All three schemes are similar in that they are based on the idea that you can receive money by investing money or getting other people to join. Report these types of messages directly to the Federal Trade Commission (FTC). To do so, forward the message with full headers to .

    Harrassing or Threatening E-mail

    Sometimes you may have difficulty determining if a message is spam or if it's targeted directly at you. If you receive e-mail that harrasses or threatens you please call Campus Police at immediately.

    All other types of spam

    If you wish to pursue action on any other spam you have received, you can send a complaint to the ISP from which the spam originated. More than likely, many others have also complained. If the spammer did not abandon the account immediately after the unsolicited mailing, the flurry of complaints will probably cause a cancellation of the account.

    Be sure you're sending it to the proper ISP; often, the message headers will be forged so the message appears to come from somewhere other than its true origin. Reading and understanding full headers to determine the original ISP can be quite complicated. There are several resources available on the Web if you are interested in becoming more knowledgeable in this area, for example:

    (Adapted from the Indiana University Knowledge Base on What should I do when I get spam e-mail?)

  • Email "Phishing"

    Phishing is an email trick. You receive an email that seems to be from a legitimate business or organization, or pretends to provide very useful information; however, it turns out that the sender is only trying to trick you into giving personal information (like a credit card number or social security number). The email will try to appear as official as possible by using actual logos and addresses of legitimate businesses.

    What can you do about it?

    1. Delete the suspect email.
    2. Resist the urge to reply with any personal information.
    3. Never click on any links in the suspicious email.
  • Information Security in the Workplace

    Information security controls are not effective unless they're combined with users who know their responsibility to protect information privacy and confidentiality, take the recommended precautions seriously, and don't attempt to "get around " the rules of good security practices.  Here are some examples of good and bad practices:

    Accounts and Passwords

    DoDo Not
    Choose a password that can't be guessed - e.g., an acronym for a simple phrase with numbers randomly inserted works well Let anyone else login with your account and password
    Change your password 2-4 times per year Share your password with anyone (NEVER give out your password over the phone, not even to the Help Desk!)
    Logoff when you leave for the day Write your password down & stick it under your keyboard or mouse-pad, on your monitor, or in your pencil drawer
    Use desktop locking during the day, e.g., a screen saver with password, or a lock workstation function.  See Best Practices web page (url below) for instructions. "Save this Password " in your browser  (Anyone with access to your workstation could impersonate you.)
    Change your password if you think someone may have learned (seen, heard) it Look up sensitive information for others who are not authorized

    E-Mail Security

    DoDo Not
    Install and use anti-virus software, and keep it updated (daily or weekly) Open (click on) attachments or links sent to you from unknown sources
    Make sure the text of a note references the attachment and its purpose before opening it, and you know or have verified the sender Keep old e-mail messages forever
    Consider e-mail a "postcard " - it is NOT private unless encrypted (scrambled) Send ids & passwords or other sensitive data in an email message
    Report obscene e-mail messages, and any messages that ask you for personal information Send harassing, threatening, abusive, insulting or offensive messages
    Delete all unsolicited advertising e-mail without replying to it.  (Instructions to "remove you " will often backfire!)

    Send personal information, e.g., your name, account numbers, address, phone, or pictures of yourself to anyone you do not know personally


    Physical Security

    DoDo Not
    Question or report strangers in your area to your supervisor or to building security (...Can I help you?) Leave confidential documents out on your desk, or on a shared printer
    Lock your workstation, keyboard when you leave work for the day Store backups in an unlocked place
    Make backup copies of important documents and files on your workstation Let others borrow your keys or University ID card to get into a secured area, or follow you into a secured area without ID

    Handling Sensitive Information

    DoDo Not
    Share files with authorized personnel only Gossip or share with others sensitive information you have access to
    Obtain permission for secondary use of data (Uses other than originally approved) Look up confidential information for co-workers who do not have the access without supervisor approval
    Remove all confidential or sensitive data from your workstation before it leaves your control (To go to surplus or as a dept hand-me-down) Store your confidential files on public or unsecured network file servers
    Protect saved or printed reports that represent sensitive or confidential data Throw confidential reports in the trash without shredding them first

    Copyright, Fair Use and Piracy

    DoDo Not
    Use excerpts with appropriate attribution ( "fair use ") Use your co-worker's computer disks to install software programs unless you have a license
    Install and use the software licensed for everyone at the University ( "site-licensed ") Copy or share "free " music or video files that you would reasonably expect to pay for (e.g., feature films, music CD's, e-books)
    Install and use software purchased by your department for your use Copy software to take home with you
  • Social Security Number Don'ts

    Social Security Number Don'ts

    To prevent identification theft, be sure to follow the following suggestions.

    1. Don't write down or give out your SSN to anyone, without first checking to see if it is absolutely nessary
    2. Don't carry your Social Security card with you
    3. Don't have your SSN (or telephone number) printed on your checks
    4. Don't use your SSN on your driver's license (ask your state for another number instead)
    5. Don't give your SSN to anyone online, whether you know them or not
    6. Don't e-mail your SSN to anyone
    7. Don't store your SSN on your computer
    8. Don't apply for credit online that asks for your SSN
    9. Don't use your SSN as a password
  • Useful Links for Protection Against Malware

    Use the following links to further your knowledge of Malware, Spam and other items:


    New vulnerabilities and threats are reported every day. The hard part is not reporting them, but figuring out which ones matter and what to do about them. These alerts tell you what you need to know:

    Discussion Lists

    Non-University Related Virus E-Mail Lists:

    Hoaxes, Urban Legends, Etc.


    • About.Com: Antivirus Software - Everything antivirus, from your guide. Vendor and virus information, history and future of computer viruses.
    • CERT® Coordination Center - The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University . We study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site.
    • F-Secure Computer Security Information Center - This service is provided by the F-Secure Anti-Virus Support Team. The database is updated several times a week.
    • F-Secure Virus: Descriptions of Viruses in the Wild - This is a cooperative listing of viruses reported as being in the wild by 64 virus information professionals.
    • - This web site was created to help people understand today's computer viruses and assist them in cleaning their own systems. Questions are answered using a Q & A format with straightforward terminology.
    • Network Associates Virus Information Library - More than 50,000 viruses exist today. Network Associates Virus Library has detailed information on where viruses come from, how they infect your system, and how to remove them.
    • Symantec Antivirus Research Center - SARC is committed to providing swift, global responses to computer virus threats, proactively researching and developing technologies that eliminate such threats and educating the public on safe computing practices.
    • Virus Bulletin - Virus Bulletin is the technical journal on developments in the field of computer viruses and anti-virus products.
    • Trend Micro's Virus Primer

    Online Scanning

    • Panda Software Center for Virus Control:  Active Scan - Panda ActiveScan is FREE and works through your Internet browser. Scan your system for viruses anytime on demand. And Panda ActiveScan is automatically updated each day with the latest virus definitions.
    • Symantec Security Check - Symantec Security Check is a free service designed to help you understand your computer's exposure to online security intrusions and virus threats.
    • Trend Micro's HouseCall - HouseCall can only detect viruses already on your system at the time of your visit. It offers a quick and easy check-up. HouseCall requires Internet Explorer (version 4.0 or later) or Netscape (version 3.01 or later).


    • EICAR Online - Eicar combines universities, industry and media plus technical, security and legal experts from civil and military government and law enforcement as well as privacy protection organisations whose objectives are to unite efforts against writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks, inclusive malicious exploitation of personnel data, based on a code of conduct.
    • The WildList Organization International - The mission of the Wildlist Organization is to provide accurate, timely and comprehensive information about "In the Wild" computer viruses to both users and product developers.

    Other University Virus Information Sites

    Search for Virus Information

    Software Updates & Patches

    Microsoft Windows
    • Microsoft Windows Update - Windows Update is a catalog of fixes, updates, and enhancements to Windows and many programs that work with Windows.
    • Microsoft Office Product Updates - Find the latest Office product updates for this computer.
    • Microsoft Baseline Security Advisor - MBSA runs on Windows 2000 and Windows XP systems and will scan for missing hotfixes and vulnerabilities in the following products: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002.
    • Microsoft Security - The Microsoft Security site has a wide range of security content, prominent links to security information across, and pointers to the latest automated updating tools.
    Apple Macintosh

    Tips and How-Tos

    • About.Com: Tips for Safer Computing
    • F-Secure: Instructions to make your computer immune to VBS script attacks. - This pages gives instructions on how to either remove Windows Scripting Host from your machine or to disassociate *.vbs files from Windows Scripting Host.
    • How to Stay Virus, Worm and Trojan Free - Without Anti-Virus Software - There's no doubt that anti-virus software is here to stay but there are many things that can be done to prevent or reduce the risk of virus infection and the subsequent effects of such an infection. There are a host of working procedures and policies and some software alternatives that have the potential to greatly reduce your risk levels.
    • Trend Micro's Safe Computing Guide - To reduce the risk of virus infections, and of inadvertently triggering or spreading them to other people, Trend Micro would like to share some easily implemented "safe computing" practices. Put these into effect on your machine today and they will help keep you using today's advanced computer information access technology without falling prey to viruses and other malicious code!

    Tools & Utilities

    Virus Calendars

    • AVERT Research Center - Virus Calendar - The viruses shown below can infect a system 365 days a year. But on the payload dates designated on this calendar, the viruses may do more than just infect you. While these payloads may just be a nuisance, some may severely damage your system.

    Virus Glossary


  • 10 Steps to Protect Yourself from Identity Theft

    The following 10 Steps will help you protect yourself from identity theft

    1. Cancel unused credit cards (cutting them up is not enough).
    2. Don't carry your Social Security card, passport, or birth certificate with you, except when necessary.
    3. Shred all credit card receipts and solicitations, canceled checks and financial documents before throwing away.
    4. Check your credit card statements and immediately report unauthorized purchases.
    5. Don't give out your Social Security number, mother's maiden name, or any account information over the phone, unless you are sure the caller is legitimate. Adopt a "need to know" approach to your personal data.
    6. Order credit reports once a year from one of the credit-reporting agencies: Equifax 800-525-6285; Experian 800-301-7195; Trans Union 800-680-7289. Report any accounts you did not apply for.
    7. Have your name removed from lists sold to companies offering pre-approved credit cards by calling one of the credit agencies above.
    8. Never include your Social Security number on personal checks and only release your Social Security number when absolutely necessary. If a business requests it for identification, ask to have an alternative number used.
    9. Never write down PINs and passwords: memorize them. Do not use any part of your Social Security number, your name or any easy to guess words or sequences.
    10. Install a locked mailbox at your residence.

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541