Stolen passwords can make a real mess

On Sept. 3 and 4, Cornellians found their messages to AOL and some other systems failing to arrive. Someone had sent about 330,000 spam messages using a Cornell e-mail account, which caused several ISPs to block or slow down e-mail from Cornell. AOL addresses were blocked until the following morning.

Then, at the end of September, large volumes of spam were sent from 17 Cornell e-mail accounts, forcing Cornell Information Technologies (CIT) to change the passwords for those NetIDs.

We hear a lot about compromised PCs used to send out spam and viruses. But in this case the problem was not hacked computers but stolen NetID and password combinations. "Compromised NetIDs are a bigger spam problem than compromised computers," said Tom Young, interim director of CIT's IT Security Office.

Spammers can use your NetID and password to send mail, either by connecting directly to a Cornell e-mail server or using Webmail, so they are able to hijack Cornell servers to do their dirty work. Malicious individuals can also use stolen NetIDs and passwords to log into or disrupt other services, including some that hold sensitive information.

NetIDs and passwords are commonly stolen through "phishing" e-mail scams. An official-looking e-mail says your e-mail account is over quota or needs to be re-registered by clicking on a link in the message. The message is in HTML format, which means that what you see on the screen is not the actual text. A link that looks like http://citmail.cornell.edu may actually go to http://someplace.else.co.za. (The .za in this example means the site is in South Africa, probably on a compromised computer; the scammers may actually be in St. Louis.) The link takes you to what looks like a real Cornell Web page where you are asked to log in with your NetID and password. The 17 people whose accounts were appropriated at the end of September were fooled by a perfect replica of the standard Cornell CUWebLogin dialog.
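The HTML trick described above can be checked for mechanically. The following Python is an added example, not code from the article or from CIT: it parses every link in a message body and flags anchors whose visible text names one host while the href points to another. The sample message is constructed for illustration and reuses the placeholder domain the article itself gives.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body, modelled on the article's description; not a real phish.
SAMPLE_HTML = """
<p>Your CIT mailbox is over quota. Re-register within 24 hours at
<a href="http://someplace.else.co.za/cuweblogin">http://citmail.cornell.edu</a>
or read the policy at <a href="https://www.cit.cornell.edu/security/">www.cit.cornell.edu</a>.</p>
"""


def _host(text):
    """Lowercase host named by a URL or bare domain, or None if text is not one."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def mismatched_links(html):
    """Return (shown_host, real_host) pairs where the link text names one host
    but the href actually goes to another; an empty list means no mismatch."""
    parser = LinkCollector()
    parser.feed(html)
    pairs = ((_host(text), _host(href)) for href, text in parser.links)
    return [(shown, real) for shown, real in pairs if shown and real and shown != real]
```

Running `mismatched_links(SAMPLE_HTML)` flags the first anchor (text says citmail.cornell.edu, href goes to someplace.else.co.za) and passes the second, whose text and target agree.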

A disproportionate number of people who fall for phishing scams are located off-campus, including Cornell Cooperative Extension agents, retirees and emeritus faculty. These people are often more susceptible because they don't have someone they can easily turn to and ask whether an e-mail message purporting to be from Cornell is legitimate, so they play it safe and answer the message. "These schemes play on people's fears," noted Young.

Many phishing messages contain misspelled words or look like they were written by someone just learning English, but some scammers are more sophisticated. One message announced quite convincingly that users needed to "validate" their accounts to help combat spam.

"CIT is looking into better approaches to blocking phishes and to protecting our e-mail system from the impact of a stolen NetID," said Young.

Meanwhile, CIT faces a Catch-22. They can stop the spam by changing the password for the stolen account, but then they can't notify the user by e-mail.

"We hate the inconvenience we cause when we change someone's password," Young explained, "but we're caught between a rock and a hard place. We have to protect the integrity of university operations, even if it means disrupting an individual's ability to access the campus services that require a NetID."

In addition to scams directed at Cornellians, you should still expect to get phishing messages purporting to be from PayPal, your bank, your credit card company, maybe even the federal government. Don't trust any such message.

For more on the most recent Cornell NetID scam go to http://www.cit.cornell.edu/news/article.cfm?id=117765. For more information about NetID theft go to http://www.cit.cornell.edu/security/identity/netidtheft/index.cfm.


Media Contact

Joe Schwartz