University email systems fooled by fake emails to students

ALL STUDENTS have been sent a series of fake emails purporting to be from the Union’s Communications Manager.

The emails, which were sent to the Students’ Union mailing list, pretend to be from [email protected] – the address of the Communications Manager.

But they were actually sent from a website that allows a person to “spoof” an email address – so they can send an email from an address they do not control.

Emails can only be sent to the SU mailing list by a handful of authorised users – but by pretending to be one of those users, anyone can access the list.

The University’s servers are supposed to check that the email does actually come from an authorised user, but they only do this by checking the “from” address – even though this is very easy to fake.

The full headers on the emails show that they were sent from a private website that allows emails to be sent with false “from” addresses, and that the University’s servers failed to notice that the website was outside the University’s domain, aber.ac.uk.
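A list server can close this gap by requiring that an authorised “from” address is backed by an SPF or DKIM pass for the same domain, as recorded by its own border mail server. The Python below is an added illustration, not code from this article or from the University; the domain, addresses and server name are placeholders, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: placeholder sender, domain and authserv-id.
AUTHORISED_SENDERS = {"comms@union.example"}
TRUSTED_AUTHSERV_ID = "mx.union.example"

def aligned_auth(msg, from_domain):
    """Return 'spf' or 'dkim' if that check passed for from_domain, else None."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue  # only trust results stamped by our own border server
        for clause in results.split(";"):
            m = re.match(r"\s*(spf|dkim)=pass\b", clause, re.I)
            d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s;@]*@)?([^\s;]+)",
                          clause, re.I)
            if m and d and d.group(1).lower() == from_domain:
                return m.group(1).lower()
    return None

def may_post(raw_message):
    """Decide whether a message may go to the list: (allowed, reason)."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr not in AUTHORISED_SENDERS:
        return False, "sender not authorised"
    method = aligned_auth(msg, addr.rpartition("@")[2])
    if method is None:
        return False, "authorised From address but no aligned SPF/DKIM pass"
    return True, f"authenticated via {method}"

# Constructed samples: same "From" line, different authentication results.
SPOOFED = (
    "From: Communications Manager <comms@union.example>\n"
    "To: all-students@union.example\n"
    "Authentication-Results: mx.union.example;\n"
    " spf=pass smtp.mailfrom=bounce@webmailer.example; dkim=none\n"
    "Subject: constructed sample\n\nbody\n")
GENUINE = (
    "From: Communications Manager <comms@union.example>\n"
    "To: all-students@union.example\n"
    "Authentication-Results: mx.union.example;\n"
    " spf=pass smtp.mailfrom=union.example; dkim=pass header.d=union.example\n"
    "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    print(may_post(SPOOFED))
    print(may_post(GENUINE))
```

For this check to hold, the border mail server must remove any incoming Authentication-Results header that already carries its own name before adding its verdict.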

There is no indication that any email accounts or servers were hacked in the process, or that any personal data was put at risk at any time.

The first email read:

DON’T STUDY!
VOTE NOW!
LIKE THE FACEBOOK!
GET DRUNK!

OORAH IF YOU LIKE WASTING MONEY AND DISGRACEFUL STAFFING.

Another email read “Let’s all get smashed tonight and end up on Aberystwyth Confessions!”, and included a motivational-style image of two women in underwear.

The last email contained what appeared to be an apology:

SORRY GUISE

DID NOT EXPECT IT TO WORK

THOUGHT AT 9K A YEAR THEY WOULD GIVE US RELIABLE EMAIL

WELL THIS IS WHAT YOU GET WHEN YOUR UNIVERSITY IS MORE CONCERNED WITH STUDENT
‘SATISFACTION’ AKA DRUNKENNESS THAN ACTUALLY CREATING GOOD GRADUATES