Computing Services Addresses Recent Email Abuse

On Friday, April 5, 2002, unsolicited mail was sent to some number of students, faculty and staff at Carnegie Mellon. The message, with the subject "To the wonderful people of Carnegie Mellon University," appears to have been sent by a person named "Nathan Damianos" and was also sent to faculty, staff and students at the University of Pittsburgh.

The message to Carnegie Mellon users stated that email addresses were retrieved from the online directory at http://www.cmu.edu/directory. Messages sent to the University of Pittsburgh cited their directory as the source.

Please do not send mail or call the Help Center regarding this incident. Doing so will only hinder our efforts to address this issue, as well as other computing questions and problems. We are fully aware of the issue and details of our actions to address it are outlined below.

We have verified that the sender did, in fact, harvest email addresses from the Carnegie Mellon Directory and we have taken the following steps to address this issue:

  1. We will notify the sender's Internet Service Provider (ISP) to inform them of the activity. If mass-mailing is prohibited by the ISP's acceptable use policy, the sender's account may be suspended.

  2. We have temporarily removed email addresses and phone numbers from the multiple search results lists in the online directory (in other words, the list of people that match your search criteria, like "bennett"). While email addresses and phone numbers are still available for individual listings, it is likely that people intending to collect this information from the directory would do so from the lists of users that match a particular search pattern.

    In fact, the person who harvested the directory conducted over 5,000 searches to do so. Removing email addresses from the multiple search results list would make it necessary for someone to conduct over 750,000 searches to generate the same list.

  3. We have placed an "Acceptable Use" statement on all online directory web pages. This gives us some recourse in the event that we find someone has retrieved information from the directory for the purpose of sending unsolicited mail.

At this time, we do not have plans to remove email addresses from the directory entirely. Email addresses will still be available when a specific person is selected from the search results. The purpose is to allow colleagues and partners at other universities and corporations to contact us easily. To restrict access to the directory as a reaction to one unfortunate incident would adversely affect the many people who use the directory each day for legitimate reasons.

We are exploring other ways to reduce the chance of incidents like this occurring again. However, a solution that would stop this sort of activity, while allowing legitimate use by people outside the Carnegie Mellon community, is our primary goal.
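As an added illustration (not Computing Services' own tooling), the sketch below shows how a harvesting run of thousands of searches stands out in web server logs: one client issuing many search requests, nearly all with different terms. The log format, the `/directory/search` path, the `search` parameter and both thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client, identity, user, [time], "GET target proto", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d{3} \S+$')

def find_bulk_searchers(lines, search_path="/directory/search", param="search",
                        min_requests=100, min_distinct_ratio=0.9):
    """Return {client: (requests, distinct_terms)} for clients whose search
    volume and term variety look like enumeration rather than normal lookups."""
    stats = defaultdict(lambda: {"requests": 0, "terms": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or non-GET lines
        client, target = m.groups()
        url = urlsplit(target)
        terms = parse_qs(url.query).get(param)
        if url.path != search_path or not terms:
            continue  # not a directory search
        stats[client]["requests"] += 1
        stats[client]["terms"].add(terms[0].lower())
    flagged = {}
    for client, s in stats.items():
        ratio = len(s["terms"]) / s["requests"]
        # High volume alone is not enough: a browser reloading one query is
        # noisy but collects nothing new, so also require varied terms.
        if s["requests"] >= min_requests and ratio >= min_distinct_ratio:
            flagged[client] = (s["requests"], len(s["terms"]))
    return flagged

def constructed_sample():
    """Constructed log lines using documentation-reserved IP addresses."""
    fmt = ('{ip} - - [05/Apr/2002:09:00:00 -0500] '
           '"GET /directory/search?search={q} HTTP/1.0" 200 4096')
    bulk = [fmt.format(ip="192.0.2.10", q=f"t{i:03d}") for i in range(500)]
    normal = [fmt.format(ip="198.51.100.7", q=q)
              for q in ("bennett", "bennett", "smith")]
    reloads = [fmt.format(ip="203.0.113.5", q="bennett")] * 150
    return bulk + normal + reloads

if __name__ == "__main__":
    for client, (reqs, terms) in find_bulk_searchers(constructed_sample()).items():
        print(f"{client}: {reqs} searches, {terms} distinct terms")
```

Thresholds need tuning against normal traffic so that legitimate heavy users, such as a departmental office, are not flagged.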

The easiest way for people to collect email addresses for mailing lists is to crawl the web looking for links whose HREF attribute begins with "mailto:". If your email address appears on a web page as a clickable "mailto" link, it is a great deal more likely to generate junk mail than the online directory. The online directory cannot be browsed, so specific queries need to be developed to find addresses. Also, we do not display email addresses in the directory as mailto links.