Brock University’s Anti-spam Filter System
In order to provide improved e-mail service to Brock University’s e-mail users, Information Technology Services has upgraded the anti-spam filter software and the physical servers on which it runs. This upgrade should be transparent to most users, with the exception of the identification of more spam than the previous system was capable of doing. Some of the enhancements to the system are:
- Updated the anti-spam software packages to the latest versions. The new software can be a bit more aggressive than the old ones, so all users with a personal spam score that is less than 5 (the default value) will find that their spam score has been reset to 5. This has been done to prevent e-mail that is probably legitimate from being marked or blocked as spam. You can re-adjust you spam score to suit your needs.
- Added an automatically updated list of known spam source addresses to the spam filter rule set. This list will help to limit the amount of spam that is passed through the anti-spam filter by identifying messages from known spam sources and increasing the spam score of these messages accordingly.
- Updated Brock University’s custom spam filter rules and fixed known issues with them.
- Updated the personal spam settings facility to fix known issues with the whitelist and blacklist features. The capacity of both lists has been significantly extended. The personal blacklist no longer supports wildcard (*) characters, every entry in this list must be a complete e-mail address. Personal blacklist entries that contained wildcard characters have been removed. This was done for 2 reasons; it allows the whitelist and blacklist to be used together to create a personal configuration that whitelists all senders in a specified domain except those in the blacklist, and prevents the inadvertent loss of message due to the use of wildcards in the blacklist.
- Updated the virus scanner software to the latest version
What is E-mail Spam?
E-mail spam can be broadly defined as any e-mail that is sent to one or more recipients that is unsolicited and unwanted by the recipient or recipients. Spam e-mails can take many forms many of which are indistinguishable from legitimate messages by automatic means. Spam messages include:
- Messages asking the user to provide personal information such as computer account information, bank account information, or other forms of personal information. These messages often appear to come from sources such as the recipient’s bank or employer. No bank or employer should ever ask for such information via e-mail. Brock University will NEVER ask for this type of information by e-mail. This type of message is commonly referred to as ‘phishing’.
- Web phishing is an extension of the phishing e-mails described above. Rather than asking the recipient to reply to the e-mail with personal information, the message asks the recipient to go to a web site to provide the information. Sometimes the web site, intentionally configured to look like a site that is familiar to the recipient, asks the use to log into the site, thus capturing the recipient’s information without them realizing it.
- Messages with known virus programs either embedded in the message itself or as attached files.
- Unsolicited advertising messages.
- Unsolicited messages with content that is offensive to the recipient.
Brock University’s Anti-Spam System
Brock University uses a multi-level anti-spam system to limit the amount of spam that its users receive. No anti-spam system can completely eliminate spam e-mail for two reasons: it is often impossible to automatically distinguish between legitimate and spam e-mail, and the tactics used by the creators of spam messages are constantly changing in an attempt to circumvent spam filter programs.
Spam filtering at Brock is performed using an multi-level approach. At each level different methods are used to identify spam, only permitting messages that do not appear to be spam at that level to proceed to the next level. The filter levels used by Brock University are:
- Real Time Blacklist – The server used to route every e-mail message coming to Brock University is checked against an automatically updated list of know spam source servers. Any message routed through such a server is rejected by Brock University’s spam filter. When a server, attempting to send a message to one of Brock University’s e-mail users, is rejected by the Real Time Blacklist checking process, the sending server is sent a status code telling it that the message cannot be accepted along with a text message for the message sender referring the sender to the blacklist provider’s web site. If the sending server is properly configured, the sender of the original message will receive an e-mail, containing the text of the original message along with the reason why it was not delivered, including the text provided by Brock University’s server. Any server that is identified by the Real Time Blacklist cheer is prevented from connecting to the same Brock University server for a period to time to reduce the impact of spam attacks (sending large volumes of spam e-mail very quickly) from that server.
- Greylisting – Every e-mail arriving at Brock University from off campus is then subject to greylisting, a technique for reducing the amount of spam being accepted as legitimate e-mail by attempting to ensure that the server sending the e-mail to the Brock University spam filter is properly configured. As each message is being received, it is checked against a database to see if each recipient of the message has received a message from the sender via the same server recently, if this is the case, then the message is passed on to the next layer of spam filtering. If no such message has been received by all of the recipients recently, then the sending server is asked to ‘try again later’ using a standard e-mail protocol signal and a record is made of the current attempt. If the sending server observers standard procedures, it will try sending the message again after a reasonable time interval and the message will be passed on to the next level of filtering. If the sending server does not operate in this manner, which is common for spam sources, then the message is never passed on for further processing.
- Virus scanning - Every e-mail passing through the spam filter is checked for viruses using an automatically updated virus scanner. If a virus is found, the message is discarded without any notification being sent to either the sender or the recipient, however, the fact that the message has been discarded is logged along with information about the type of virus found.
- Message content filtering – Every e-mail originating from outside the Brock University network is checked using content filtering rules. These rules look at the actual content of the message (including the "from" and "to" addresses, the subject line and other message headers) for indications that the message is spam. This filtering includes:
- Personal whitelist – Each Brock University e-mail user can specify a list of e-mail addresses from which they always want to receive messages. If an entry is found in a user’s personal whitelist that matches the sender’s address in a message that message is passed on without further checking. Note that the message must have passed all of the previously listed checks before it will reach this check. See ‘Using E-mail Anti-Spam settings’ below for information on how to use this feature.
- Personal blacklist – Each Brock University e-mail user can specify non-Brock university e-mail addresses from which they do not which to receive e-mail. Please note that if an e-mail address is covered by both a personal whitelist and blacklist entry, the blacklist entry will take precedence. When a message I sender matches an entry in an e-mail user’s personal blacklist, the message is rejected with the appropriate status code and the text message ‘Blacklisted’ send to the sending server. The sending server should then send a message back to the original message sender with this status code and message along with the original message in its entirety. See ‘Using E-mail Anti-spam settings’ below for information on how to use this feature.
- Standard system filter rules – This is a list of spam filter rules provided by the spam filter software developers. These rules identify most of the common spam content. These rules are automatically updated. Two types of standard system rules are used; static (fixed definition) rules check for well-known and readily identifiable spam characteristics, while dynamic rules (known as Bayesian rules) check for recurring, high volume patterns in message in real time. This second type of rule helps to reduce the impact of new types of spam as it is being received.
- Known Spam Sources – Organizations around the world keep lists of the e-mail addresses of the ‘from’ addresses of spam. The Brock University spam filter includes one of these lists which is updated automatically.
- Custom spam filter rules – Brock University maintains a set of custom spam filter rules based on the spam received by Brock University e-mail users and reported to Information Technology Services. This set of rules is constantly being updated and extended.
- As a message is checked using the standard spam filter rules, custom spam filter rules and the known spam source list, as numeric score is computed. The probability that a message is spam increases as the computed score increases. Each e-mail user at Brock University has a required score value (default value is 5). If the computed score for a message becomes equal to or greater than the user’s required score, the message is treated as spam. Each e-mail user can specify what action the spam filter is to take once a message is considered to be spam (i.e. the computed score is at least as great as the user’s required score). See the ‘Using Personal Spam Settings’ section for information changing the default required score, spam action and subject line tab settings. These actions are:
- Do nothing – The message is delivered to the user without any indication to the user that it is probably spam. The spam information is logged on the mail server and is included in the message headers that the user can view if desired (how this is done depends upon the e-mail client software used).
- Mark message as spam – When a message is identified as probable spam, the message is delivered to the user with the subject line modified to indicate this. This is the default action for the spam filter and the default subject line text is ‘*****SPAM******’.
- Block – Any message for an e-mail user that is identified as probable spam is not delivered to the user. A message is sent back to the sender by the Brock University spam filter indicating that it was blocked by choice of the Brock University e-mail user to whom it was addressed.