GENERAL INFORMATION
CIT uses both spam and virus filtering products to filter e-mail before it reaches users' inboxes.

These filters are quite necessary for the security and safety of the network. Spam and e-mail messages containing viruses and worms come in to the mail server at an alarming rate. Prior to establishing filters, it had become difficult to process all the incoming mail, due to the volume of mail coming in, and nearly impossible to complete a full backup of the system (done routinely to allow for data restore, should difficulties arise). In addition, people increasingly complained about the magnitude of unwanted e-mail entering their inboxes.
Now, e-mail is filtered. On a typical day, we routinely receive 800,000 to 1,000,000 messages coming in to the campus. The spam filter identifies messages coming from known spammers and rejects them, and identifies some messages as known spam and removes them. The system then identifies messages as suspected spam and quarantines them and sends notices to users' quarantine reports. The remainder of the messages are processed through the virus filter, then sent through to users' inboxes. Of the total amount of e-mail received, only 1 in 10, on average, is actual mail for users.
CIT does not allow anyone to opt out of the spam-filtering service. Spam and virus-laden e-mail messages, once on campus, can spread quickly and create problems for the entire network.
SPAM FILTER: The spam filtering product filters e-mail messages before they hit the client's inbox. Here's how the filter works:
- The filter determines, using quantitative degrees of assuredness, the likelihood that a particular e-mail message is actually a spam message. These figures are based on significant data from past experience. Thus, for example, a message that contains the word "viagra" in the body of the message shows up with a very high likelihood of being spam mail.
- Based on the assuredness level at which a message can be determined to be spam, certain actions will automatically occur (listed below). Some messages will be "quarantined" and the user will receive a message telling them that they have messages that have been quarantined. The user can then select which of these messages to release, delete, or whitelist (so, in the future, they come directly to the inbox without being quarantined).
- Based on the levels we've established, these are the actions that will occur for spam mail:
1) Messages known to be spam with 100% assuredness will be dropped and deleted from the mail system.
2) All other messages suspected of being spam will be listed in a notification message to the user, for the user to Release, Delete, or Whitelist.
The User Quarantine Release Notification message shows multiple links at the bottom of the message. The first link takes the user to a web page that lists all spam messages that user has received which have yet to be acted upon (Released, Deleted, or Whitelisted). The subsequent links show the individual spam messages received since the last User Quarantine Release Notification message was sent to the user.
The user can click on the first link (or copy and paste it into a web browser) to see all his/her quarantined messages. The user can then check the applicable box on the right-hand side of the web page to Release, Delete, or Whitelist (i.e., allow all future messages from this sender to go directly to the user's inbox without being quarantined). Note: To whitelist and receive a particular message, it must be BOTH whitelisted and released.
Alternatively, the user can just click on the number link to have individual messages released.
The user can click on the long link in his/her last Quarantine Report message at any time to retrieve any quarantined mail remaining in quarantine. The link will remain valid until the next Quarantine Report is produced. Thus, if a user believes a message may be in quarantine, and he/she has not yet received a new report, he/she can click on the link in the previous report to find the message.
Note: If a particular message has multiple recipients and any one of them releases the message, it will be released to all recipients.
3) Messages not suspected of being spam will simply be transmitted to the user, with no further action taken by the spam filter.
Listserv addresses (i.e., Oberlin listservs with multiple Oberlin addressees) will not receive the quarantine list messages.
CIT constantly monitors this system, and responds to user issues (such as not receiving desired mail), to ensure the configuration established provides the most efficient and effective spam filtering. Adjustments are made as needed to ensure optimal performance. Note that it takes some amount of time for the system to "discover" new spam messages and act accordingly.
The User Quarantine Release Notification message telling you that you have received spam mail which is now being held in quarantine looks like the message below:
An email (or emails) sent to you was quarantined as suspected spam. You may view that email message/messages by clicking on the link below (or copy and paste link in a web browser). You can then Release, Delete, or Whitelist (have messages sent to you directly from this sender without first being quarantined) by selecting the appropriate box at the right-hand side of the web page. This link is valid for the next ten days. If you save your most current quarantine message, you can check for recently quarantined messages at any time by clicking on the link. If you choose to do nothing with your quarantined messages, they will automatically be deleted after ten days. For further details on the Oberlin College spam filter, please check the CIT web pages (http://www.oberlin.edu/cit/email/spam). Please contact the CIT Help Desk with any questions or problems related to this message.
email: CIT@oberlin.edu
telephone: 58197
https://spamq1.oberlin.edu:443/urq/urqMailList.do?method=processMail&2f31809907d5d0e9664fceaf9a28eb8e115ff09100000000000000521821
| Message ID | Sender | Subject | Size(Bytes) | Date | Info | Multiple Recipients |
| 4833675 | 1800flowers-return.1267138369@email.800-flowers.net | Thanksgiving Gift Baskets 10%* off! | 21544 | 2004-11-15 09:38:04 | SPAMQ TRU ESP70 | N |
Note that the link in the message above takes you to an https: secure server.
Below is a sample quarantine list.

White-listing (getting mail to go through without first being quarantined):
If you notice desired messages being caught as spam (often, these are messages from listservs), you can check the Whitelist box from the web page you are directed to from the User Quarantine Release Notification message. Whitelisting allows messages from a particular sender to always be sent to you automatically, without being quarantined. If you find a message in your Quarantine Report that you want to receive, and you want to always receive in the future, be sure to check BOTH Release and Whitelist (to get the current message).
The spam filter provides the following Capabilities:
- Ability for individual users to create their own "whitelists";
- Ability to delete messages from the quarantine list - it is highly recommended that this be done routinely, otherwise those messages sit on the server for 10 days, taking up valuable space;
- Ability to view the quarantine list at any time of the day - just retain the latest Quarantine Report and click on the main link in the message to see your list at any time.
Filtering of E-Mail With Certain Extensions
In addition to filtering spam messages, the spam mail filter also filters messages with certain extensions known to be carriers of computer viruses and worms. Thus, messages sent with attachments that have any of the below listed extensions are filtered and dropped from the mail server.
Extensions dropped:
| adp | crt | js | pif | vb |
| bas | dll | jse | rar | vbe |
| bat | hlp | lnk | reg | vbs |
| chm | hta | msc | scr | wsc |
| cmd | inf | msp | sct | wsf |
| com | ins | mst | shs | wsh |
| cpl | isp | pcd | url | wmf |
If someone is sending you a legitimate message with one of these extensions in the name of the attachment, ask them to modify the extension name to some other letters. You can then rename it after receiving it.
Attachments with the extensions mdb and mde are sent directly through to the user, since they have not been associated (yet) with viruses/worms.
Messages carrying attachments with the following extensions will have the attachment dropped and replaced with an attached message from CIT (as depicted below): exe, msi. These extensions are also known to be associated with viruses and worms, but are also often associated with legitimate and desirable files. With the original attachment being dropped, you won't unwittingly open and spread a virus or worm.
The message from the original sender will still be sent to you, but it will have an attachment from CIT which will say: "The original attachment has been removed from this message because the extension type is associated with viruses. For more information, please reference the Oberlin College CIT website."
If you receive this message and you really are expecting a legitimate file from this sender with an extension of exe, msi, or zip, ask the sender to resend the attachment after renaming it.
For example: a sender whom you know sends you a file named helperapp.exe. Once it arrives at the Oberlin College mail server, the attachment is dropped and replaced with the above message from CIT. You really need the file, so you write back to the sender, asking them to rename the attachment helperapp.ext and resend it to you. They do. Once you receive the file, you rename it helperapp.exe and access it as usual.
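The attachment rules above, written out as a small Python filter. This is an added example, not CIT's filter or its vendor's code; the function names, the constructed sample message and the `looks_like_pe` content check are assumptions introduced here, the last because the rules as described look only at the file name.

```python
from email.message import EmailMessage

# Extension lists as given on this page.
DROP_MESSAGE = set(
    "adp crt js pif vb bas dll jse rar vbe bat hlp lnk reg vbs chm hta msc scr "
    "wsc cmd inf msp sct wsf com ins mst shs wsh cpl isp pcd url wmf".split())
STRIP_ATTACHMENT = {"exe", "msi"}
NOTICE = ("The original attachment has been removed from this message "
          "because the extension type is associated with viruses.")

def extension(filename):
    """Last extension of a file name, lower-cased; '' if there is none."""
    name = (filename or "").strip().rstrip(".").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def looks_like_pe(part):
    """Assumed extra check (not described on the page): Windows executables
    start with the bytes 'MZ' whatever the attachment is called."""
    data = part.get_payload(decode=True) or b""
    return data.startswith(b"MZ")

def apply_policy(msg):
    """Return (verdict, notes); exe/msi attachments are replaced in place."""
    parts = list(msg.iter_attachments())
    for part in parts:
        if extension(part.get_filename()) in DROP_MESSAGE:
            return "drop", [f"{part.get_filename()}: dropped extension"]
    notes = []
    for part in parts:
        name = part.get_filename()
        if extension(name) in STRIP_ATTACHMENT:
            part.set_content(NOTICE, disposition="attachment",
                             filename="removed.txt")
            notes.append(f"{name}: replaced with notice")
        elif looks_like_pe(part):
            notes.append(f"{name}: passes name check but content is executable")
    return "deliver", notes

def sample(filename):
    """Constructed test message carrying a fake 'MZ' payload."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "file"
    msg.set_content("Here is the file.")
    msg.add_attachment(b"MZ\x90\x00 constructed, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg
```

Calling `apply_policy(sample("helperapp.ext"))` delivers the message unchanged by the name rules, and the content check is what records that the renamed file is still an executable.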
VIRUS FILTER:
After mail passes through the spam filter, it goes through a virus filter that checks for viruses and worms. The product we use is updated several times a week to catch the latest viruses/worms. Once messages pass through the virus filter, they are then processed for delivery to users' inboxes.
If you have any questions about the filtering process, or need assistance, please contact the Help Desk at x58197 or cit@oberlin.edu.