Indiana University


Computer Science
Email Virus and Spam Filtering

The CS, Extreme, and OSL email servers perform a variety of filtering, blocking, and tagging of email messages in order to deal with the wide range of threats and annoyances posed by spam and virus-laden email. This policy describes each filtering step and explains the rationale behind it. The following is the sequential list of tests that an incoming email message is subjected to before it is delivered.

  1. Virus Detection - We use the Virus Check component of the Sophos PureMessage scanner to detect email containing known viruses. When a virus is detected, the action taken depends on the volume class assigned to that virus.

    • High Volume - The newest viruses to appear can spread with remarkable speed and volume; it is not uncommon for more than 5000 copies of a single virus to arrive in one day. In such cases we simply discard these messages. This is a silent discard: no bounce message is generated, since thousands of bounces are themselves disruptive, and the sender address on such mail is usually forged, so a bounce would go to an uninvolved third party rather than the actual source.

    • Medium to Low Volume - Some viruses arrive in sufficiently low volume that a silent discard is not necessary. In this case the message is rejected, so the sender receives a bounce message indicating that the message was not delivered.

    Classification of a virus as high volume is done manually and evolves over time.

  2. Unscannable Attachment Warnings - There are times when the virus scanner is unable to scan an attachment for viruses. When this happens, a warning is inserted before the suspicious attachment to let the user know that the attachment that follows could not be scanned and may contain malicious content. This covers the following cases:

    • Encrypted Attachments - When an attachment is encrypted, the scanner may be unable to decrypt it to scan the contents. Some viruses send encrypted attachments (with the key given somewhere in the message), but legitimate items such as bank and credit card statements also arrive encrypted. For this reason we do not block encrypted attachments. Note that the virus scanner is still able to identify and block many known viruses that arrive encrypted.

    • Multi-Part Attachments - It is possible to send an attachment split across multiple mail messages (the message/partial MIME type). The virus scanner only sees one part at a time, so it may not be able to determine whether the reassembled attachment is a virus. Unfortunately, some mail clients automatically reassemble the parts and present the possibly virus-laden attachment to you. These are not very common and the feature has legitimate uses, so we do not block them.

    • Corrupt Attachments - Occasionally the scanner determines an attachment to be corrupt. This can happen for a number of reasons; for example, the attachment may be a corrupt .gz file, so the scanner cannot uncompress it to check for viruses. We have seen rare cases in which the scanner tags a valid file as corrupt, so we do not block these attachments.

    This filtering only applies to incoming email, not email originating on CS systems.

  3. Blacklisted File Extensions - We use the Policy Bundle component of the Sophos PureMessage scanner to reject email containing attachments with certain file extensions. These include various executable formats commonly used by virus writers, such as Windows .exe and .com executables, as well as .zip archives that contain files of these executable types. When such an attachment is found, the email is rejected and bounced back to the sender with a message stating that the attachment type is not allowed.

    Please see the complete blacklisted extension list for the list of all rejected file extensions.

    If you routinely need to send or receive files with one of the blocked extensions, rename the file before you email it. For example, a file named program.exe can be renamed to something like program or program.foo to get through the email system, and renamed back once it is received. Note that this check is based on the file name alone, so renaming does nothing to make the content safer; the recipient should still virus-scan the file before restoring its original name and running it.

    Also note that rejected messages are copied to the quarantine on the server and kept for 2 weeks. If a message you need is rejected, it can be forwarded to you from the quarantine during this time; please submit a request through the CSG Help Desk if you would like assistance recovering a rejected message.

    This filtering only applies to incoming email, not email originating on CS systems.

  4. Suspicious File Extensions - We use the Policy Bundle component of the Sophos PureMessage scanner to watch for other attachments with suspicious file types. These file types are commonly used by viruses but, unlike the Blacklisted File Extensions, they are also commonly used to transfer legitimate content. As a result we do not reject them outright. Instead, we add a warning banner to the message alerting the recipient that the attachment is of a suspicious nature and should only be opened if you are absolutely certain that the content is not malicious.

    Please see the complete suspect extension list for the list of all file extensions that will trigger the addition of this warning banner.

    This filtering only applies to incoming email, not email originating on CS systems.

  5. IP-Based Blocking - We use the IP Blocker component of the Sophos PureMessage scanner to reject mail connections from hosts in the Sophos-managed list of known spam sources. This technique uses the SophosLabs IP address classification policy; you can check whether a particular IP address is being blocked with the SophosLabs IP address classification lookup tool.

    When a mail connection is first established, the IP address of the connecting system is checked against the Sophos list. If a match is found, the connection is immediately rejected with an error like the following:

    Your message was rejected due to spam filtering. Please see http://www.sophos.com/security/ip-lookup?ip=12.34.56.78

    By following the referenced URL it is possible to request that the IP address be de-listed. Please let us know if an IP address is improperly listed and we can whitelist it on our servers.

  6. PureMessage Spam Detection - We use the Anti-Spam component of the Sophos PureMessage scanner to classify email as spam. Each message is assigned a spam probability from 0% to 100%, indicating how likely it is that the message is spam. The action taken depends on the probability range:

    • >99% - Messages in this highest range are rejected by the mail servers with the error message "This message is being rejected as spam". For messages in this range the chance that the message is not actually spam is extremely low. When a message is rejected, the sender receives a bounce message indicating that it was rejected as spam.

    • 60-99% - Messages in this range are very likely to be spam, but there is a small false positive rate so we don't reject them. Instead, we add a tag to the Subject line of the message indicating the probability that the message is spam. For example, a message with the subject:
      Subject: Special Offer
      that had a spam probability of 75% would have the subject line rewritten to:
      Subject: [SPAM: ## 75%] Special Offer
      An X-Perlmx-Spam: header is also added containing detailed information about the spam score report. Please see the associated FAQ entry that explains the Subject: line changes and the X-Perlmx-Spam: header.

      If you want to stop the Subject: line rewriting that is done for spam messages, please see the associated FAQ on the subject.

      If you are having email incorrectly tagged as spam, we can add a sender address to what is called the whitelist. Just send the information about the incorrectly tagged email to sysadm.

      If you want all of your email to entirely bypass the PureMessage Spam Detection, we can add your username to the opt-out list. Just email sysadm to do this.

    • 0-59% - Messages in this range have the X-Perlmx-Spam: header added but the Subject: line is not rewritten. Since the spam score is still in the X-Perlmx-Spam: header, you can use automated filtering tools, such as procmail or the filtering features of various email clients, to sort email in this range automatically.

    This spam filtering only applies to incoming email, not email originating on CS systems.

    You are encouraged to visit the spam filtering FAQ entry for detailed information about how to use these features to filter out spam email.
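The following Python is an added example modelling the attachment policy of steps 3 and 4 above; it is not the department's PureMessage Policy Bundle configuration. The BLACKLISTED and SUSPECT sets are assumptions standing in for the published extension lists the page links to. Only the outcomes follow the page: a blacklisted extension rejects the message, a suspect extension adds a warning, a .zip archive is opened and its member names checked, and an archive that cannot be opened is treated as unscannable (warned about, not blocked). The last sample shows why renaming program.exe to program.foo gets through: the check never looks at the file's content.

```python
"""Attachment-extension policy check (added example, not the department's code)."""
import io
import zipfile
from email.message import EmailMessage

# Assumed stand-ins for the department's blacklisted and suspect extension lists.
BLACKLISTED = {".exe", ".com", ".scr", ".pif", ".bat"}
SUSPECT = {".doc", ".xls", ".ppt", ".rtf"}

ORDER = {"PASS": 0, "WARN": 1, "REJECT": 2}   # verdict severity ranking


def extension(name):
    """Lower-cased final extension of a (possibly path-qualified) filename, '' if none."""
    base = (name or "").lower().rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def classify_name(name, blacklisted=BLACKLISTED, suspect=SUSPECT):
    """Verdict for a single filename based on its extension alone."""
    ext = extension(name)
    if ext in blacklisted:
        return "REJECT"
    if ext in suspect:
        return "WARN"
    return "PASS"


def classify_zip(data, blacklisted=BLACKLISTED):
    """REJECT if any archive member has a blacklisted extension; WARN if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "WARN"   # corrupt or otherwise unscannable archive: warn, do not block
    for member in names:
        if classify_name(member, blacklisted, set()) == "REJECT":
            return "REJECT"
    return "PASS"


def scan_attachment(part, blacklisted=BLACKLISTED, suspect=SUSPECT):
    """Verdict for one MIME attachment part."""
    name = part.get_filename()
    verdict = classify_name(name, blacklisted, suspect)
    if verdict != "REJECT" and extension(name) == ".zip":
        inner = classify_zip(part.get_payload(decode=True), blacklisted)
        if ORDER[inner] > ORDER[verdict]:
            verdict = inner
    return verdict


def scan_message(msg, blacklisted=BLACKLISTED, suspect=SUSPECT):
    """Verdict for a whole message: the most severe verdict of any attachment."""
    verdict = "PASS"
    for part in msg.iter_attachments():
        v = scan_attachment(part, blacklisted, suspect)
        if ORDER[v] > ORDER[verdict]:
            verdict = v
    return verdict


def build_message(filename, data):
    """Constructed sample message with one attachment (test input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@cs.example.edu"
    msg["Subject"] = "file for you"
    msg.set_content("See the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def make_zip(members):
    """Build an in-memory zip archive from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; the byte contents are placeholders, not real files.
    samples = {
        "program.exe": b"MZ\x90\x00",                      # blacklisted -> REJECT
        "program.foo": b"MZ\x90\x00",                      # same bytes, renamed -> PASS
        "tools.zip": make_zip({"bin/setup.exe": b"MZ"}),   # executable inside zip -> REJECT
        "docs.zip": make_zip({"readme.txt": b"hello"}),    # harmless archive -> PASS
        "report.doc": b"\xd0\xcf\x11\xe0",                 # suspect extension -> WARN
        "broken.zip": b"not really a zip",                 # unscannable archive -> WARN
    }
    for fname, data in samples.items():
        print(f"{fname:12s} {scan_message(build_message(fname, data))}")
```

The rename caveat from step 3 is visible in the second sample: program.foo carries the same bytes as program.exe and passes, because the policy is a filename check and not a content check.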
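As an added example for step 6 (not the department's code and not the FAQ's filtering recipe), the Python below does on the recipient's side what the page says tools such as procmail can do: it reads the spam probability the server attached to a message and files the message accordingly. The Subject tag format "[SPAM: ## 75%]" is the one the page shows. The assumption that the X-Perlmx-Spam: header carries a "Probability=NN%" field, the folder names, and the 30% review threshold are mine, not from the page; server_action() simply encodes the three server tiers the page describes so that the boundaries (99% tagged, 100% rejected) are explicit.

```python
"""Recipient-side sorting of server-tagged spam (added example, not the department's code)."""
import re
from email import policy
from email.parser import BytesParser

# Subject tag format shown on the page: "[SPAM: ## 75%] Special Offer".
SUBJECT_TAG = re.compile(r"^\[SPAM:\s*#*\s*(\d{1,3})%\]\s*")
# Assumed field inside the X-Perlmx-Spam: header; the page does not give its layout.
HEADER_PROB = re.compile(r"Probability=(\d{1,3})%")


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def spam_probability(msg):
    """Spam probability (0-100) taken from the Subject tag, else the header; None if unscored."""
    m = SUBJECT_TAG.match(str(msg.get("Subject", "")))
    if m:
        return int(m.group(1))
    hdr = msg.get("X-Perlmx-Spam")
    if hdr:
        m = HEADER_PROB.search(str(hdr))
        if m:
            return int(m.group(1))
    return None


def original_subject(msg):
    """Subject line with the server's [SPAM: ...] tag stripped off."""
    return SUBJECT_TAG.sub("", str(msg.get("Subject", "")), count=1)


def server_action(probability):
    """The server-side tiers described on the page, with exact boundaries."""
    if probability > 99:
        return "reject"          # bounced as spam, never reaches the mailbox
    if probability >= 60:
        return "tag-subject"     # Subject rewritten and header added
    return "header-only"         # only the X-Perlmx-Spam: header is added


def route(msg, quarantine_at=60, review_at=30):
    """Folder for a received message. Thresholds other than 60 are tuning choices, not from the page."""
    p = spam_probability(msg)
    if p is None:
        return "INBOX"           # unscored: e.g. sender whitelisted or user opted out
    if p >= quarantine_at:
        return "Spam"
    if p >= review_at:
        return "Probably-Spam"
    return "INBOX"


# Constructed sample messages (not real mail).
SAMPLE_TAGGED = (
    b"From: deals@example.net\n"
    b"To: user@cs.example.edu\n"
    b"Subject: [SPAM: ## 75%] Special Offer\n"
    b"X-Perlmx-Spam: Probability=75%\n"
    b"\n"
    b"Buy now.\n"
)
SAMPLE_MID = (
    b"From: list@example.org\n"
    b"Subject: Weekly newsletter\n"
    b"X-Perlmx-Spam: Probability=45%\n"
    b"\n"
    b"This week's news.\n"
)
SAMPLE_LOW = (
    b"From: colleague@example.edu\n"
    b"Subject: Meeting tomorrow\n"
    b"X-Perlmx-Spam: Probability=12%\n"
    b"\n"
    b"See you at 10.\n"
)
SAMPLE_UNSCORED = b"From: local@cs.example.edu\nSubject: Internal note\n\nNo scan.\n"

if __name__ == "__main__":
    for raw in (SAMPLE_TAGGED, SAMPLE_MID, SAMPLE_LOW, SAMPLE_UNSCORED):
        msg = parse(raw)
        print(f"{route(msg):14s} {spam_probability(msg)!s:5s} {original_subject(msg)}")
```

Reading the Subject tag first and the header second matters for the 60-99% range: a user who has asked for Subject rewriting to be turned off (see the FAQ referenced above) still gets the header, so the same rule keeps working.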

If you have any further questions about the CS email system, please use the CSG Help Desk.