
    Fighting Spam

    Unsolicited bulk e-mail, commonly called "spam," is a problem for every electronic mail system on the Internet today. Drexel is no exception. This form of net abuse is known to virtually everyone who has ever had an e-mail account. It is commonly estimated that spam on the Internet is doubling every three or four months.

    Server-based spam defenses (what IRT does)

    Our server-based spam defenses block and filter the vast majority of the spam which is sent to Drexel mailboxes. Here are the mechanisms we currently have in place.

    Blocking Lists

    Our first line of defense is a set of remote blocking lists that are maintained by various spam-fighting organizations (for example, Spamhaus). These are lists of computers and servers which are either known spam sources or known to be vulnerable to spam operations. These lists are generally updated frequently throughout each day.

    Drexel also maintains its own additional blocking list, based on the largest-volume spammers to get through to our servers. We generally update this list each day based on the previous day's spam haul.

    We also use an internally developed utility which does enhanced matching against blocking lists. (This utility alone blocks between 30,000 and 250,000 spam items daily.)

    Spam blocking should protect us against systems which are dedicated to generating spam. It should have a very small chance of rejecting a real piece of email. We are conservative in the blocking lists we use; occasionally we stop using a particular external list if its blocking criteria are too aggressive.

    While not likely, it can happen that a legitimate email source gets blocked. All blocked messages are returned with an appropriate error code, so the sender can see that the message was not delivered. If you believe you have not received a desired message due to Drexel's spam blocking, please contact IRT's Help Desk at consult@drexel.edu.

    Spam filtering (PureMessage)

    Spam that is not blocked based on its source then hits our second line of defense, the Sophos PureMessage spam filter system. PureMessage evaluates each email item individually for a long list of possible spam indicators in both the email headers and the contents. The more clues that match, the higher the probability that the item is in fact spam.

    At Drexel, any message that PureMessage thinks has at least a 70% chance of being spam is tagged and moved to the recipient's individual Junk E-mail folder.

    You can see the spam-likelihood score that PureMessage has assigned to any particular piece of email, as well as the factors behind that score, by looking at the full email headers. (Although Cornell's implementation of PureMessage is a bit different than ours, their PureMessage web page offers a good explanation of the principles.)

    PureMessage makes available (and we apply) updates to their spam-detection rules nearly every day.

    Tagged Spam

    Any message with a score of 70 or greater (which according to the SPAM utility and our own testing is virtually always spam) will have a prefix [SPAM:XXXXXXX] added to the subject line of the message. The number of X's corresponds to the spam score (e.g., 7 X's = 70, 9 X's = 90). Global filtering has been set up to file any message with this in the subject line into the email client's Junk E-mail folder for both Exchange and IMS mailboxes. This means SPAM won't be deleted by the system, but will be automatically filed in a mailbox folder readily accessible to the user.

    Managing your Junk E-mail folder

    As with any folder, IMS users must subscribe to the Junk E-mail folder to view its contents. Because only IMAP uses the Junk Mail filtering reliably, the folder will not be visible to POP3 users. However, those users can use Webmail or an IMAP client to view it if desired.

    The mail server will expire the contents of the Junk Mail folder in 28 days. IMPORTANT: users are responsible for checking their Junk E-Mail folder for messages incorrectly identified as spam.

    Once per week, the Exchange server will also expire messages older than 28 days and will move the messages into the user's deleted items folder. It will also send a short mail message indicating how many messages have been moved.



    As we all know from the regular offers we get for instant wealth from distant shores and unnatural enlargement of body parts, despite all of these defenses, some spam still gets through. We estimate that PureMessage is detecting about 90% of the actual spam that gets past the blocking. We are currently evaluating alternatives to PureMessage to see if any of its competitors might do a better job.

    What You Can Do About Spam:

    Keep your email address off the spam radar

    • Don't post your address on a publicly searchable web page if you can avoid it. (It's good practice for departments and organizations to use functional rather than personal addresses, such as our consult@drexel.edu.)
    • Only give out your email address to reputable organizations with good privacy policies (yes, you should read the privacy policies).
    • For all other sites, if you must give out an email address, use one you don't care about (a free one from a service like Hotmail, for example).
    • Don't ever reply to spam or use the "option" to unsubscribe -- that just tells the spammer they have found a real person willing to read what they are sending. (See http://www.spamhaus.org/removeisformugs.html .)

    Protect your PC from viruses and malware

    Spammers want to infect your PC so they can get all of the email addresses in your address book, and so they can use your PC as a "zombie" to send out more spam. By following good security practices, you are protecting your friends and your community as well as yourself. See http://www.drexel.edu/irt/support/Virus.html for information regarding virus protection, critical updates, Windows firewall and more.

    Report untagged spam

    Sophos encourages its customers to send any missed spam back to them; this helps them improve the PureMessage filtering rules. Send the offending email with full mail headers to spamreports@drexel.edu, which automatically forwards on to Sophos.

    About full mail headers: Most email clients only display the To:, From:, Date: and Subject: lines of the headers. However, what we don't normally see as email recipients is the path which the email followed from its original SMTP outbound server to reach our inbound mail server. This header information is critical for the spam detection effort. (SpamCop is a public site dedicated to helping rid the net of the spam nuisance. Use the link above to get the scoop on where to find this header info for your particular mail client.) Send the header info to spamreports@drexel.edu.

    Note: To report other types of network abuse, such as Denial-Of-Service attacks, compromised computer connections from outside Drexel, or other unauthorized use of network resources, use Abuse@drexel.edu.

    Block automatic display of images

    Unwanted, disturbing images are a particularly upsetting aspect of spam. Automatically loading "images" can also trigger malicious software.

    For web-based email clients such as DrexelOne and webmail, your main defense is to only open email from recognized sources.

    If, however, you need to open emails from people you don't know, then you need the additional capabilities that desktop email programs offer. IRT supports Outlook and Outlook Express (for Windows), and Entourage and Apple Mail (for Mac). These programs all offer the ability to turn off automatic image display and/or automatic loading of remote images. For instructions on setting up these programs to work with Drexel's email servers, see http://www.drexel.edu/irt/support/ConfigureEmail.html .

    Using spam-filtering software on your own computer

    If you are really frustrated with all of the spam in your inbox, then you may want to invest some time in setting up and training spam-filtering software on your own computer. Outlook, Entourage and Apple Mail all have built-in spam filtering capabilities that you can choose to turn on. There are also add-on spam filtering products you can install.

    We (IRT Help Desk) are still exploring these options and do not have any specific instructions or recommendations yet.

    Frequently Asked Questions

    Q1. The email I sent to my colleague at hotmail (Comcast, yahoo, AOL, ...) was rejected as spam!

    Occasionally outside companies -- sometimes even some of the major ones who should know better -- get too aggressive in their spam blocking lists and reject mail from perfectly fine servers such as ours. If this happens to you, please send the email with the bounce message to us at consult@drexel.edu, and our email administrators will work with the outside service to get the problem fixed. You could also ask your colleague to notify their service of the problem.

    Note: if you are using a departmental email server then you should notify that server's administrator.

    Q2. Why is there tagged spam in my inbox?

    Tagged spam (subject starting with [SPAM:XXXXXXX) should always go straight to the Junk E-mail folder. We've seen some cases in Outlook where this is not happening automatically. To solve this problem, please follow our instructions for creating a rule.

    This is especially important for people who use a hand-held device (such as a Blackberry or a Treo) to receive email directly. No one wants to be notified of each incoming piece of spam.

    Q3. A real piece of email was sent to Junk E-mail!

    Case 1: the server-side filter goofed. In this case, you'll see the tell-tale [SPAM:XXXXXXX tag in the message subject. While the rate of "false positives" is very, very low at the 70% setting, every once in a great while we do see a non-spam item falsely tagged and filtered into the Junk E-mail folder. For this reason we strongly recommend you glance at this folder at least once every 28 days so that you can catch and rescue any such error. Please also send the incorrectly tagged email (with full mail headers) to consult@drexel.edu, so we can try to prevent the problem in the future.

    Case 2: your local filter is at work. If the wrongly filtered item is not tagged (that is, the subject does not start with [SPAM:XXXXXXX), then the server-side filtering is not the cause. Rather, this is an indication that some additional spam filtering is happening within your email program, even if you didn't realize it. Recommendation: turn your local filtering off, or spend the necessary time tuning it and checking the results.
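
    The tag format described under "Tagged Spam" and the Q2/Q3 reasoning above can be checked mechanically. The following is an added example, not IRT's or Sophos's code: the function names spam_score and triage and the sample messages are constructed for illustration, and the only thing taken from this page is the [SPAM:XXXXXXX] prefix with one X per 10 points and the 70 threshold.

```python
import re
from email import message_from_string
from email.header import Header, decode_header, make_header

# Tag format from this page: "[SPAM:" + one X per 10 points + "]" as a subject prefix.
TAG_RE = re.compile(r"^\s*\[SPAM:(X+)\]")
THRESHOLD = 70  # score at which the server tags and files a message

# Constructed sample messages (not real mail).
SAMPLE_TAGGED = "From: a@example.com\nSubject: [SPAM:XXXXXXXXX] Instant wealth\n\nbody\n"
SAMPLE_CLEAN = "From: b@example.com\nSubject: Meeting notes\n\nbody\n"
# The same kind of tag as it appears when the Subject header is MIME-encoded (RFC 2047).
SAMPLE_ENCODED_SUBJECT = Header("[SPAM:XXXXXXX] offer", "utf-8").encode()


def spam_score(subject):
    """Return the score encoded in a tagged subject, or None if untagged."""
    decoded = str(make_header(decode_header(subject or "")))
    m = TAG_RE.match(decoded)
    if not m:
        # The tag is a prefix; "Re: [SPAM:...]" is a reply, not a server tag.
        return None
    return 10 * len(m.group(1))


def triage(raw_message, found_in_junk):
    """Apply the Q2/Q3 reasoning: which filter handled this message?"""
    score = spam_score(message_from_string(raw_message)["Subject"])
    tagged = score is not None and score >= THRESHOLD
    if tagged and found_in_junk:
        return "server-tagged, filed as intended"
    if tagged:
        return "server-tagged but left in inbox: create a client rule (Q2)"
    if found_in_junk:
        return "untagged in junk: a local filter moved it (Q3, case 2)"
    return "untagged, delivered normally"


if __name__ == "__main__":
    print(spam_score(SAMPLE_ENCODED_SUBJECT))
    print(triage(SAMPLE_TAGGED, found_in_junk=False))
    print(triage(SAMPLE_CLEAN, found_in_junk=True))
```

    Matching only a leading tag keeps replies and forwards that quote a tagged subject from being treated as server-tagged, and decoding the header first catches tags in MIME-encoded subjects that a plain string match would miss.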

    This page was last updated by Beth Hazany, IRT, 10/1/07. Please send questions or recommendations regarding this content to consult@drexel.edu, attention Beth.

     

     Modified: October 3, 2008