Quarantine email, blocked, and anti-spam email

Quarantine email, blocked, and anti-spam email factors

• Emails are generally given points for spam factors or triggers. Generally emails with more than 50 points will be quarantined and over 100 points will be dropped. Most factors are assigned points and also a weight for those points. The weighted sum of the factors (ESP score) is considered for a total score.

• If you view the header of emails, you should see a header called X-ESP.  This shows the different weighted points assigned for different checks (factors) considered for SPAM.

White list

• Email addresses can be white-listed. This is to set up exceptions for email address or domains so that the checks are not performed on email from those addresses. If a help call is made requesting an address be white-listed campus wide, the anti-spam administrator will make a judgment call as to whether all users will really want email from that address.  We do not white list forged MSCD addresses. An email that says it is sent from something@mscd.edu but is sent from off-campus will NOT be white listed.

•  Users can privately white-list particular From email addresses if email ends up in their Quarantine list. This will let the email come through to them only. Many private quarantine requests are denied because the From address has gibberish in it indicating it was from an automated one-time from address and is not likely to be used again.

Points for spam

• We will take our anti-spam vendor’s recommended points for each factor and recommended weight for each factor to get the total points. Discussions with our anti-spam vendor and with the college attorneys were major considerations in making the decision to take these values.  This is not a matter we open up for people to constantly suggest changes.  

• With limited people to manage the anti-spam units, we do not generally customize settings just to block particular SPAM. The appliance works according to rules for email affecting the whole campus. We do NOT try to block 100% of SPAM. This was agreed to by the IT management team. Some people want and demand what most people consider objectionable.

Specific factors

• RBL (Real-time black list) indicates the email was sent from a known spamming site.

• RDNS (reverse DNS check) check that the email from-domain or email matches the ip the email was sent from.

• UHA (User defined Header Analysis)  Checks for common SPAM email subjects and From-addresses

• SHA (System defined Header Analysis) includes DNS lookup, forged From email addresses and domains (for example email from an address ending in mscd.edu but not sent from the campus network IP 147.153.x.x is forged), identical to and from address,  missing headers to, From, CC header fields, and subject, size greater than 500 KB, non-conformance to rfc standards, reply-to address empty and other factors.

• SLS (Statistical lookup service) checks the email to see how often it has been sent to other sites.

• DICTIONARIES are collections of phrases used by spammers.

• BAYES is a check for words commonly used in SPAM

• Sample email header

  • X-ESP   ESP<43>=RBL:<25> RDNS:<17> SHA:<11> UHA:<0> SLS:<0> BAYES:<-11> SenderID:<0> URL Substring Dictionary (TRU8):<0> Spam Dictionary (TRU8):<0> NigeriaScam Dictionary (TRU8):<0> Sober-German:<0> HTML Dictionary (TRU8):<1> Porn Dictionary (TRU8):<0> Embed HTML Dictionary (TRU8):<0> Obscenities Dictionary (TRU8):<0> URL Dictionary (TRU8):<0> CAN-SPAM Compliance Dictionary (TRU8):<0> mscd custom dictionary:<0>

    Original-recipient rfc822;cedillol@mscd.edu

• To view email headers, do the following:

  • From Outlook, open the email

  • From the Menu Bar, choose  View /  Options/  Internet headers box