Spam & Virus Filtering

Introducing Spam and Virus Filtering
Incoming Mail Handler
Scanners
Spam Filtering
Spam Scoring Table

Things to consider
Virus Filtering
What should I do when my legitimate email is being tagged as spam?
What should I do when I receive notification of virus or attachment removal?
What should I do when a genuine attachment gets stripped?
How the notification system works - senders don't get notified, recipients do.
What is Spamhaus, what is ORDB.org?

Email Client setup Guides
Microsoft Outlook
Microsoft Outlook 2003 Microsoft Outlook Express
Eudora
MacOS Mail
Webmail

Introducing Spam and Virus Filtering

Please note: While we are very pleased to offer this service, no virus scanner will eliminate 100% of any viruses that may exist now or may be created in the future. Although we believe the virus scanning system we have in place is very thorough, we are not guaranteeing that we can intercept all viruses. Furthermore, our virus/spam scanning system may periodically be taken off line for maintenance. It is still your responsibility to have up-to-date virus protection software installed on your computer. We accept no responsibility for damages a virus may do to your computer that may not have been intercepted by our virus scanning system.

The anti-spam feature should dramatically reduce the amount of spam you receive, though there is no 100% effective method of catching spam and we do not guarantee that all spam will be detected and/or eliminated. We also cannot 100% assure that legitimate email may be not be tagged as spam and cannot be held liable for an email that may be filtered as a result of being identified as a virus or spam.

The best and most effective anti-spam solutions combine server-side and user-side measures. Please follow the instructions below to setup your preferred email program and achieve best results with these anti-spam and anti-virus tools.

Custom Computer Technology Pty Ltd has introduced a new system for scanning and identifying incoming mail containing unsolicited messages and common viruses . The anti-virus system will function by stripping attachments that are common virus deployment files and identify viruses by signature. The spam filtering system will tag messages which the system identifies as spam. The filtering system contains some major components in order to function.

Incoming Mail Handler
All incoming mail is queued for processing by our Mail-Scanning Servers. Servers connecting to the Custom Computer Technology Pty Ltd network are checked for listing on two DNS blacklists; Spamhaus and ORDB (see further below). A third in-house blacklist will be constructed over the coming months which will list common spam/virus delivery platforms residing on dynamic IP addresses, such as those provided by ISPs for ADSL and home cable connections. This blacklist will not affect customers who send mail through our SMTP system, it will only block sources of email who have no business sending email directly via our servers.

Scanners
Mail queued for scanning is scanned in parallel by a Virus Scanner and by SpamAssasin (Spam tagging utility).

Firstly, the Virus Scanner will identify Virus signatures contained in attachments and delete the entire message for positive matches to common Viruses, such as Sobig.F and Blaster. Other attachments that could potentially be a Virus (e.g. filename.scr), will be removed but the message text will still be delivered to the mailbox. (If you are sent legitimate attachments that are being stripped by the Virus Scanner, you may need to inform the sender to zip or archive the file first).

Secondly, the mail server performs a test of the entire message and scores the message according to headers/text found, dictionary of known spam phrases and the overall format of the message. A score of 5 or more will identify the message as possible spam. No single characteristic positively identifies a message as Spam, but rather a combination of characteristics is scored and added to give a message an overall spam score.

Spam Filtering
Spam filtering is by no means an exact science. Only approximations are made, there is no black and white method of identifying spam. It is inevitable that some spam will slip through the filters, and legitimate email may be incorrectly identified as spam. Our system attempts to negate the impact of potential mixing at the spam/non-spam threshold by giving the user overall control of mail filtering.

The system will identify spam messages which score above a 5 on the spam scale. The subject line of the message will be modified indicating the score, enabling you to configure your email client to filter/delete messages matching a score that you can define. i.e. "Subject: [Spam Score sssssss]" The "s" characters indicate the Spam score of the message. So 5 "s" characters indicate a Spam score of 5, the minimum score for possible Spam. A score of 15 indicates that the message is blatant spam and the message should be deleted.

Spam Scoring Table

Score	Rating
5	sssss	Low Spam score. Two or more spam characteristics found. Could be legitimate email but more likely to be spam.
6	ssssss
7	sssssss
8	ssssssss	Medium Spam Score. A number of characteristics identifies this message as spam.
9	sssssssss
10	ssssssssss	High Spam Score. Numerous spam characteristics, very likely to be spam.
11	sssssssssss
12	ssssssssssss	High Spam Score. Very positive hit identifying spam characteristics. Definitely spam.
13	sssssssssssss
14	ssssssssssssss
15	sssssssssssssss	Extremely High Spam Score. All common spam characteristics identified. Message should be deleted. The mail server will not deliver spam with a score higher than 15.

Things to consider

You can modify your rules after getting a feel for what kind of scores your incoming mail is receiving. You might find you will have to alter your settings if you are getting Spam mixed with your email or legitimate email is being deleted or moved because your Spam score threshold is too low.

Virus Filtering
The virus scanner will be able to identify common viruses and silently delete messages containing such viruses. Not all viruses will be silently deleted but files containing viruses will be stripped and potential virus containers will also be stripped from the message identified by file extension. Common disallowed file types are:
.reg .scr .exe .pif .com .vb

Files such as Microsoft Office documents, pdf files and images should not be affected. If you have questions about the complete list of files we have configured to be stripped, please contact us at cct@eplaza.com.au.

What should I do when my legitimate email is being tagged as spam?
First check the full headers of the message. You should see a header called:
X-scanner.giga-sj-001.net-MailScanner-SpamCheck:

Below this header, you will see a brief summary of all the characteristics which positively identified the message as spam. They will probably appear a little cryptic, but they may give you some insight as to why the message was tagged.

If only two characteristics are listed and the score is 5, then it's likely a once only false positive - adjusting your client side mail filters to 6 or 7 should prevent these messages from being deleted or segregated.

What should I do when I receive notification of virus or attachment removal?
A message which has had a potentially dangerous attachment removed will be identified by a modified subject line containing the following:
[Alert - dangerous attachment removed]
or if a virus was positively identified:
[Alert - virus was removed]

If you recognize the sender, you can notify him/her that their attachment did not get through, find out what it was and once you have both determined it is safe, have the sender place the file in a zip file and resend. We recommend that you do not attempt to notify unknown senders, whose messages are positively identified as viruses, as it is likely that the senders address was faked by the virus to hide its true source. If you are receiving many of the above messages over a short time frame, please contact us at cct@eplaza.com.au straight away with a copy of the message and we will attempt to filter the source, or identify the new strain and add it to our blocking system.

What should I do when a genuine attachment gets stripped?
See above.

How the notification system works - senders don't get notified, recipients do.
If it is a known virus, such as Klez or Sobig, the message and attachment will be silently deleted at the server and no notification will be sent to either the sender or recipient.

When an attachment is found that is not a known virus, but appears to have a virus attachment, the attachment will be removed but the body of the message will still be sent to the recipient. The message will also include notification that an attachment has been removed. The sender will not be notified.

Common viruses that are silently deleted are:
Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Ganda Mimail Gibe-F

We will add viruses to the list that propagate quickly and are massively annoying as they are released.

What is Spamhaus, what is ORDB.org?
Spamhaus.org SBL is a carefully compiled and researched list of known spamming organizations and providers that abuse the email system without regard for internet users in general. If a contact attempts to send email to you, and it bounces back, referring to Spamhaus.org, then your contact or their ISP/Network Administrator will need to go to Spamhaus for an explanation of why their IP address or mail server is listed. Unfortunately, we cannot de-list servers or addresses so please don't ask us to allow an IP address or mail server through. For more information, please refer to http://spamhaus.org.

ORDB.org is a database of known open relay mail servers. An open relay mail server is a misconfigured mail server which can be used by spammers to send spam and avoid detection. A spammer will commonly use multiple open relay mail servers to send spam, making filtering difficult by administrators to block such messages. If a contact attempts to send email to you, and it bounces back, referring to Spamhaus.org, then your contact or their ISP/Network Administrator will need to go to http://ordb.org to ascertain why their IP address or mail server is listed. Usually by rectifying the problem on the senders side, and notifying ORDB that the server is no longer open relay will result in a de-listing within about 24 hours. Unfortunately, we cannot de-list servers or addresses so please don't ask us to allow an IP address or mail server through. For more information, please refer to http://ordb.org/about/.

Email Client Setup Guides

The following guides will show you how to setup Microsoft Outlook, Outlook Express, Eudora & Webmail. Your requirements dealing with Spam will likely vary to what is illustrated here.

Microsoft Outlook
Open Microsoft Outlook and click on Tools --> Rules Wizard...


You will be presented with the Rules Wizard dialog box. Click the 'New...' button in the top right-hand corner.


Select 'Check messages when they arrive' (the first option) and click the 'Next >' button.


Tick the 'with specific words in the subject' condition in the top select field. In the 'Rule Description' field click on 'specific words' to bring up a new dialog.


In the Search Text dialog enter 'Spam Score sssss' in the 'Add new:' input field. (Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.) Click the 'Add' button and click 'OK'.


Click the 'Next >' button.


Tick 'move it to the specified folder' to in the top select box. Click on 'specified' in the bottom select box to bring up a new dialog box.


Create a new mail folder by clicking on the 'New...' button.


Enter a name for your email folder in the 'Name:' field and click 'OK'.


Click the 'Next >' button.


Click 'Next >' again.


Tick the 'Run this rule now...' tickbox if you have mail that needs to be filtered in you inbox and click finish.


All done.

Microsoft Outlook Express
Open Outlook Express and go to Tools --> Message Rules --> Mail.


This will bring up the message rules dialog. Click on the New... button to create a new message rule.


1. (Select the Conditions for your rule:)
Check 'Where the Subject line contains specific words'.

2. (Select the Actions for your rule:)
What would you like done with the questionable email? There are a few options.

Move it to a specified folder
Highlight it with color
Delete it from server

We ask that you do not leave Spam (or legitimate email) on the server as it will cause congestion over a period of time and result in sluggish mail services for everyone.


3. (Rule Description:)
Click on 'Subject contains specific words' and enter 'Spam Score sssss' (Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.)


If you selected 'Move it to the specified folder', click on 'specified'.

Select the folder you would like the questionable email to go to. If you do not have a folder, just create one by pressing 'new folder' and enter a name for it. Select it and press the OK button. Press OK again.

Your rules will now be effective the next time you download your email in Outlook Express.

Eudora
Open Eudora and from the drop down menu, click on Tools --> Filters.

You will be greeted with a filter dialog within the main Eudora interface. Click the New button at the bottom of the dialog box.

In the Match pane down the right hand side, check the Incoming check box. From the Header select box, choose 'Subject'. Select 'contains' from the Identifier field and enter 'Spam Score sssss' into the following input box. (Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.)

In the Action Pane, select 'Transfer To' from the drop down box if you would like to move suspect email to another folder. However you can select 'Junk' to move it directly to the junk folder.

You can create a new email folder to send your suspect email to, or send it directly to 'Junk'. Click the In Button and select the appropriate folder or create a new one.

Mail filters have now been setup for Eudora.

MacOS Mail
Open Mail and click on Mail --> Preferences...


You will be presented with the Preferences window. Click the 'Rules' button in the top right-hand corner.


You will be presented with the Rules dialog box. Click the 'Add Rule' button on the right-hand side of the window.


Enter a new 'Description' for this rule.


Click on the 'From' drop-down box and select 'Subject' from the list.


Click in the textbox to the right of the 'Contains' drop-down list and enter '[Spam Score sssss]' into the textbox.
(Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.)

Make sure that the action is set to 'Transfer Message' to the mailbox 'Junk', if this is not the case, change the drop-down lists to set this action the press the 'OK' button.


The new rule will appear in the list of defined rules. Click the red close button to exit the window.


All done.

Webmail
Login to WebMail as usual :


Click on the Mail icon at the bottom of the page.

Click on the Options icon at the top of the page.

Under 'Mail Management' click on Filters.

Check all 3 tick boxes and click 'Edit your filter riles'.

In the 'Rule Definition' Dialog, tick Subject in 'Field'. Enter 'Spam Score sssss' in 'Text'. (Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.) Under Action, check the 'move messages to' radio button and select a folder to store the suspect mail. (You may need to create a folder to store your mail. This can be done under the 'Folders Icon' at the top of the page.) Click the Create button at the bottom of the dialog to save your changes.


Microsoft Outlook 2003


1. Open Outlook 2003 and click on the 'Tools' drop down menu.


2. Click on 'Rules and Alerts...'.


3. Click on the 'New Rule...' button in the 'Rules and Alerts' Dialog box.


4. STEP 1: Under the 'Stay Organized' category, select 'Move words with specific words in the subject to a folder'.


5. In 'Step 2:' click on the 'specific words' link to show a new configuration dialog.


6. In the 'Specify words or phrases..' field enter 'Spam Score sssss'. (Note: number of 's' characters refers to the Spam score threshold. The more 's' characters the higher the severity of the email being considered Spam. Refer to the above Spam scoring table.) Click the 'Add' button.

7. Click 'OK' to return to the 'Rules Wizard' dialog.


8. Click on the 'specified' link to choose a folder to redirect scored email to.


9. Select 'Personal Folders' in the folder tree and click the 'New...' button on the right-hand site of the dialog.


10. Type a name for the folder in the 'Name:' field and click 'OK'.


11. Select the folder you created in the folder tree and click 'OK'.


12. Click next at the bottom of the dialog box.


13. Click next at the bottom of the dialog box.


14. Click next at the bottom of the dialog box.


15. Click next at the bottom of the dialog box.


16. Click finish at the bottom of the dialog box.