Spam & Virus Filtering Guide
Web101 Group is pleased to
offer a Spam and Virus filtering service which scans and identifies
incoming mail containing unsolicited messages and common viruses.
Please read the documentation below to familiarise yourself
with spam and virus filtering. If, after reading all documentation,
you still have questions, please feel free to contact
us and we will try to assist you further.
Introducing Spam and Virus Filtering
Incoming Mail Handler
Scanners
Spam Filtering
Spam Scoring Table
Things to consider
Virus Filtering
What should I do when a high amount of spam gets through the filters?
What should I do when my legitimate email is being tagged as spam?
What should I do when I receive notification of virus or attachment removal?
What should I do when a genuine attachment gets stripped?
How the notification system works - senders don't get notified, recipients do.
What is Spamhaus, what is ORDB.org?
Email Client setup Guides
Microsoft Outlook
Microsoft Outlook Express
Eudora
MacOS Mail
Webmail
Please note: While we are very
pleased to offer this service, no virus scanner will eliminate
100% of any viruses that may exist now or may be created in
the future. Although we believe the virus scanning system we
have in place is very thorough, we are not guaranteeing that
we can intercept all viruses. Furthermore, our virus/spam scanning
system may periodically be taken off line for maintenance. It
is still your responsibility to have up-to-date virus protection
software installed on your computer. We accept no responsibility
for damages a virus may do to your computer that may not have
been intercepted by our virus scanning system.
The anti-spam feature should dramatically reduce the amount
of spam you receive, though there is no 100% effective method
of catching spam and we do not guarantee that all spam will
be detected and/or eliminated. We also cannot 100% assure that
legitimate email will not be tagged as spam and cannot be
held liable for an email that may be filtered as a result of
being identified as a virus or spam.
Web101 has introduced a new system for scanning and identifying
incoming mail containing unsolicited messages and common viruses.
The anti-virus system will function by stripping attachments
that are common virus deployment files and identifying viruses
by signature. The spam filtering system will tag messages which
the system identifies as spam. The filtering system is made up
of the major components described below.
Incoming Mail Handler
All incoming mail is queued for processing by our Mail-Scanning
Servers. Servers connecting to the Web101 network are checked
for listing on two DNS blacklists: Spamhaus and ORDB (see further
below). A third in-house blacklist will be constructed
over the coming months which will list common spam/virus delivery
platforms residing on dynamic IP addresses, such as those
provided by ISPs for ADSL and home cable connections. This
blacklist will not affect customers who send mail through
our SMTP system, it will only block sources of email who have
no business sending email directly via our servers.
Scanners
Mail queued for scanning is scanned in parallel by a Virus
Scanner and by SpamAssassin (Spam tagging utility).
Firstly, the Virus Scanner will identify Virus signatures
contained in attachments and delete the entire message for
positive matches to common Viruses, such as Sobig.F and Blaster.
Other attachments that could potentially be a Virus (e.g.
filename.scr), will be removed but the message text will still
be delivered to the mailbox. (If you are sent legitimate attachments
that are being stripped by the Virus Scanner, you may need
to inform the sender to zip or archive the file first).
Secondly, the mail server performs a test of the entire message
and scores the message according to headers/text found, dictionary
of known spam phrases and the overall format of the message.
A score of 5 or more will identify the message as possible
spam. No single characteristic positively identifies a message
as Spam, but rather a combination of characteristics is scored
and added to give a message an overall spam score.
Spam Filtering
Spam filtering is by no means an exact science. Only approximations
are made, there is no black and white method of identifying
spam. It is inevitable that some spam will slip through the
filters, and legitimate email may be incorrectly identified
as spam. Our system attempts to negate the impact of potential
mixing at the spam/non-spam threshold by giving the user overall
control of mail filtering.
The system will identify spam messages which score 5 or
more on the spam scale. The subject line of the message will
be modified to indicate the score, enabling you to configure
your email client to filter/delete messages matching a score
that you define, for example "Subject: [Spam Score sssssss]".
The "s" characters indicate the Spam score of the
message. So 5 "s" characters indicate a Spam score of 5, the
minimum score for possible Spam. A score of 20 or more indicates
that the message is blatant spam and the message should be
deleted.
Spam Scoring Table
| Score | Subject tag | Rating |
|---|---|---|
| 5 | sssss | Low Spam Score. Two or more spam characteristics found. Could be legitimate email but more likely to be spam. |
| 6 | ssssss | |
| 7 | sssssss | |
| 8 | ssssssss | Low to Medium Spam Score. A number of characteristics identifies this message as possible spam. |
| 9 | sssssssss | |
| 10 | ssssssssss | |
| 11 | sssssssssss | Medium Spam Score. Numerous spam characteristics, very likely to be spam. |
| 12 | ssssssssssss | |
| 13 | sssssssssssss | |
| 14 | ssssssssssssss | High Spam Score. Very positive hit identifying spam characteristics. Definitely spam. |
| 15 | sssssssssssssss | |
| 16 | ssssssssssssssss | |
| 17 | sssssssssssssssss | Very High Spam Score. High number of very common spam characteristics identified. Definitely spam. |
| 18 | ssssssssssssssssss | |
| 19 | sssssssssssssssssss | |
| 20 | ssssssssssssssssssss | Extremely High Spam Score. All common spam characteristics identified. Message should be deleted. |
You can modify your rules after getting a feel for what kind
of scores your incoming mail is receiving. You might find you
will have to alter your settings if you are getting Spam mixed
with your email or legitimate email is being deleted or moved
because your Spam score threshold is too low. In the future,
customers will be able to configure per mailbox delivery options
for Spam mail based on score, but for now, this system should
reduce common incoming Spam and allow customers to customize
their own filters for borderline Spam identifications.
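The client-side filtering described above, written out as an added example (this is not Web101's code or any mail client's rule format): it reads the score from the "[Spam Score sss...]" subject tag and routes the message against a threshold the user chooses. The folder names and the `junk_at` parameter are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

SCORE_TAG = re.compile(r"\[Spam Score (s+)\]")   # tag format from this guide
ALERT_TAGS = ("[Alert - dangerous attachment removed]",
              "[Alert - virus was removed]")
MIN_TAGGED, DELETE_AT = 5, 20                    # levels stated in this guide


def spam_score(subject):
    """Count the 's' characters in the tag; untagged mail scores 0 here."""
    match = SCORE_TAG.search(subject or "")
    return len(match.group(1)) if match else 0


def route(raw_message, junk_at=7):
    """Choose a folder (names are assumptions); junk_at is the user's threshold."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg["Subject"] or "")   # default policy decodes RFC 2047 words
    if any(tag in subject for tag in ALERT_TAGS):
        return "Alerts"
    score = spam_score(subject)
    if score >= DELETE_AT:
        return "Trash"
    if score >= junk_at:
        return "Junk"
    return "Review" if score >= MIN_TAGGED else "Inbox"


# Constructed sample messages (not real mail).
SAMPLES = {
    "clean": "Subject: Meeting on Friday\n\nSee you there.\n",
    "borderline": "Subject: [Spam Score sssss] Newsletter\n\nHello.\n",
    "encoded": "Subject: =?utf-8?q?=5BSpam_Score_ssssssss=5D_Caf=C3=A9_offer?=\n\nHi.\n",
    "blatant": "Subject: [Spam Score " + "s" * 22 + "] WIN NOW\n\nClick.\n",
    "stripped": "Subject: [Alert - dangerous attachment removed] Photos\n\nHi.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", route(raw))
```

Raising `junk_at` keeps borderline mail in the Review folder, which is the adjustment the paragraph above suggests when legitimate mail is being moved or deleted.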
Virus Filtering
The virus scanner will be able to identify common viruses
and silently delete messages containing such viruses. Not
all viruses will be silently deleted but files containing
viruses will be stripped and potential virus containers will
also be stripped from the message identified by file extension.
Common disallowed file types are:
.reg .scr .exe .pif .com .vb
Files such as Microsoft Office documents, pdf files and images
should not be affected. If you have questions about the complete
list of files we have configured to be stripped, please contact
us at support@web101.com.au
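The extension-based stripping described above, as an added example (not Web101's actual scanner): it removes attachments whose final extension is on the list given here, keeps the message body, and tags the subject with the alert text this guide uses for removed attachments. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

BLOCKED = {".reg", ".scr", ".exe", ".pif", ".com", ".vb"}  # list given in this guide
ALERT = "[Alert - dangerous attachment removed]"           # subject tag from this guide


def is_blocked(filename):
    """True if the final extension is on the blocked list (case-insensitive)."""
    name = (filename or "").lower().rstrip(". ")  # "a.exe." still ends in .exe
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED


def strip_attachments(raw_bytes):
    """Drop blocked attachments, keep the body, tag the subject if any were removed."""
    msg = message_from_bytes(raw_bytes, policy=default)
    removed = []
    for container in [p for p in msg.walk() if p.is_multipart()]:
        kept = []
        for part in container.get_payload():
            if is_blocked(part.get_filename()):
                removed.append(part.get_filename())
            else:
                kept.append(part)
        container.set_payload(kept)
    if removed:
        subject = str(msg["Subject"] or "")
        del msg["Subject"]
        msg["Subject"] = f"{ALERT} {subject}".strip()
    return msg, removed


def sample_message():
    """Constructed test input: a text body plus three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    for name in ("figures.pdf", "Invoice.PDF.EXE", "saver.scr"):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Only the last extension is checked, so a double extension such as "Invoice.PDF.EXE" is still stripped while the PDF is delivered.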
What should I do when a high amount of spam gets through the filters?
You can forward a copy of the spam to support@web101.com.au with the headers
intact so we can adjust our filters accordingly.
What should I do when my legitimate email is being tagged as spam?
First check the full headers of the message. You should see
a header called:
X-scanner.giga-sj-001.net-MailScanner-SpamCheck:
Below this header, you will see a brief summary of all the
characteristics which positively identified the message as
spam. They will probably appear a little cryptic, but they
may give you some insight as to why the message was tagged.
If only two characteristics are listed and the score is 5,
then it's likely a one-off false positive - adjusting your
client side mail filters to 6 or 7 should prevent these messages
from being deleted or segregated.
If your legitimate mail frequently gets tagged as spam, or
some legitimate messages are being tagged with high scores,
then send a copy of the messages with the full headers intact
to support@web101.com.au
along with an explanation of the occurrence(s) and the legitimacy
of the message, and we will attempt to adjust our filters
accordingly.
What should I do when I receive notification of virus or attachment removal?
A message which has had a potentially dangerous attachment
removed will be identified by a modified subject line containing
the following:
[Alert - dangerous attachment removed]
or if a virus was positively identified:
[Alert - virus was removed]
If you recognize the sender, you can notify him/her that their
attachment did not get through, find out what it was and once
you have both determined it is safe, have the sender place
the file in a zip file and resend. We recommend that you do
not attempt to notify unknown senders whose messages are
positively identified as viruses, as it is likely that the
sender's address was faked by the virus to hide its true source.
If you are receiving many of the above messages over a short
time frame, please contact us at support@web101.com.au straight away
with a copy of the message and we will attempt to filter the
source, or identify the new strain and add it to our blocking
system.
What should I do when a genuine attachment gets stripped?
See above.
How the notification system works - senders don't get notified, recipients do.
If it is a known virus, such as Klez or Sobig, the message
and attachment will be silently deleted at the server and
no notification will be sent to either the sender or recipient.
When an attachment is found that is not a known virus, but
appears to have a virus attachment, the attachment will be
removed but the body of the message will still be sent to
the recipient. The message will also include notification
that an attachment has been removed. The sender will not be
notified.
Common viruses that are silently deleted are:
Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Ganda
Mimail Gibe-F
We will add viruses to the list that propagate quickly and
are massively annoying as they are released.
What is Spamhaus, what is ORDB.org?
Spamhaus.org SBL is a carefully compiled and researched list
of known spamming organizations and providers that abuse the
email system without regard for internet users in general.
If a contact attempts to send email to you, and it bounces
back, referring to Spamhaus.org, then your contact or their
ISP/Network Administrator will need to go to Spamhaus for
an explanation of why their IP address or mail server is listed.
Unfortunately, we cannot de-list servers or addresses so please
don't ask us to allow an IP address or mail server through.
For more information, please refer to http://spamhaus.org/.
ORDB.org is a database of known open relay mail servers. An
open relay mail server is a misconfigured mail server which
can be used by spammers to send spam and avoid detection.
A spammer will commonly use multiple open relay mail servers
to send spam, making it difficult for administrators to filter
and block such messages. If a contact attempts to send email
to you, and it bounces back, referring to ORDB.org, then
your contact or their ISP/Network Administrator will need
to go to http://ordb.org/ to ascertain why their IP address
or mail server is listed. Usually, rectifying the problem
on the sender's side and notifying ORDB that the server is
no longer an open relay will result in a de-listing within about
24 hours. Unfortunately, we cannot de-list servers or addresses
so please don't ask us to allow an IP address or mail server
through. For more information, please refer to http://ordb.org/about/.
The following guides will show you how to set up Microsoft Outlook,
Microsoft Outlook Express, Eudora, MacOS Mail and Webmail.
Microsoft Outlook
Microsoft Outlook Express
Eudora
MacOS
Webmail
If, after reading all the above documentation,
you still have questions, please feel free to contact
us and we will try to assist you further.