computing and networking services american university of beirut
Author:
Nabil BuKhalid
Computing & Networking Services,
American University of Beirut







Contact:
cns.helpdesk
West Wing, Van Dyck Hall,
ext. 2260




AUBnet against spam

  • Why do we filter incoming internet email?

    Initially AUB did not filter email at a university-wide level, as we believe that each individual has the right to receive the email he or she wants to see. So we left it up to users to decide what to do with the email they receive, using the filtering tools in their own email software.

    The spammers gained in sophistication and in fraudulent spamming techniques and they also gained access to huge email delivery resources and to millions of unlawfully collected email addresses.

    Many members of the AUBnet community receive tens of these emails daily and a growing number of them find these messages so irritating that they complain to CNS asking for help. They find it very difficult, even impossible, to trace or block spam and they don't want to deal with that burden alone.

    On the other hand, we need to protect our email setup from overload and keep providing an acceptable quality of email service.

     

  • What is spam?

    The term "spam" is slang for unsolicited junk email. Unsolicited email is email that you did not request. The most common spam includes the following:
    • ads for all kinds of products
    • chain letters
    • pyramid schemes, including multi-level marketing
    • quack health products and remedies
    • "viagra" or "sex enhancement" schemes
    • "get rich quick" or "make money fast" schemes
    • foreign bank scams or advance fee fraud schemes
    • ads for phone sex lines and pornographic web sites
    • offers of bulk emailing services for sending unsolicited commercial email
    • pirated software ("warez")
    • viruses and trojans

    We acknowledge that it is embarrassing to have a colleague or supervisor come up behind you just as you're trying to delete a message with a subject line of "your hot sexxxy date", but you should realize that he or she has likely received similar messages! It is, after all, an unsolicited email message.

    You won't get in trouble for receiving spam at your AUBnet account unless you forward it to someone else or reply to it.

     

  • Who sends spam?

    Many advertisers obtain your email addresses from vendors and other on-line services who sell the lists. Some find your email in the return address fields of your postings to newsgroups. Some have inside help obtaining internal mailing lists of organizations. Many use software that "crawls" the internet looking for email addresses. One way or another, without much cost, they find you.

    Most spammers send email with fraudulent return addresses, which they use once. If you hit the reply button on your email client, your reply is likely to bounce back with errors such as "no such user" or "no such domain."

    Many spam messages include a note on how to unsubscribe from the service that sent the spam. In most cases, this is a fraud. Even though you receive an error message (see above), in many cases the spammer gets a copy of your reply anyway, and then uses it as proof that your email address is active and can be kept on their list. Moreover, it is unwise to visit the unsubscribe websites, because they too are a means for spammers to collect active email addresses.

    Many spammers hijack other people's computer servers and use them to send their messages. They steal server capacity and bandwidth. They use sophisticated internet scanning tools to hunt for systems with open send-mail ports and then start pumping mass mailings through the hijacked server.

     

  • What is spam blacklisting?

    Many organizations actively monitor their mail servers for obvious spam and notify a blacklisting service. If the spam continues after a notification period, the blacklisting service adds the domain of the spam source to its database. Other organizations regularly consult the blacklist database and refuse mail from any of the blacklisted sites.

    This can have important consequences for AUB. An individual who sends bulk, blind advertising email using the AUB domain, or using the AUB name as a reference in one way or another, can trigger another organization's spam monitoring software to blacklist AUB. Suddenly, AUB users who want to communicate with people in organizations that subscribe to the blacklist service will find that their emails are labeled as spam and do not go through. It takes a time-consuming set of actions by a system administrator to remove the AUB domain from the blacklist database.

     

  • How is CNS currently reducing spam?

    Currently AUB relies on spamassassin, an open-source mail filter software distribution, to identify and reduce spam. Spamassassin uses a wide range of heuristic tests on mail headers and body text to identify "spam" and supports many blacklists.

    CNS selected spamassassin because it uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect around which they can craft their messages. Plus, it comes at the best possible price, free.

    Besides spamassassin, AUBnet peripheral mail hubs will continue to use a "real-time blocking list" (RBL) to block mail from blacklisted mail hubs that are known to be sources of spam, relying on lists such as those of spamhaus.org, spamcop.net and mail-abuse.org.

    AUB uses databases such as spamhaus.org, spamcop.net and mail-abuse.com which store a list of verified open mail hub relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk email.

    The peripheral mail hubs will also be set to use some other techniques to refuse incoming mail from remote mail hubs with no reverse address or from invalid reply addresses.

    Refusing to accept incoming mail from remote mail hubs with no reverse address is an extremely efficient spam control technique, but our test revealed that many legitimate mail hubs fall into this category, due to the carelessness of the mail hub administrators or of their organization's domain name administrators.
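
The two connection-time checks described above (a blocking-list lookup and the reverse-address test), as an added example that is not CNS's own configuration or code. The zone names, function names and resolver data are assumptions; the resolvers are injectable so the logic runs offline.

```python
import ipaddress
import socket

# Assumed zones; the hubs' actual configuration is not on the page.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_name(ip, zone):
    """192.0.2.25 in zen.spamhaus.org -> 25.2.0.192.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_in(ip, lookup_a, zones=ZONES):
    """Zones that list ip; a DNSBL answers a listed host with 127.0.0.x."""
    hits = []
    for zone in zones:
        try:
            answer = lookup_a(dnsbl_name(ip, zone))
        except OSError:              # no record: not listed in this zone
            continue
        if answer.startswith("127.0.0."):   # other answers are not listings
            hits.append(zone)
    return hits

def has_reverse(ip, lookup_ptr):
    try:
        return bool(lookup_ptr(ip)[0])
    except OSError:                  # no PTR record for the connecting hub
        return False

def connect_policy(ip, lookup_a=socket.gethostbyname,
                   lookup_ptr=socket.gethostbyaddr):
    """Return (action, reason) for a connecting mail hub's IPv4 address."""
    hits = listed_in(ip, lookup_a)
    if hits:
        return ("reject", "listed in " + ", ".join(hits))
    if not has_reverse(ip, lookup_ptr):
        return ("reject", "no reverse address")
    return ("accept", "")

# Constructed resolver data (documentation address ranges) for offline runs.
FAKE_A = {"25.2.0.192.zen.spamhaus.org": "127.0.0.2"}
FAKE_PTR = {"198.51.100.7": ("mail.example.org", [], ["198.51.100.7"])}

def fake(table):
    def lookup(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return lookup
```

Logging the "no reverse address" rejections separately makes it possible to measure how many legitimate hubs that rule turns away, which is the false-positive problem the test above revealed.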

     

  • How do we process spam messages?

    Email messages that come from the internet via AUBnet central mail hubs are scanned by an anti-spam filtering system (spamassassin). The filters work by looking for specific characteristics, and assigning a positive or negative 'score' value to each one encountered.

    Some of the things the filters look for are obvious: words like "viagra" and "make money fast" in the message all add small positive amounts to the score. Text that comes as part of images, or that is downloaded from the web only when you actually read the message, can't be scanned, but the filters do assess how much text the message contains compared with how much web content.

    At the end, a message's total score is compared to the following preset threshold levels:

    • definitely-spam-score: greater or equal to 5
    • possibly-spam-score: greater than 4 and less than 5
    • unlikely-spam-score: less or equal to 4

    Please note that CNS might adjust the threshold levels in response to changes in spamming patterns and techniques, and will make due efforts to update this page accordingly and in a timely manner.

    Based on the message's total score, spamassassin marks the message to indicate whether or not the message is spam. We have configured this marking to be non-visible by default. It adds a few lines of text into the header of the message and processes the message as follows:

    1. If the score is above the definitely-spam-score level, the message will be classified as "definitely-spam" and dropped, and spamassassin returns the message below to the sender.


    dear sir or madam,

    AUB mail hub classified your mail to <AUBnet email address> as unsolicited email, so we won't process it! the pattern recognition is highly prone to faults. If this is the case, please accept our apologies and email your complaint to false-spam@aub.edu.lb.

    We use spamassassin for detecting spam. Please see their web page at http://www.spamassassin.org/ if you'd like to know why your email has been tagged as spam. Here is the 'spam status' header from spamassassin:
    < . .. >

    Best regards,

    Original message:


    2. If the score is at the possibly-spam-score level, the message will be classified as "possibly-spam". The message will be marked with the "x-cns-detected-spam" signature in the message header and *CNS-detected spam* in the subject before being delivered to the recipient's inbox.


    x-spam-score: 4.2 (++++)
    x-spam-report:AUB spam detection software, running on system "mx2.aub.edu.lb":
    content analysis details: (4.2 points, 4.0 required)
    pts  rule name              description
    ---- ---------------------- -------------------------------------------
    0.5  weird_quoting          body: weird repeated double-quotation marks
    0.4  html_tag_balance_html  body: tells you to 'take action now!'
    0.5  html_20_30             body: message is 20% to 30% html
    0.0  html_message           body: says: "to be removed, reply via email"
    1.1  mailto_to_spam_addr    uri: includes a link to a likely spammer email
    1.3  pling_pling            subject has lots of exclamation marks
    0.0  click_below            asks you to click below
    0.2  mime_bound_nextpart    spam tool pattern in mime boundary
    0.3  uppercase_25_50        message body is 25-50% uppercase

    x-spam-flag: yes
    x-acl-warn: x-CNS-detected-spam
    subject: *CNS-detected spam* fw: new cellular !!!

    (Please refer to your specific email client "AUBnet spam management guide" for detailed instructions on how to filter those messages to a "junk e-mail" folder for further review)

    3. If the score is below the unlikely-spam-score level, the message header will be tagged as follows and the message will be passed to its destination in a normal manner.
     

    x-spam-score: 0.2 (/)
    x-spam-report:AUB spam detection software, running on system "mx1.aub.edu.lb":
    content analysis details: (0.2 points, 4.0 required)
    pts rule name     description
    ---- ---------------------- -------------------------------
    0.2 html_50_60     body: message is 50% to 60% html
    0.0 html_message     body: html included in message
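
How a mail client or script could act on the headers shown above, as an added example that is not CNS's own code. It reads the score, applies the thresholds published on this page, and ranks the rules that contributed most, which is the information worth including in a false-spam report. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Thresholds as published on this page; CNS may adjust them.
DEFINITELY_SPAM = 5.0   # score >= 5: dropped at the hub, bounce sent
POSSIBLY_SPAM = 4.0     # 4 < score < 5: tagged, then delivered

# One rule row of the report: "<pts> <rule name> <description>"
RULE_ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s+(.*)$")

def classify(score):
    if score >= DEFINITELY_SPAM:
        return "definitely-spam"
    if score > POSSIBLY_SPAM:
        return "possibly-spam"
    return "unlikely-spam"

def parse_report(report):
    """Return (points, rule, description) tuples, highest points first."""
    rows = [RULE_ROW.match(line) for line in report.splitlines()]
    rules = [(float(m[1]), m[2], m[3].strip()) for m in rows if m]
    return sorted(rules, key=lambda r: r[0], reverse=True)

def triage(raw_message):
    """Decide the folder for one delivered message from the hub's headers."""
    msg = message_from_string(raw_message)
    raw_score = msg.get("x-spam-score")
    if raw_score is None:            # never passed through the hub's filter
        return {"verdict": "unscanned", "folder": "inbox", "rules": []}
    score = float(raw_score.split()[0])   # "4.2 (++++)" -> 4.2
    verdict = classify(score)
    tagged = "x-cns-detected-spam" in msg.get("x-acl-warn", "").lower()
    folder = "junk" if tagged or verdict != "unlikely-spam" else "inbox"
    return {"score": score, "verdict": verdict, "folder": folder,
            "rules": parse_report(msg.get("x-spam-report", ""))}

# Constructed sample modelled on the tagged headers shown above.
SAMPLE = (
    "x-spam-score: 4.2 (++++)\n"
    "x-spam-report: AUB spam detection software\n"
    " content analysis details: (4.2 points, 4.0 required)\n"
    " 1.3 pling_pling subject has lots of exclamation marks\n"
    " 1.1 mailto_to_spam_addr uri: includes a link to a likely spammer email\n"
    " 0.5 weird_quoting body: weird repeated double-quotation marks\n"
    "x-acl-warn: x-CNS-detected-spam\n"
    "subject: *CNS-detected spam* fw: new cellular !!!\n"
    "\n"
    "body text\n"
)
```

Filtering on the header added by the hub rather than on the subject text alone means a message whose subject merely quotes the tag is not misfiled.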


     

  • What to do if the blocked message is not spam?

    Although CNS carefully tuned spamassassin to detect spam while allowing genuine messages through, occasionally it may wrongly mark a genuine message as spam. Messages marked as spam that are not spam are called 'false positive' or 'false spam'.

    You can report "false spam" to a special address false-spam@aub.edu.lb where the messages will be checked and added to a "white list".
    (Please refer to your specific email client "AUBnet spam management guide" for detailed instructions to recover and report "false spam")

     

  • What's a white list?

    A falsely marked 'genuine source address' will be added to a 'white list'. The white list will prevent spamassassin from classifying messages from that genuine email source as spam again.

     

  • Why do I receive "undelivered email" or "virus infected email" notices from people that I did not correspond with?

    Most spammers send email with fraudulent sender addresses and they might use your address to launch a spam or virus attack on other users. The user or site under attack might reply to the sender address (being you in that case).

    In other instances, the source of the fraudulent sender address attack is an email trojan that has infected the computer of a correspondent with whom you exchange email and who has stored your address in his/her address book. The worm will collect your address from the address book and use it as the sender address of an email attack on other users collected from the same address book.

     

  • Why do I still get spam?

    Unfortunately spam prevention is a best effort endeavor. Although the techniques used by spamassassin are very successful, and can be tuned over time to recognize spam even better, benchmarks show that just over 80% of the spam can be detected.

    Spamassassin is widely adopted by universities and around the world, and is being constantly developed to improve its detection rate. Of course, spammers are at the same time adapting their techniques to beat it and the advantage will constantly swing from one side to the other.

    AUBnet users can complement the university-wide spam control by:
    • Setting up their personalized email filters to block spam from entering their mailbox.
      (Please refer to your specific email client 'AUBnet spam management guide' for detailed instructions on how to add a personalized filter)
    • Deleting spam emails and not wasting time analyzing how to block them
    • Never replying to spam or attempting to unsubscribe from spam servers

     

  • How can I set my personalized email filter?

    Please refer to your specific email client "AUBnet spam management guide" for detailed instructions:
    Document name                             File formats
    Outlook 2000, Outlook XP, Outlook 2003    HTML file, PDF file, AVI file
    Outlook Express                           HTML file
    Eudora 5.x                                HTML file
    Pegasus 4.x                               HTML file
    Imail

     

Last updated on August 14, 2007