UNC-Chapel Hill Spam Filtering Service
Introduction
Email fraud and phishing are two of the most dangerous security threats delivered in email, often resulting in identity theft, financial losses and compromised security.
Identity theft attacks are typically initiated through email by scammers pretending to be well-known companies. These messages encourage you to click on links within the message to visit a website that may ask for account numbers, passwords and other personal information.
Many people believe they are protected from phishing scams and email fraud by their antivirus, firewall, antispam and antispyware software. In fact, these software products do not completely prevent email fraud and many victims using these security products are at increased risk because they have been lulled into a false sense of security.
What is Spam?
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for doubtful products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid for by the recipient or the carriers rather than by the sender.
How Should I Handle Spam?
It is tempting to try and reverse the spam emails or write them nasty letters, but that doesn't work. Neither does unsubscribing from their emails.
The reason is that most spam emails usually reach us by accident initially. If we respond in any way (clicking on links, "unsubscribing", or replying), that confirms our email address and the spam will grow exponentially.
Here are a few rules for handling spam:
1. Never reply to them
2. Never click on a link that is inserted in a spam email
3. Never "unsubscribe" from them...after all, you cannot unsubscribe from something you never subscribed to in the first place. If nothing else, sending an unsubscribe request just confirms that the spammers have reached a valid email address.
ITS Spam Filtering
Combating spam has become a common practice for e-mail users. Your best recourse is to block their mail before it reaches you. A mail filter will watch your incoming mail and search it for indications of unsolicited content. A mail filter can substantially reduce the volume of spam you have to address.
The spam filter that UNC-Chapel Hill employs is provided by Proofpoint. All users of the central campus email system (email.unc.edu) are opted-in to this service by default. The Proofpoint solution provides its users a convenient way of getting rid of most spam messages automatically and gives you a choice of options for dealing with "too close to call" messages.
A Glossary of Terms
Before going into greater detail about the UNC-Chapel Hill Spam Filtering system, a few terms will be encountered later and need to be defined.
Table 1. Glossary
| Term | Definition |
|---|---|
| Blocked Senders | A list of "bad" addresses or domains from which you wish to receive no email. |
| Digest | A digest is an email that you will receive twice a day, which contains a listing of all spam messages that are in your quarantine, and the spam scores that they received. From here you can view the contents of the messages, report them as not spam, release them to your inbox, or add the senders to your Safelist. |
| Domain | Domain names are addresses used on the Internet, such as hotmail.com. You can block or allow mail from an entire domain. |
| Policy | A predefined ruleset that determines how messages with differing classifications of spam are handled for a specific user. |
| Profile | Your profile is the area that you access to change your spam handling presets. You can also access your blocked senders, safelist, and quarantine from here. Visit http://mail.unc.edu/spam to access your profile. |
| Quarantine | Holding area for known and possible spam that was caught by the filter. Messages will remain here for 28 days, or until you mark them as "not spam." The email messages in your trap can be viewed by going to the spam filtering service web interface at http://mail.unc.edu/spam |
| Spam Score | A score assigned to a piece of mail. The score is determined by a set of rules that mail is checked against for known spam issues, and will range between 0 and 100. |
| Tag and Forward | The spam filtering system has an option to only tag potential spam messages by prepending the spam score information to the subject line of the message instead of trapping them in the Quarantine. |
| Safelist | A list of "good", or known, addresses or domains. Messages coming from a whitelisted domain or address will never get marked as spam. |
How the Spam Filtering System Works
All messages destined to your Inbox will be analyzed by the spam filter and assigned a spam score, to help you determine if the message is spam, and if so, what to do with it. The score ranges from 0 (not spam) to 100 (spam). The score that a message receives is used to classify it in the following categories: certain spam, possible spam, and not spam. Based on what policy setting you choose, you may receive a digest email if you have messages classified as possible spam waiting in your quarantine. The spam system in general classifies messages scoring in certain ranges into the following categories. Any policy that deviates from these ranges will be defined elsewhere.
- Certain Spam - Messages scoring between 95 and 100
- Possible Spam - Messages scoring between 50 and 94
- Not Spam - Messages scoring below 50
Logging in to the Spam Filtering System
1. Go to http://mail.unc.edu/spam
2. Log in with your Onyen and password. After successfully logging in, you will see the following page, with the Profile, Quarantine, and Lists sections available to you.
Profile - Choosing your Policy
In the Profile section, you can choose which policy to use for your spam filtering. There are five policies that you can choose from: Default, Standard Quarantine, Extended Quarantine, Tag and Forward, and Aggressive. The actions that apply to each classification of message for each policy are listed below.
Table 2. Definitions
| | Tag and Forward | Default | Standard Quarantine | Extended Quarantine | Aggressive |
|---|---|---|---|---|---|
| Certain Spam | delivered | deleted | deleted | quarantined | deleted (75-100*) |
| Possible Spam | delivered | delivered | quarantined | quarantined | quarantined (40-74*) |
| Not Spam | delivered | delivered | delivered | delivered | delivered |
* denotes an adjusted spam score range for this category
In Tag and Forward mode, all certain and possible spam messages will be delivered, but with the Subject line altered to contain the spam score of the message. An example Subject line might look like:
Subject: [Spam: 95] Mortgage Rates at an all time Low!
Messages classified as Not Spam will not have their Subject line altered. When using the Tag and Forward policy, you may want to set your email client to filter these messages into a folder based on the Spam tag in the subject. Instructions on setting that up can be found at http://help.unc.edu/5774.
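The client-side sorting described above can be sketched as follows. This is an added example, not code from ITS or Proofpoint; it assumes the tag appears exactly as in the sample Subject line, uses the general score ranges given earlier, and the folder names are hypothetical.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Tag format taken from the page's example Subject line. The filter prepends
# the tag, so it is honoured only at the very start of the Subject.
TAG_RE = re.compile(r"^\[Spam: (\d{1,3})\]")

# Constructed sample messages (not real mail).
SAMPLES = {
    "tagged_certain": "Subject: [Spam: 95] Mortgage Rates at an all time Low!\n\nbody",
    "tagged_possible": "Subject: [Spam: 62] =?utf-8?q?Hypoth=C3=A8que?=\n\nbody",
    "reply_to_tagged": "Subject: Re: [Spam: 95] Mortgage Rates\n\nbody",
    "out_of_range": "Subject: [Spam: 250] Offer\n\nbody",
    "untagged": "Subject: Lecture notes for Thursday\n\nbody",
}


def spam_score(raw_message):
    """Return the score from a prepended [Spam: N] tag, or None if untagged."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded words so a partly encoded Subject still matches.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    match = TAG_RE.match(subject)
    if not match:
        return None  # no tag, or the tag is not at the start (e.g. a reply)
    score = int(match.group(1))
    # Scores are documented as 0-100; anything else is treated as untagged.
    return score if 0 <= score <= 100 else None


def target_folder(raw_message):
    """Choose a folder (hypothetical names) from the general score ranges."""
    score = spam_score(raw_message)
    if score is None or score < 50:
        return "INBOX"
    if score >= 95:
        return "Spam-Certain"   # certain spam: 95-100
    return "Spam-Possible"      # possible spam: 50-94


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: score={spam_score(raw)} folder={target_folder(raw)}")
```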
Quarantine
If you are using either of the Quarantine policies, the Quarantine is the holding area for messages classified as Possible Spam that you can choose to act upon or ignore. If you do nothing to messages in your Quarantine, they will be automatically deleted after 28 days. When new messages are added to your quarantine, you will receive an e-mail digest message in your Inbox listing all of the messages there. Digests are sent twice daily, at 7am and 3pm. You can also access your quarantine via a web interface at http://mail.unc.edu/spam. You can read and take action on quarantined messages from the digest email or in the web interface. The actions you can take are:
- Release - Remove the message from Quarantine, and send to your Inbox.
- Not Spam - Report the message to the system as legitimate e-mail. This feedback will help the system learn that future messages like this one are not spam.
- Safelist - Adds the sender address of the message to your Safelist.
- Delete - Removes the message from your Quarantine. This happens automatically on the message after 28 days, if not released before then.
Lists (Safelist/Blocked Senders List)
The Lists section allows you to add email addresses and/or email domains to a list from which the spam filter will either always allow (Safelist) or always reject (Blocked Senders) messages addressed to you. To add a new item to either of these lists follow these steps:
1. Login at http://mail.unc.edu/spam
2. Go to the Lists section
3. Choose the list you want to modify
4. Click the New button
5. Enter the e-mail address or domain you would like to add to the list
6. Click Save
Digest Email
This section is only applicable if you are using either of the Quarantine policies.
If you have new messages in your Quarantine, you will receive a Digest Message in your Inbox. This message will list the messages that are being held, and gives you the same options as listed above in the web-interface. Digest Messages are sent twice daily. If you have no new messages in your Quarantine, you will not receive a Digest Message.
Here's an example of what a digest message looks like:
Some actions you can choose from a Digest Message are:
- Request New End User Digest - Sends you an updated copy of your digest. Automatic digests go out once in the morning, and again in the late afternoon.
- Request Safe/Blocked Senders List - Sends you a copy of all email addresses and domains that are currently in your Safe and Blocked Senders lists.
- Manage My Account - Takes you to the web interface where you can manage your profile, lists, and Quarantine
- Help - Takes you to this document.
Dealing with False Positives
ITS's anti-spam solution is effective, but not perfect. We have seen a small number of instances where a legitimate message receives a spam score of 100 and is discarded as spam. If you believe that you are not receiving messages that you should, you have several options available to you:
- Add to your Safelist any non-UNC senders whose messages you suspect you might not be receiving, and have them send you a test message.
- Switch to the Extended Quarantine policy. With this policy you will begin to receive digest messages containing all messages that fall into the possible or certain spam categories (scoring 50-100). You can then report as not spam and safelist any legitimate messages that have been mistakenly scored. Once you have safelisted any senders that these types of messages come from, you may choose to go back to one of the other policies that best suits your needs.
- Switch to the Tag and Forward policy, and watch for any messages scoring higher than 95 that are legitimate. Add these to your Safelist as necessary. Once you are no longer seeing false positives, change back to the policy that you prefer. While in Tag and Forward mode, you may wish to have tagged messages sent to a separate folder. Instructions for setting this up can be found here.
- Submit a help request to have ITS check the server filter logs for any messages that you did not receive. For ease of troubleshooting, please provide as much specific information about the expected message as possible (sender address, date sent, subject, etc.). If a false positive is found, ITS staff will release the message to you and add the sender to your safelist to prevent a second occurrence. This request must be made within 8 days of the send date of the message in question.
Additional Help
For a list of answers to Frequently Asked Questions about the Spam Filtering System, see the UNC-CH Spam Filtering Service FAQ.


