Spam & Virus Filtering
Introducing Spam and Virus Filtering
Incoming Mail Handler
Scanners
Spam Filtering
Spam Scoring Table
Things to consider
Virus Filtering
What should I do when my legitimate email is being tagged as spam?
What should I do when I receive notification of virus or attachment removal?
What should I do when a genuine attachment gets stripped?
How the notification system works - senders don't get notified, recipients do.
What is Spamhaus, what is ORDB.org?
Email Client setup Guides
Microsoft Outlook
Microsoft Outlook 2003
Microsoft Outlook Express
Eudora
MacOS Mail
Webmail
Introducing Spam and Virus Filtering
Please note: While we are very pleased to offer this service, no virus
scanner will eliminate 100% of any viruses that may exist now or may be created in the
future. Although we believe the virus scanning system we have in place is
very thorough, we are not guaranteeing that we can intercept all viruses.
Furthermore, our virus/spam scanning system may periodically be taken off
line for maintenance. It is still your responsibility to have up-to-date
virus protection software installed on your computer. We accept no
responsibility for damages a virus may do to your computer that may not
have been intercepted by our virus scanning system.
The anti-spam feature should dramatically reduce the amount of spam you
receive, though there is no 100% effective method of catching spam and we
do not guarantee that all spam will be detected and/or eliminated.
We also cannot give a 100% assurance that legitimate email will not be
tagged as spam, and we cannot be held liable for an email that may be
filtered as a result of being identified as a virus or spam.
The best and most effective anti-spam solutions combine server-side
and user-side measures. Please follow the instructions below to
set up your preferred email program and achieve the best results with
these anti-spam and anti-virus tools.
Wrenware has introduced a new system for scanning and identifying
incoming mail containing unsolicited messages and common viruses. The
anti-virus system works by stripping attachments of the file types
commonly used to deploy viruses and by identifying viruses by signature.
The spam filtering system tags messages which it identifies as spam. The
filtering system is made up of the major components described below.
Incoming Mail Handler
All incoming mail is queued for processing by our Mail-Scanning Servers.
Servers connecting to the Wrenware network are checked for listing on
two DNS blacklists: Spamhaus and ORDB (see further below). A third,
in-house blacklist will be constructed over the coming months which will
list common spam/virus delivery platforms residing on dynamic IP
addresses, such as those provided by ISPs for ADSL and home cable
connections. This blacklist will not affect customers who send mail
through our SMTP system; it will only block sources of email
that have no business sending email directly via our servers.
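How a DNS blacklist check like the one described above works, as an added example that is not Wrenware's own code: the connecting IP is reversed, prefixed to the list's zone, and looked up as an A record. It goes slightly beyond the text by handling IPv6 and Spamhaus's error-code range; the zone data, the sample addresses and the `fake_resolve` helper are constructed so the block runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reversed address labels + zone, the DNSBL query format of RFC 5782."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # one label per octet
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # one label per nibble
    return ".".join(labels) + "." + zone

def classify_answer(answer):
    """Interpret the A record a DNSBL returned for a query name."""
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error"     # Spamhaus answers from this range for refused/bad queries
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "invalid"       # outside 127/8: not a DNSBL answer (e.g. a wildcarded zone)

def check(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'not listed', 'error', 'invalid' or 'lookup failed'."""
    try:
        return classify_answer(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror as exc:
        # Only "no such name" means not listed; a timeout says nothing about the IP.
        return "not listed" if exc.errno == socket.EAI_NONAME else "lookup failed"

# Constructed zone data so the example runs offline. 127.0.0.2 is the RFC 5782
# test address; 192.0.2.25 is a documentation address used here as a stand-in.
FAKE_ZONE = {
    "2.0.0.127.sbl.spamhaus.org": "127.0.0.2",
    "25.2.0.192.sbl.spamhaus.org": "127.255.255.254",
}

def fake_resolve(name):
    """Hypothetical stand-in for a DNS resolver, backed by FAKE_ZONE."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")
    return FAKE_ZONE[name]

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.25", "198.51.100.7"):
        print(ip, "->", check(ip, "sbl.spamhaus.org", fake_resolve))
```

Treating an answer in the error range or a failed lookup as "listed" would reject legitimate mail, which is why `check` reports them separately.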
Scanners
Mail queued for scanning is scanned in parallel by a Virus Scanner and
by SpamAssassin (a spam tagging utility).
Firstly, the Virus Scanner will
identify Virus signatures contained in attachments and delete the entire
message for positive matches to common Viruses, such as Sobig.F and
Blaster. Other attachments that could potentially be a Virus (e.g.
filename.scr), will be removed but the message text will still be
delivered to the mailbox. (If you are sent legitimate attachments that
are being stripped by the Virus Scanner, you may need to inform the
sender to zip or archive the file first).
Secondly, the mail
server performs a test of the entire message and scores the message
according to headers/text found, dictionary of known spam phrases and
the overall format of the message. A score of 5 or more will identify
the message as possible spam. No single characteristic positively
identifies a message as Spam, but rather a combination of
characteristics is scored and added to give a message an overall spam
score.
Spam Filtering
Spam filtering is by no means an exact science. Only approximations are
made; there is no black and white method of identifying spam. It is
inevitable that some spam will slip through the filters, and legitimate
email may be incorrectly identified as spam. Our system attempts to
negate the impact of potential mixing at the spam/non-spam threshold by
giving the user overall control of mail filtering.
The system will
identify spam messages which score above a 5 on the spam scale. The
subject line of the message will be modified indicating the score,
enabling you to configure your email client to filter/delete messages
matching a score that you can define, e.g. "Subject: [Spam Score
sssssss]". The "s" characters indicate the Spam score of the message, so 5
"s" characters indicate a Spam score of 5, the minimum score for possible
Spam. A score of 15 indicates that the message is blatant spam
and the message should be deleted.
Spam Scoring Table
Score | Subject tag | Rating
5 | sssss | Low Spam score. Two or more spam characteristics found. Could be legitimate email but more likely to be spam.
6 | ssssss |
7 | sssssss |
8 | ssssssss | Medium Spam Score. A number of characteristics identifies this message as spam.
9 | sssssssss |
10 | ssssssssss | High Spam Score. Numerous spam characteristics, very likely to be spam.
11 | sssssssssss |
12 | ssssssssssss | High Spam Score. Very positive hit identifying spam characteristics. Definitely spam.
13 | sssssssssssss |
14 | ssssssssssssss |
15 | sssssssssssssss | Extremely High Spam Score. All common spam characteristics identified. Message should be deleted. The mail server will not deliver spam with a score higher than 15.
Things to consider
You can modify your rules after getting a feel for what kind of scores
your incoming mail is receiving. You might find you will have to alter
your settings if you are getting Spam mixed with your email or
legitimate email is being deleted or moved because your Spam score
threshold is too low.
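To get a feel for scores before settling on a threshold, this added example (not Wrenware's code) counts the 's' characters in the subject tag and shows how many messages a 'subject contains' rule would move at each threshold. The sample subjects and the `tag` helper are constructed, and the assumption that the server places the tag at the start of the subject is not stated on this page.

```python
import re
from collections import Counter

# Assumption: the tag is written exactly as quoted on this page.
TAG_RE = re.compile(r"\[Spam Score (s+)\]")

def spam_score(subject):
    """Score encoded in the subject tag (number of 's'), or None if untagged."""
    m = TAG_RE.search(subject or "")
    return len(m.group(1)) if m else None

def client_rule_matches(subject, threshold):
    """What a 'subject contains' rule does: a plain substring search."""
    return ("Spam Score " + "s" * threshold) in (subject or "")

def is_server_tagged(subject):
    """Stricter test; assumes the server puts the tag at the start of the subject."""
    return TAG_RE.match(subject or "") is not None

def score_histogram(subjects):
    """How many messages carry each score (untagged mail is counted under None)."""
    return Counter(spam_score(s) for s in subjects)

def sweep(subjects, thresholds=range(5, 16)):
    """Messages a client rule would move at each candidate threshold."""
    return {t: sum(client_rule_matches(s, t) for s in subjects) for t in thresholds}

def tag(n):
    """Hypothetical helper: build the tag for score n, used for the sample data."""
    return "[Spam Score " + "s" * n + "]"

# Constructed sample subjects, not real mail.
SAMPLE = [
    tag(5) + " Newsletter: March offers",
    tag(8) + " Cheap watches",
    tag(12) + " You have won",
    "Meeting agenda",
    "Re: " + tag(6) + " is this yours?",   # a reply that quotes a tagged subject
]

if __name__ == "__main__":
    print(dict(score_histogram(SAMPLE)))
    for t, n in sweep(SAMPLE).items():
        print(f"threshold {t:2d}: {n} message(s) moved")
    print([s for s in SAMPLE if spam_score(s) and not is_server_tagged(s)])
```

Because the rule is a substring match, a rule for five 's' characters also catches every higher score, and it catches replies or forwards that carry the tag further along the subject line.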
Virus Filtering
The virus scanner will be able to identify common viruses and silently
delete messages containing such viruses. Not all viruses will be
silently deleted, but files containing viruses will be stripped, and
potential virus containers, identified by file extension, will also be
stripped from the message. Common disallowed file types
are:
.reg .scr .exe .pif .com .vb
Files such as Microsoft Office documents, pdf files and images should not
be affected. If you have questions about the complete list of files we
have configured to be stripped, please contact us at
support@wrenware.net.
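An extension-based attachment check of the kind described above, as an added example that is not Wrenware's scanner: it compares only the final extension, ignores case and trailing dots or spaces, and reads the filename from either MIME header that can carry it. The sample message is constructed and its attachment bodies are placeholders.

```python
import os
from email import message_from_string

BLOCKED = {".reg", ".scr", ".exe", ".pif", ".com", ".vb"}  # list from this page

def blocked_extension(filename):
    """Return the blocked extension of `filename`, or None if it is allowed."""
    # Case-insensitive; trailing dots/spaces are ignored because Windows drops them.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]   # final extension: "a.pdf.scr" -> ".scr"
    return ext if ext in BLOCKED else None

def attachments_to_strip(raw_message):
    """Filenames of all MIME parts whose final extension is on the blocked list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        # get_filename() reads Content-Disposition "filename" and falls back
        # to the Content-Type "name" parameter.
        filename = part.get_filename()
        if filename and blocked_extension(filename):
            hits.append(filename)
    return hits

# Constructed sample message; attachment bodies are placeholders.
RAW = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

placeholder
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.SCR"

placeholder
--b1
Content-Type: application/octet-stream; name="update.exe."

placeholder
--b1--
"""

if __name__ == "__main__":
    print(attachments_to_strip(RAW))
```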
What should I do when my legitimate email is being tagged as spam?
First check the full headers of the message. You should see a header
called:
X-scanner.giga-sj-001.net-MailScanner-SpamCheck:
Below
this header, you will see a brief summary of all the characteristics
which positively identified the message as spam. They will probably
appear a little cryptic, but they may give you some insight as to why
the message was tagged.
If only two characteristics are listed and the
score is 5, then it is likely a one-off false positive; adjusting your
client-side mail filters to 6 or 7 should prevent these messages from
being deleted or segregated.
What should I do when I receive notification of virus or attachment removal?
A message which has had a potentially dangerous attachment removed will
be identified by a modified subject line containing the following:
[Alert - dangerous attachment removed]
or if a virus was positively identified:
[Alert - virus was removed]
If you recognize the sender, you can notify him/her that their
attachment did not get through, find out what it was and once you have
both determined it is safe, have the sender place the file in a zip file
and resend. We recommend that you do not attempt to notify unknown senders
whose messages are positively identified as viruses, as it is likely that
the sender's address was faked by the virus to hide its true source. If
you are receiving many of the above messages over a short time frame,
please contact us at
support@wrenware.net straight away with a copy of the message and we will
attempt to filter the source, or identify the new strain and add it to
our blocking system.
What should I do when a genuine attachment gets stripped?
See above.
How the notification system works - senders don't get notified, recipients do.
If it is a known virus, such as Klez or Sobig, the message and attachment
will be silently deleted at the server and no notification will be sent to
either the sender or recipient.
When an attachment is found that is not a known virus, but appears to have a
virus attachment, the attachment will be removed but the body of the message
will still be sent to the recipient. The message will also include notification
that an attachment has been removed. The sender will not be notified.
Common viruses that are silently deleted are:
Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Ganda Mimail Gibe-F
We will add viruses to the list that propagate quickly and are massively
annoying as they are released.
What is Spamhaus, what is ORDB.org?
Spamhaus.org SBL is a carefully compiled and researched list of known
spamming organizations and providers that abuse the email system
without regard for internet users in general. If a contact attempts to
send email to you, and it bounces back, referring to Spamhaus.org, then
your contact or their ISP/Network Administrator will need to go to
Spamhaus for an explanation of why their IP address or mail server is
listed. Unfortunately, we cannot de-list servers or addresses so please
don't ask us to allow an IP address or mail server through. For
more information, please refer to
http://spamhaus.org.
ORDB.org is a database of known open relay mail servers. An open relay
mail server is a misconfigured mail server which can be used by spammers
to send spam and avoid detection. A spammer will commonly use multiple
open relay mail servers to send spam, making it difficult for
administrators to block such messages. If a contact attempts to
send email to you, and it bounces back, referring to Spamhaus.org, then
your contact or their ISP/Network Administrator will need to go to
http://ordb.org to ascertain why their IP address or mail server is
listed. Usually, rectifying the problem on the sender's side and
notifying ORDB that the server is no longer an open relay will result in a
de-listing within about 24 hours. Unfortunately, we cannot de-list
servers or addresses so please don't ask us to allow an IP address or
mail server through. For more information, please refer to
http://ordb.org/about/.
Email Client Setup Guides
The following guides will show you how to set up Microsoft
Outlook, Outlook Express, Eudora & Webmail. Your
requirements for dealing with Spam will likely vary from what is
illustrated here.
Microsoft Outlook
Open Microsoft Outlook and click on Tools --> Rules Wizard...
You will be presented with the Rules Wizard dialog box.
Click the 'New...' button in the top right-hand corner.
Select 'Check messages when they arrive' (the first option)
and click the 'Next >' button.
Tick the 'with specific words in the subject' condition in
the top select field. In the 'Rule Description' field click
on 'specific words' to bring up a new dialog.
In the Search Text dialog enter 'Spam Score sssss' in the
'Add new:' input field. (Note: number of 's' characters
refers to the Spam score threshold. The more 's' characters
the higher the severity of the email being considered Spam.
Refer to the above Spam scoring table.) Click the 'Add' button
and click 'OK'.
Click the 'Next >' button.
Tick 'move it to the specified folder' in the top select box.
Click on 'specified' in the bottom select box to bring up a new dialog box.
Create a new mail folder by clicking on the 'New...' button.
Enter a name for your email folder in the 'Name:' field and click 'OK'.
Click the 'Next >' button.
Click 'Next >' again.
Tick the 'Run this rule now...' tickbox if you have mail that needs to
be filtered in your inbox and click 'Finish'.
All done.
Microsoft Outlook Express
Open Outlook Express and go to Tools --> Message Rules --> Mail.
This will bring up the message rules dialog. Click on the New...
button to create a new message rule.
1. (Select the Conditions for your rule:)
Check 'Where the Subject line contains specific words'.
2. (Select the Actions for your rule:)
What would you like done with the questionable email? There are a
few options.
Move it to a specified folder
Highlight it with color
Delete it from server
We ask that you do not leave Spam (or legitimate email) on the server
as it will cause congestion over a period of time and result in sluggish
mail services for everyone.
3. (Rule Description:)
Click on 'Subject contains specific words' and enter 'Spam Score sssss'
(Note: number of 's' characters refers to the Spam score threshold. The
more 's' characters the higher the severity of the email being considered
Spam. Refer to the above Spam scoring table.)
If you selected 'Move it to the specified folder', click on 'specified'.
Select the folder you would like the questionable email to go to. If you do
not have a folder, just create one by pressing 'new folder' and enter a name
for it. Select it and press the OK button. Press OK again.
Your rules will now be effective the next time you download your email in Outlook Express.
Eudora
Open Eudora and from the drop down menu, click on Tools --> Filters.
You will be greeted with a filter dialog within the main Eudora interface.
Click the New button at the bottom of the dialog box.
In the Match pane down the right hand side, check the Incoming check box.
From the Header select box, choose 'Subject'. Select 'contains' from the
Identifier field and enter 'Spam Score sssss' into the following input box.
(Note: number of 's' characters refers to the Spam score threshold.
The more 's' characters the higher the severity of the email being considered
Spam. Refer to the above Spam scoring table.)
In the Action Pane, select 'Transfer To' from the drop down box if you would
like to move suspect email to another folder. However you can select 'Junk'
to move it directly to the junk folder.
You can create a new email folder to send your suspect email to, or send it
directly to 'Junk'. Click the In Button and select the appropriate
folder or create a new one.
Mail filters have now been setup for Eudora.
MacOS Mail
Open Mail and click on Mail --> Preferences...
You will be presented with the Preferences window.
Click the 'Rules' button in the top right-hand corner.
You will be presented with the Rules dialog box.
Click the 'Add Rule' button on the right-hand side of the window.
Enter a new 'Description' for this rule.
Click on the 'From' drop-down box and select 'Subject' from the list.
Click in the textbox to the right of the 'Contains' drop-down list and
enter '[Spam Score sssss]' into the textbox.
(Note: number of 's' characters refers to the Spam score threshold.
The more 's' characters the higher the severity of the email being considered
Spam. Refer to the above Spam scoring table.)
Make sure that the action is set to 'Transfer Message' to the mailbox 'Junk'.
If this is not the case, change the drop-down lists to set this action, then press
the 'OK' button.
The new rule will appear in the list of defined rules. Click the red close
button to exit the window.
All done.