Spam and Virus Filtering

Colby College uses multiple techniques to prevent the delivery of spam and viruses into a person's INBOX.

The Colby e-mail server uses Sophos and ClamAV anti-virus software from within MailScanner to keep viruses at bay. While not perfect, MailScanner has successfully prevented e-mail propagated virus outbreaks at Colby College since 2003. However, viruses can propagate by many other methods, so you must keep anti-virus software installed and up-to-date on your personal computer.

Spam is a growing problem for both Internet service providers and the person receiving it. Colby College uses multiple techniques to combat spam delivery:

  • IP number blocking: In rare instances, large-scale spam sites will be blocked at the kernel level by IP filtering. Internet IP packets from the offending site will be dropped before e-mail software ever sees the data stream. From the remote site's point of view, Colby's e-mail server is down or unreachable.
  • DNS RBLs: Colby uses one RBL from within sendmail, and others from within MailScanner. The one used by sendmail is the Spamhaus SBL+XBL list (www.spamhaus.org). If the IP number of a remote site appears in this list, then ALL e-mail from that site is rejected. The spammer, er, sender, is notified with a rejection message referring to the appropriate RBL. MailScanner uses RBL lists in its SpamAssassin tests to increase the spam score of e-mails.
  • Sendmail: Colby College uses the public-domain version of sendmail as its MTA. Sendmail has numerous anti-spam features built into it, nearly all of which are in use by Colby.
  • MailScanner: This package is described in more detail below.
  • Procmail: Sendmail hands a message to procmail for local delivery into a person's INBOX. Unlike other local delivery agents, procmail is programmable and can make decisions about which INBOX to deliver a message to. A few ad-hoc anti-spam tests are used within procmail to prevent spam delivery if other methods upstream have failed. Procmail is mostly used for "quick-fix" temporary spam-blocks if other methods have failed and there is a spam (or virus) flood coming in.
  • ITS can and will make changes to our e-mail server configuration without notice to further tune anti-spam features and to improve performance of our e-mail system.

MailScanner and Related Components
The MailScanner software is the key component of Colby's anti-virus and anti-spam measures for e-mail. It is highly configurable and flexible code that stands between two instances of sendmail. The first instance of sendmail tests a message against its own RBLs and basic anti-spam measures, then deposits the message in a queue for MailScanner to pick up. MailScanner picks up messages in batches and then performs numerous anti-virus and anti-spam tests on each message. Each message is marked for delivery, rejection, quarantine, deletion, or modification depending on the test results. Messages marked for delivery are placed in a second queue for a second instance of sendmail to pick up and hand on to procmail for local delivery.

A PDF illustration of the flow of a message through MailScanner is available here. SpamAssassin is the major anti-spam component of MailScanner and performs many tests on both the mail headers and the message body to determine whether a message might be spam. It assigns a score to each message, where zero is definitely not spam and larger positive numbers indicate a greater likelihood that the message is spam. As configured at Colby, MailScanner will deliver any (non-virus) message having a score of up to 5.0 without modification. For a score greater than 5.0 and less than 10.0, the subject line of the message is modified to include "{Spam.}" at the start of the subject. This string can be used with e-mail client filters to trap possible spam. Any message with a spam score of 10.0 or greater is silently discarded.

After spam analysis, MailScanner then runs the message through anti-virus tests. MailScanner can use up to 14 different anti-virus engines on a message and its attachments (Colby uses two, Sophos and ClamAV). Any message with a known virus is silently discarded. MailScanner also examines attachments by file type and file naming conventions to determine if an attachment is a "dangerous" type. Most executable files, especially files that will execute on a Windows computer, are considered dangerous and will be rejected by MailScanner. Files with "dangerous" suffixes indicating that they are executable files, e.g. files ending in .exe, .bat, .com and the like, will also be rejected by MailScanner.

MailScanner is also smart enough to recognize most types of file packaging and compression that can be done to files (or groups of files), and MailScanner will attempt to pick apart or uncompress such attachments in order to look for dangerous files within. Files that are tarred, zipped, compressed, rar'ed, and/or arj'ed can be examined for malicious content. TNEF files can also be examined.

If you need to e-mail executables or "dangerous" files, then zip the files up, encrypt the resulting zipfile, and e-mail that. MailScanner will have no way to examine the contents of an encrypted zip file, and will send it on. Of course, you will have to e-mail the encryption password to the recipient.

MailScanner also examines the body of a message for URLs (links to webpages) and attempts to warn you about either phishing scams or dangerous URL links that might attempt to download software to your computer. MailScanner will disarm dangerous links and note this action in the subject line with "{Disarmed}".

MailScanner will only deliver a message to the downstream instance of sendmail (for final delivery) if it is virus-free, has a spam score less than 10.0, and does not contain any dangerous attachments.
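The delivery policy described in this section, written out as an added Python example (not Colby's or MailScanner's own code): the SpamAssassin score and the anti-virus verdict are simulated inputs, the attachment check uses only the suffixes the page names, and the sample messages are constructed for the example.

```python
from email.message import EmailMessage

# Thresholds and tag exactly as the page describes Colby's configuration.
TAG_THRESHOLD = 5.0        # up to and including 5.0: delivered untouched
DISCARD_THRESHOLD = 10.0   # 10.0 or more: silently discarded
SPAM_TAG = "{Spam.}"
# Suffixes the page names as "dangerous"; the real MailScanner list is longer.
DANGEROUS_SUFFIXES = (".exe", ".bat", ".com")


def dangerous_attachments(msg):
    """Return attachment filenames whose suffix marks them executable."""
    names = (part.get_filename() or "" for part in msg.iter_attachments())
    return [n for n in names if n.lower().endswith(DANGEROUS_SUFFIXES)]


def dispose(msg, spam_score, virus_found):
    """Decide what MailScanner does with one message (score and AV verdict
    are simulated).  Returns (action, subject); 'tag' means the message goes
    downstream with the "{Spam.}" marker prepended to its subject."""
    subject = str(msg["Subject"] or "")
    if spam_score >= DISCARD_THRESHOLD:
        return "discard", subject                 # dropped, sender not told
    if virus_found:
        return "discard", subject                 # known virus: also dropped
    if dangerous_attachments(msg):
        return "reject", subject                  # executable attachment
    if spam_score > TAG_THRESHOLD:
        return "tag", f"{SPAM_TAG} {subject}"     # 5.0 < score < 10.0
    return "deliver", subject


def client_filter(subject):
    """Mail-client rule from the tips section: tagged mail goes to Junk."""
    return "Junk" if subject.startswith(SPAM_TAG) else "INBOX"


def build_sample(subject, attachment_name=None):
    """Constructed test message; not real Colby traffic."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "joeblow@colby.edu"
    msg["Subject"] = subject
    msg.set_content("Hello from the example.")
    if attachment_name:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg
```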

I Got Spammed! What do I do?
You are bound to get spam sooner or later. Here are some tips to minimize your spam:

  • DO NOT REPLY TO THE SPAM! You are not only wasting your time, you are telling spammers that they have a fish on the hook. You will get more spam as a result. If the spam says something like "send e-mail to [blah] for removal" or "click here to be removed from our list", don't believe it.
  • Do not put your e-mail address on web pages, where your address can be harvested by web crawler software. If you do want your address shown, either put it there as a graphic instead of text, or "munge" it. For example, write it as "joeblow at colby.edu" instead of joeblow@colby.edu.
  • Likewise, be very judicious in entering your e-mail address at websites. You may really want information from the site, but they might also use your address for other purposes (or sell it). Read the site's privacy policy before giving out your address. If the site does not have one, then run away.
  • Use e-mail filters on your e-mail client. Eudora, for instance, allows you to filter e-mail. You will want to filter for MailScanner's warning of {Spam.} on the subject line. You are advised to store alleged spam into a "Junk" folder or the like, and not just trash it. Check this folder occasionally to make sure legitimate messages didn't land there, then trash the contents.
  • Fight back! Report spam that you receive to DNS blacklists (DNS RBLs) so that sites can block the spam, and so administrators at the offending ISP can terminate the spam. You can report spam to Spamcop for example.