Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 

Server-side virus & spam filtering

The SCS Corvid e-mail system features fully integrated antiSpam and antiVirus processing. These features are provided by "PureMessage," a commercial product from Sophos Corporation that scans all incoming mail for both forms of infection.

AntiSpam Services

Messages arriving at the SCS mail machines (whether destined for the Corvid servers or for an individual mail machine) are scanned by the PureMessage package for spam characteristics. PureMessage uses many different traits to identify spam, including:
  • Keywords and phrases
  • Identity of the sending site and user
  • Presence of attachments and the size of the message
PureMessage estimates the probability that a message is spam and, if that value exceeds 50%, adds an identifying line to the message headers. The new line(s) will always begin with "X-spam-Warning" and include the calculated probability of the message being spam.

Once the message is tagged with this header, it is delivered to the intended user. At that point, the user can either act on the X-spam-Warning or not. Typically, the user will want to either refile the message into their spam folder or discard it entirely. This can be done either through a Sieve script on the Corvid back end server, or through a mail filter in the e-mail client software.

By default, when SCS Facilities sets up a new Corvid account, we install a Sieve script to refile suspected spam into the user's "SPAM" folder. (Note the uppercase folder name.) We strongly encourage users to inspect their spam folder periodically to ensure that nonspam messages were not accidentally refiled there and to clean out old, known spam messages. We do not recommend that users automatically delete messages tagged as spam.

Reporting mistagged mail

You can report spam that gets through PureMessage to: <is-spam@labs.sophos.com>. Similarly, to submit false positives, send mail erroneously tagged as spam to: <not-spam@labs.sophos.com>. In either case, send the complete message as an attachment, thereby including all "Received:" headers, so that SophosLabs can analyze your sample.

To forward ("bounce") suspect email:

  • From Mozilla Thunderbird:
    1. Select the spam sample
    2. From the toolbar, choose "Message" > "Forward as" > "Attachment"
    3. Add the appropriate address to the recipient list
    4. Send the email
  • From Microsoft Outlook:
    1. Create a new email message addressed to the appropriate address, given above.
    2. Drag and drop your email sample from the inbox to the new message
    3. Send your message
  • From other email clients:
    1. Contact Sophos support before sending your sample
    2. In general, use the "Forward as Attachment" strategy
Thunderbird users can simplify the submission process by installing the "mailredirect" plugin, which adds a new option to the client's menu bar. The Macintosh Mail.App client provides a built-in "Redirect message" option, and Pine (on Fedora-based Linux platforms) also offers bounce functionality.

AntiVirus Services

In a manner similar to the antiSpam services, the PureMessage antiVirus service scans all incoming mail for known virus signatures (the signature list is updated regularly). On detecting a virus, PureMessage adds the term "[PMX:Virus]" at the beginning of the message's "Subject:" header. The virus part of the message is then removed, and an explanatory text is added to summarize what happened. Any "nonviral" message text remains unchanged.

By default, messages that have been detected as having a virus are not deleted or refiled, since the viruses have been removed and the messages are no longer dangerous.
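
A client-side mail filter can act on the two tags described above: the "X-spam-Warning" header and the "[PMX:Virus]" subject prefix. The Python code below is an added example, not SCS Facilities or Sophos code. It assumes the probability appears in the header value as a percentage such as "97%", uses "INBOX" as the name of the default folder, and runs on constructed sample messages.

```python
import re
from email import message_from_string
from email.policy import default

SPAM_HEADER = "X-spam-Warning"   # header name given on the page
VIRUS_TAG = "[PMX:Virus]"        # Subject prefix given on the page
SPAM_FOLDER = "SPAM"             # uppercase, as the page notes
# Assumption: the probability appears in the header value as "NN%".
PERCENT = re.compile(r"(\d{1,3}(?:\.\d+)?)\s*%")

def triage(raw, refile_at=50.0):
    """Decide where a delivered message goes; never deletes anything."""
    msg = message_from_string(raw, policy=default)
    # Header names match case-insensitively; there may be several lines.
    warnings = [str(v) for v in msg.get_all(SPAM_HEADER, [])]
    probs = [float(m.group(1)) for w in warnings for m in PERCENT.finditer(w)]
    score = max(probs) if probs else None
    # A tag with no parsable percentage is still a tag: refile it.
    tagged = bool(warnings) and (score is None or score >= refile_at)
    subject = str(msg.get("Subject", ""))
    return {
        "folder": SPAM_FOLDER if tagged else "INBOX",
        "spam_probability": score,
        # Virus part already stripped server-side, so the message stays put.
        "virus_removed": subject.lstrip().startswith(VIRUS_TAG),
    }

# Constructed sample messages (not real PureMessage output).
SPAM = ("From: a@example.com\nSubject: Cheap watches\n"
        "X-Spam-Warning: spam probability 97%\n\nbuy now\n")
BORDERLINE = SPAM.replace("97%", "55%")
CLEANED = ("From: b@example.com\nSubject: [PMX:Virus] invoice\n\n"
           "An attachment was removed.\n")
HAM = "From: c@example.com\nSubject: Meeting notes\n\nSee you at 3.\n"

if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("borderline", BORDERLINE),
                      ("cleaned", CLEANED), ("ham", HAM)]:
        print(name, triage(raw))
```

Raising `refile_at` keeps borderline messages in the inbox for users who see too many false positives; the function only ever refiles, in line with the recommendation not to delete tagged mail automatically.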