Set-up for Email

Reading email
Forwarding email Updated
Sending email
Spam filtering implementing SpamAssassin
Virus protection
Email recovery		CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

Filtering spam

To reduce the annoyance of unsollicited commercial email (spam), incoming email are refused when they come from an email gateway with open relaying.

Some email gateways are set-up to accept and process emails with sender and recipient located outside of their own domain (the red arrow on the graph). This is known as open relay. A spamer can send email to an open relay, that will then be forwarded to the final recipient. It help to hide spamer's tracks.

A list of email gateways with open relay is kept by MAPS/RBL. CSIM email server will refuse any incoming email that originates from a server on the list.

Starting on February 1st, 2002, incoming email is also filtered by SpamAssassin (SA). SA combines recognition of certain expressions, patern of delivery, and databases of recognized spam messages.

Each rule in SA gives some points to the email message. When a message reach the score of 5, it is considered to be likely to be spam.

During the test period, in February 2002, only very few email messages (less than 1 ‰) where falsely classified as spam when they were valid messages.

Email that is detected as possible spam is not delivered to your mailbox, but is instead quarantined in a separate directory. Once a day, you will receive a summary of the messages that have been quarantined. The summary gives the name of the sender, the subject and the date, as well as an identifier of the quarantined messages, messages are sorted by level of spam-iness:

  Date: Mon, 18 Mar 2002 16:42:35 +0700 (ICT) From: quaratine@cs.ait.ac.th To: on@cs.ait.ac.th Reply-To: quarantine@cs.ait.ac.th Subject: Quarantined messages You have received email(s) that is suspicious spam and was quarantined. Quarantined messages are kept for 30 days before they are automatically removed (http://www.cs.ait.ac.th/laboratory/email/spam.shtml#spam). If you wish to see any of the following message, reply to this email,including the lines with the File: information below. The word File: MUST be in your reply message, along with the filename. 1 File: on-spam.200203181540.77885 Spam Level: 9.3 Date: Mon, 18 Mar 2002 15:40:00 +0700 (ICT) From: Mail Delivery Subsystem <MAILER-DAEMON> Subject: Postmaster notify: see transcript for details . . .  
Example of summary for quarantined spam

Note: quarantined messages are kept for 30 days only, after that, they are automatically deleted.

You can recover any quarantined message, before the delay of 30 days expires, by sending an email to quarantine@cs.ait.ac.th where you mention the identifier of the message you want to recover:

  To: quarantine@cs.ait.ac.th In-reply-to: <200203180942.g2I9gZM82106@mail.cs.ait.ac.th> (quaratine@cs.ait.ac.th) Subject: Re: Quarantined messages References: <200203180942.g2I9gZM82106@mail.cs.ait.ac.th> --text follows this line-- > 1 File: on-spam.200203181540.77885 > Spam Level: 9.3 > Date: Mon, 18 Mar 2002 15:40:00 +0700 (ICT) > From: Mail Delivery Subsystem <MAILER-DAEMON> > Subject: Postmaster notify: see transcript for details  
Example of email send for recovering a quarantined message

It will be added to your mailbox immediately. The message will contain the explanation by SA why it has been detected as spam:

  From: Olivier Nicole <on> Date: Fri, 1 Feb 2002 11:44:32 +0700 (ICT) To: on Subject: test X-Virus-Scanned: by AMaViS [amavisd-milter] (http://www.amavis.org/) X-Spam-Status: Yes, hits=8.6 required=5.0 tests=FROM_MALFORMED, TO_MALFORMED,RAZOR_CHECK,FROM_AND_TO_SAME version=2.01 X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 2.01 (devel $Id: SpamAssassin.pm, v 1.61 2002/01/25 04:41:02 jmason Exp $) test 
A spam message with the score assigned by SA

You can also tune some of the features of SpamAssassin. In your home directory, there is a subderictory called .spamassasin that contains the file user_prefs:

  # SpamAssassin user preferences file. See 'man Mail::SpamAssassin::Conf' for # details of what can be tweaked. #* #* Note: this file is never read by SpamAssassin. Instead, it will be copied #* to a user's home directory, allowing them to perform personalised #* customisation. If you want to make changes to the site-wide defaults, #* create a file in /etc/spamassassin or /etc/mail/spamassassin instead. ########################################################################### # How many hits before a mail is considered spam. required_hits 10 # Whitelist and blacklist addresses are now file-glob-style patterns, so # "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. # whitelist_from someone@somewhere.com # Add your own customised scores for some tests below. The default scores are # read from the installed spamassassin rules files, but you can override them # here. To see the list of tests and their default scores, go to # http://spamassassin.org/tests.html . # # score SYMBOLIC_TEST_NAME n.nn 
A sample of the file ~/.spamassassin/user_prefs

If you change the value required_hits you can tell SpamAssassin to be more or less strict on what is considered to be spam:
required_hits 10
The default threshold is 5.

Note: that you must remove the # at the begining of the line.

You can also add one email address in the whitelist if someone often writes to you and his messages are potentiall marked as spam:
whitelist_from my_friend@hotmail.com

Or you can blacklist and address that would otherwise send spam undetected:
blacklist_from bad_guy@spammer.com

There are many more options that you can configure in order to tune SpamAssassin to detectes spam accurately in your incoming emails. The page about SpamAssassin configuration file describes all the existing features.

Virus scanning

Many viruses are spread through email. To reduce the risk of virus infection, email are checked and quarantined if they are infected. Both incoming and outgoing emails are checked, to protect us from outside, and also to protect outside from a virus we could accidently spread.

CSIM has invested in a virus checking software, by Kaspersky. The virus signature file is updated every two hours in order to guarantee you that the most recent viruses are caught.

To increase the security, a second anti-virus is now running on the email server. This anti-virus is ClamAV an open source anti-virus, known to have good response time to new threats.

AIT has invested in a centralized anti-virus system that you can install on your desktop machine. In case of virus checking, redundancy can only bring more security.

Despite this fact, the systematic virus scanning of email should not prevent you to exert caution when reading email. You should consider the following questions before opening any attachement:

If any of the answer is "no", wait before opening th attachement. Ask the sender if he really emailed that file to you on purpose, and wait for his answer. A little delay is better than being sorry.

Also note that some attachement can have missleading names like image.GIF.exe that looks like an image but is really an executable file (a program). Some email program could even hide the .exe part under the false argument that a filename can only have one extention. In any case, never open a file with a missleading name, such names are forged to have you do something you would not do under normal curcumstances.

You can find some more information about email borne virus in the advisory from CERT.

In the case your machine got infected and you try to send an infected email, the email will not be delivered. Instead you will receive a warning looking like:

  Date: Thu, 25 Oct 2001 10:00:32 +0700 (ICT) From: postmaster To: <on@bazooka.cs.ait.ac.th> Subject: VIRUS IN YOUR MAIL V I R U S A L E R T Our viruschecker found the I-Worm.Sircam.c virus(es) in your email to the following recipient(s): -> <somebody@somewhere.com> Please check your system for viruses, or ask your system administrator to do so. For your reference, here are the headers from your email: ------------------------- BEGIN HEADERS ----------------------------- Received: from localhost (on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) with SMTP id JAA10365 for <somebody@somewhere.com>; Thu, 25 Oct 2001 09:58:45 +0700 (ICT) X-Authentication-Warning: bazooka.cs.ait.ac.th: on owned process doing -bs Date: Thu, 25 Oct 2001 09:58:45 +0700 (ICT) From: Olivier Nicole <on@bazooka.cs.ait.ac.th> To: somebody@somewhere.com Message-ID: <Pine.GSO.3.94.1011025095829.8469W-101000@bazooka.cs.ait.ac.th> MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-1932422408-1003978725=:8469" -------------------------- END HEADERS ------------------------------ 

In such case, it is urgent that you get your machine cleaned.

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Aug 2007