CT Community Colleges - Information Security - Anti-Spam FAQ
Anti-Spam FAQ

Where can I go for more information?

How does the Anti-Spam software work?

How often do I receive End User Digests?

Why am I receiving multiple End User Digests at one time?

What can I do with an End User Digest?

What types of mail messages show up in the Connection Quarantine?

What types of mail messages show up in the Bounce Management Section?

How long does a message stay in the quarantine?

How much mail is spam vs. not spam?

Why am I still receiving spam in my inbox?

What is the Safe/Blocked Senders List?

How Should the Blocked Senders List be Used?

I used to have Safe/Blocked Senders in my list - where did they go?

What is the check box next to each email address in my Safe/Blocked Senders List?

I've received a message that appears to be from a commnet.edu address and I believe it may not be real. How do I know?

What about lost e-mail?

What kind of attachments are stripped and why?

What does the error: "Message No Longer Available" mean?

Why is there a "quarantine" folder in my Outlook folder list?


Q Where can I go for more information?

A For step-by-step instructions on how to use the End User Digest, refer to the Anti-Spam End User Digest Help document.

For general anti-spam information, refer to the Anti-Spam Information document.

If your question is not answered in this FAQ, contact your local IT department. They will help handle the problem or contact System Office Operations on your behalf to solve the problem.

Q How does the Anti-Spam software work?

A As email enters or exits the Connecticut Community Colleges network via the Internet, it passes through an anti-spam filter. The anti-spam filter uses a complex algorithm to determine if an email is spam or not. As each message is examined by the algorithm, it is assigned a spam score on a scale from 0 (not spam) to 100 (spam). Based on the spam score, an email message is then put into one of four categories:

  • Spam: spam scores between 99 and 100
  • Probable Spam:  spam scores between 80 and 98
  • Maybe Spam:  spam scores between 50 and 79
  • Not Spam:  spam scores between 0 and 49

Besides spam content, mail messages are also checked against a defined set of connection thresholds and criteria. An example of a connection threshold would be if a person on the Internet sent 7,000 copies of an email to commnet.edu users or attempted to open 500 concurrent connections to our mail servers. Either would exceed the connection thresholds that are defined to protect our mail servers from abuse or denial of service attacks.

Twice a day, you will receive an email message from "SpamDigest@commnet.edu" which contains two sections: the Quarantine and the Connection Quarantine. The Quarantine section contains a list of email messages that have been classified as Probable Spam. The Connection Quarantine section contains a list of email messages that have exceeded connection thresholds or meet other connection criteria. This email message is called an End User Digest. The email messages listed in the End User Digest have been quarantined and have not been delivered to your inbox.

Messages classified as Spam are immediately deleted since they are, without a doubt, spam and there is no need to list them in the End User Digest. Not having spam clog the End User Digest makes it much easier for the end user to identify messages that fall into the middle category of "probable spam". A majority of "probable spam" is still going to be spam, but because it has a lower spam score it is listed in the End User Digest to give the end user the ability to review and release messages if desired.

Messages classified as Probable Spam are what you will see in your End User Digest. Messages classified as Maybe Spam and Not Spam are delivered as expected to your inbox.

Q How often do I receive End User Digests?

A You will receive an End User Digest in your inbox twice a day, Monday through Friday at 8:00 AM and 3:00 PM. You will not receive an End User Digest if none of your mail has been determined to be spam or meets any connection criteria (this is an "empty digest").

The End User Digest displays a list of email messages that have been added to your quarantine since the last time you received a digest. They are sorted by their spam score so email messages that are more likely to be spam will be at the bottom of the list.

At any time, you may request a digest that contains a list of all messages in your quarantine. The Full End User Digest is sorted by the date the email message was received. Steps on how to request a Full End User Digest are outlined in the Anti-Spam End User Digest Help document.

Q Why am I receiving multiple End User Digests at one time?

A If you are a member of a mail distribution list and that list receives spam, all members of the list will get an End User Digest that lists the messages that were quarantined for that list. The actual list name (email address) is displayed to the right of the CCC logo at the top of the End User Digest.

If you receive an End User Digest for a mail distribution list, you should report this to your local IT department. Please provide the actual list name (email address) that is displayed to the right of the CCC logo at the top of the End User Digest. Once this information is provided, the behavior of the mail distribution list will be changed so that members do not receive a separate End User Digest for that list.

Q What can I do with an End User Digest?

A When you receive your End User Digest in your inbox, you can quickly review the subjects, spam scores and the sender’s email address of messages in the quarantine. No further action needs to be taken on the spam that used to clog your inbox. Messages will automatically be removed from your quarantine after 7 days if no action is performed.

If you wish to release a message from your quarantine, you may do so without the aid of a system administrator by following the steps outlined in the Anti-Spam End User Digest Help document.

Q What types of mail messages show up in the Connection Quarantine?

A The Connection Quarantine contains mail messages that exceed a connection threshold or meet a particular criterion. Connection thresholds and criteria are defined to protect our mail servers from abuse or denial of service.

Connection thresholds and criteria are regularly tuned and refined based on current events. Examples of types of connection thresholds and criteria are:

  • Total concurrent connections from a single IP
  • Total messages within a single session
  • Common phishing attempts that aren't yet defined as spam

Since messages found in the Connection Quarantine are not based on the content of the message, it is possible for legitimate mail to appear in the Connection Quarantine if the way in which the user sent the mail is considered an abuse of system resources. For example, if a legitimate Internet user wanted to send a newsletter to all CCC staff members by sending 1,000 messages simultaneously, it would be considered an abuse of our mail resources and be quarantined in the Connection Quarantine.

The Connection Quarantine does not use your Safe list. Therefore, even if you safelist a user, mail from them may appear in the Connection Quarantine if they exceed defined thresholds or criteria. If this is the case, simply release the mail from the quarantine to receive the email.

Q What types of mail messages show up in the Bounce Management Section?

A The messages that show up in the Bounce Management section are bounces caused by spammers who send email spoofed (i.e. forged) so that it appears to come FROM you - not FROM them. When the spam is sent to an email address out on the Internet that doesn't exist, an email bounce will go back to YOU, not back to the spammer. This is called "backscatter". This page describes exactly how this happens: http://www.commnet.edu/it/security/email-spoofed.asp

Obviously you can ignore these emails, but if you see an email in the bounce management section that appears legitimate, you can release it using the release button.

This feature is very effective in keeping these bounces out of your inbox, as it is possible for spammers to send out hundreds if not thousands of emails with spoofed "from" addresses. That means you could be inundated with these bounces in your inbox and you'd have to manually delete them if this feature were not in place. The feature captures all those emails in the Bounce Management section of the Spam Digest and prevents them from being sent to your inbox.

You would only see this section in your Spam Digest if you happen to receive some of these bounces.

Q How long does a message stay in the quarantine?

A Messages in the quarantine will automatically be deleted in 7 days if no action is taken to retrieve the particular message.

Q How much mail is spam vs. not spam?

A Reporting performed on the email flow revealed that currently 98% of our email falls under the two extremes: Spam and Not Spam. The following 2 charts detail the breakdown of our email as it relates to the four spam categories in 2008:

Back in 2006, Spam was only 69% of our mail!

With the classification of a majority of our email so easily identifiable as either Spam or Not Spam, the anti-spam solution can immediately make a difference in everyone’s inbox by removing messages determined to definitely be spam and quarantining for review only the mail that probably is spam. Over a period of 30 days, that’s close to a billion messages that do not have to be delivered to our inboxes!

Q Why am I still receiving spam in my inbox?

A Even though the anti-spam software is filtering close to 300,000 messages a day, you may still receive spam that gets classified as Not Spam and is delivered to your inbox. Our goal in implementing the anti-spam filter is to reduce the over 90% of mail that is definitely spam and is classified with the highest spam scores. It is impossible to capture 100% of the spam without misclassifying a percentage of real email as spam. This misclassified mail is referred to as a "false positive."

Therefore, you may still receive a small percentage of spam in your inbox that is mislabeled as Not Spam. The anti-spam filter adjusts its spam filters over time, "learning" new spam definitions, and will eventually correctly identify it as Spam. Therefore, you do not need to report spam that you see in your inbox to anyone, as a small percentage of spam is expected.

Q What is the Safe/Blocked Senders List?

A Safe and Blocked Senders Lists are lists of email addresses that you want to have handled differently. Mail from email addresses on your Safe List will never be quarantined in your spam quarantine or removed, even if it has been classified as Spam or Probable Spam. Note that safelisted users can appear in your Connection Quarantine because they are exceeding connection thresholds. Safe lists only apply to the spam quarantine section of your End User Digest, not the Connection Quarantine section. Mail from email addresses on your Blocked List will never be sent to your inbox, even if it has been classified as Not Spam.

You can request a copy of your Safe and Blocked Senders Lists or add or remove email addresses from either list at any time. Steps on how to request a copy of your Safe/Blocked Senders List and add entries onto either list are outlined in the Anti-Spam End User Digest Help document.
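The routing rules in this FAQ, combined into one decision function and a digest builder. This is an added example, not the anti-spam product's code: the `Msg` record, the `blocked` destination label, the sample mail, and the order in which the connection check, Blocked list and Safe list are consulted are assumptions of the example.

```python
from dataclasses import dataclass

# Score bands exactly as listed in this FAQ (inclusive bounds).
BANDS = [(99, 100, "Spam"), (80, 98, "Probable Spam"),
         (50, 79, "Maybe Spam"), (0, 49, "Not Spam")]

@dataclass
class Msg:  # hypothetical record for this example, not the product's data model
    sender: str
    subject: str
    score: int                    # 0 (not spam) .. 100 (spam)
    over_threshold: bool = False  # tripped a connection threshold or criterion

def category(score):
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"spam score out of range: {score}")

def route(msg, safe, blocked):
    """Return where one message ends up for a user with these two lists."""
    sender = msg.sender.lower()
    if msg.over_threshold:        # Connection Quarantine ignores the Safe list
        return "connection_quarantine"
    if sender in blocked:         # never reaches the inbox, whatever the score
        return "blocked"          # assumed label; the FAQ names no destination
    if sender in safe:            # never quarantined or removed
        return "inbox"
    return {"Spam": "deleted", "Probable Spam": "quarantine"}.get(
        category(msg.score), "inbox")

def build_digest(msgs, safe, blocked):
    """Collect the two digest sections; deleted and delivered mail is not listed."""
    digest = {"quarantine": [], "connection_quarantine": []}
    for m in msgs:
        dest = route(m, safe, blocked)
        if dest in digest:
            digest[dest].append(m)
    # Digest order from the FAQ: likeliest spam at the bottom of the list.
    digest["quarantine"].sort(key=lambda m: m.score)
    return digest

# Constructed sample mail and lists.
SAFE = {"registrar@example.edu"}
BLOCKED = {"news@example.com"}
SAMPLE = [
    Msg("a@example.net", "Cheap meds", 100),
    Msg("b@example.net", "You won", 91),
    Msg("c@example.net", "Invoice attached", 84),
    Msg("registrar@example.edu", "Transcript request", 93),
    Msg("registrar@example.edu", "Mass mailing", 10, over_threshold=True),
    Msg("news@example.com", "Weekly newsletter", 5),
    Msg("d@example.org", "Lunch?", 60),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.score:3} {m.sender:24} -> {route(m, SAFE, BLOCKED)}")
    print([m.subject for m in build_digest(SAMPLE, SAFE, BLOCKED)["quarantine"]])
```
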

Q How Should the Blocked Senders List be Used?

A Blocked Senders Lists are used to block legitimate but undesirable bulk email (such as newsletters, etc.) that you've tried to opt-out of but continue to receive regular mailings from.

You may think to use Blocked Senders Lists as a way to combat the small amount of spam that makes its way to your inbox. In fact, Blocked Senders Lists are ineffective when used this way, because spammers consistently change who the spam comes from (i.e. you may see a spam that comes from vaigar@userpost.isp.district.de one day and cialus2@userpost.isp.district.de the next). Both might appear to come "from" president@commnet.edu, and adding the "from" of that spam to your Blocked Senders Lists will not stop future forged spam, such as when they make it appear to come "from" vicepresident@commnet.edu. Spammers choose who the message appears to come from out of a hat and it's most likely never going to be the same thing twice, so blocking it is ineffective.

The best method to fight that small amount of spam is to just delete it from your inbox. Over time, the anti-spam software will take care of the spam by learning the characteristics of how it made it past the filter.

Only use the Blocked Senders List as a way to block newsletters, mailing lists, etc. that are legitimate (i.e. not spam) but are undesirable. If you wish to add an email address to your Blocked Senders List, just copy and paste the address you see in the "from" field of a newsletter email into the list, and any mail that appears to be coming from that address will be blocked in the future.

Q I used to have Safe/Blocked Senders in my list - where did they go?

A In August of 2008, the anti-spam environment was upgraded and the functionality of Blocked Senders List was changed, therefore any Blocked Senders added before August of 2008 were removed at the time of the upgrade. Safe Senders Lists were not affected by the upgrade.

Outside of the upgrade performed in August of 2008, Safe/Blocked Senders Lists may be removed if changes to your account occur in the AD environment. Safe and Blocked Senders lists are attached to your email address in the Anti-Spam user database. Each night, the user database is created from active accounts in the college's AD environment. In order to keep the user database up-to-date when accounts are removed or modified (such as when someone gets married and changes their email address), it is possible for your account to be removed from the user database if it is not found in the AD environment (or is inactive).

When accounts are removed from the Anti-Spam user database, all Safe and Blocked Senders lists for that user are removed as well. If your account is re-added later, you will again receive End User Digests and be protected by the anti-spam software, but the Safe and Blocked Senders lists you had when your account was removed or renamed are lost.

This isn't such a bad thing, because most entries in Blocked Senders Lists age out over time and hence entries you added last year are probably ineffective by now. You would have to recreate your Safe Senders/Blocked Senders List if they are removed.

Q What is the check box next to each email address in my Safe/Blocked Senders List?

A This does not indicate whether an email address in your Safe or Blocked Senders List is active. It is used to select email addresses in order to edit or delete entries from your list.

If you want to edit an email address, check the check box next to the email address and select Edit in the menu bar at the top. You will then be able to edit the selected email address.

If you want to delete a single or multiple email addresses, check the check box next to the email addresses you want to delete and select Delete in the menu bar at the top of the window. All the entries that were selected are then deleted.

Q I've received a message that appears to be from a commnet.edu address and I believe it may not be real. How do I know?

A Some viruses try to trick users into opening an attachment or visiting a website by making an email message appear to come from the user's local system. You may see email messages that appear to come from "administrator@commnet.edu" or "system@commnet.edu" that ask you, for example, to "open the following attachment for your new password so that you can access your files."

Virus writers can make their email appear to come from virtually any email address and can say very convincing things in the body of the email so that you think it is really a legitimate email.

In order to protect us from these tactics, when the anti-spam software detects that a message is being sent to our users from outside our system, but has a "commnet.edu" address as the "From" address, it will send the message on to the end user as an attachment and put the following message in the body of the message:

---------------------------------------------------------
Do NOT open the attached email without first reading the Anti-Spam FAQ item on this topic found at: http://www.commnet.edu/it/anti-spam-faq.asp#FakeCommnetEdu.

The attached email was sent from outside the CT Community College (CCC) system yet has a "From" address that ends with commnet.edu. This makes it appear as if it originated from inside our system. Under no circumstance will this message show up in an actual message from the CCC system.

If you still have questions or concerns, please contact your local IT department.
-----------------------------------------------------------

As noted in the message: under no circumstance will this message show up in an actual message from the CCC system. Any email that appears to come from a "system like" commnet.edu account and also contains this message is most likely fraudulent.

Since there are legitimate situations where this may occur (for example when forwarding articles from newspaper websites), we allow the end user to decide what to do with these types of messages instead of assuming they are all fraudulent.

The original email message (a .msg file attachment) is attached to this warning and can be opened. As always, you should be cautious of any attachments the original message has and should make an educated decision on whether to open the attachment or not.
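A sketch of the check described in this answer, added here as an example and not taken from the anti-spam product. It assumes that "outside our system" is decided by the connecting IP address (the `INTERNAL_NETS` range is a documentation placeholder) and attaches the original as a `message/rfc822` part; the function names and sample mail are constructed for the example.

```python
import ipaddress
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "commnet.edu"
# Placeholder range (TEST-NET-1) standing in for the internal mail hosts.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WARNING = ("Do NOT open the attached email without first reading the "
           "Anti-Spam FAQ item on this topic.")  # abbreviated from the FAQ

def is_internal_peer(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in INTERNAL_NETS)

def claims_internal(msg):
    """True if the From address is in the internal domain or a subdomain."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Compare on a label boundary so "notcommnet.edu" does not match.
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)

def screen(raw, peer_ip):
    """Return the message to deliver: the original, or a warning wrapper."""
    msg = message_from_string(raw, policy=policy.default)
    if is_internal_peer(peer_ip) or not claims_internal(msg):
        return msg
    wrapper = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            wrapper[header] = str(msg[header])
    wrapper.set_content(WARNING)
    wrapper.add_attachment(msg)  # original travels as a message/rfc822 part
    return wrapper

def make_raw(sender, subject="Your new password"):  # constructed sample mail
    return (f"From: {sender}\nTo: user@commnet.edu\nSubject: {subject}\n\n"
            "Open the following attachment for your new password.\n")

if __name__ == "__main__":
    for sender, ip in [("administrator@commnet.edu", "203.0.113.9"),
                       ("administrator@commnet.edu", "192.0.2.10"),
                       ("x@notcommnet.edu", "203.0.113.9")]:
        out = screen(make_raw(sender), ip)
        print(sender, ip, "->", out.get_content_type())
```
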

Q What about lost e-mail?

A Depending on which spam category your email message was placed into, your message will either be found in your inbox or in your quarantine. Only mail messages that have the highest spam scores (99 or 100) are removed from the system. Any messages that may be spam or could be spam are sent to your quarantine for review. You will receive an End User Digest in your inbox twice a day with all your messages that are in your quarantine since you last received a digest, if any.

If you identify a message in the quarantine that is not spam, you can release it from the quarantine area and it will be sent to your inbox. If you want, you can also add users to your own Safe list so that email from these users will never be tagged as spam. Steps to perform both of these actions are outlined in the Anti-Spam End User Digest Help document.

Q What kind of attachments are stripped and why?

A The anti-spam software strips very large attachments as well as certain file types that are known to be inherently insecure or are commonly used to spread viruses. Most of the file types are not commonly used in typical email communications for sending pictures, videos, etc. They are typically system files such as .dll, .inf, .pif or .scr files, so stripping these files most likely will not affect everyday email communication. But you may run into certain file types, such as .mdb files that are used in classroom settings, that are also stripped due to their inherent insecurity.

For security reasons, we do not list all the file types that will be stripped, but you will know if an attachment was stripped because a footer will be added to the message body similar to this text:

------------------------------------------------------------
NOTE: This email included an attachment that has been stripped due to the inherent security risk associated with certain types of file.

For more information see the Anti-Spam FAQ item: http://www.commnet.edu/it/security/anti-spam-faq.asp#Attachments
------------------------------------------------------------

The software will strip these files based on the type of file that it is, not just the extension used to name the file. Therefore, renaming the files to another extension will NOT allow them to pass the filter.

If a compressed archive (.zip, .rar) contains files that will be stripped, the entire archive will be removed, so compressing them will NOT allow them to pass the filter. Due to how the software identifies files that will be stripped, a footer (shown above) will be appended to the email message for each file it found in the archive.

Use another method to transport these files such as FTP or HTTP if there is a need to get these files to/from a CCC system.
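Why renaming or zipping a file does not help, shown as an added example that is not the anti-spam product's code: the filter looks at the leading bytes of each file, and at each member of a ZIP archive, instead of the file name. The two signatures are assumptions chosen for illustration (the FAQ publishes no list), the function names are hypothetical, and only ZIP is handled.

```python
import io
import zipfile

# Assumed signatures for illustration; the FAQ deliberately publishes no list.
SIGNATURES = [
    (b"MZ", "Windows executable format (.dll, .scr)"),
    (b"\x00\x01\x00\x00Standard Jet DB", "Access database (.mdb)"),
]
HEAD = 32  # bytes read per file; enough for every signature above
FOOTER = ("NOTE: This email included an attachment that has been stripped due "
          "to the inherent security risk associated with certain types of file.")

def sniff(head):
    """Classify by leading bytes, ignoring the file name entirely."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None

def inspect_attachment(name, data):
    """Return (file, reason) findings; any finding means drop the attachment."""
    label = sniff(data[:HEAD])
    if label:
        return [(name, label)]
    if not data.startswith(b"PK\x03\x04"):      # not a ZIP archive
        return []
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:   # read only a prefix, so a huge
                    label = sniff(member.read(HEAD))  # member is never expanded
                if label:
                    findings.append((f"{name}!{info.filename}", label))
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Assumption of this example: an archive that cannot be read
        # (corrupt, encrypted, unknown method) counts as a finding.
        findings.append((name, "unreadable archive"))
    return findings

def filter_message(body, attachments):
    """Return (new_body, kept_names), adding one footer per offending file."""
    results = [(n, inspect_attachment(n, d)) for n, d in attachments]
    kept = [n for n, found in results if not found]
    footers = sum(len(found) for _, found in results)
    return body + ("\n" + FOOTER) * footers, kept

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()

# Constructed sample bytes: headers only, not working files.
PE = b"MZ\x90\x00" + bytes(60)
JET = b"\x00\x01\x00\x00Standard Jet DB\x00" + bytes(40)
BUNDLE = make_zip({"readme.txt": b"hi", "tool.dat": PE, "grades.bin": JET})
SAMPLE = [("notes.txt", b"meeting at 3pm"), ("holiday.jpg", PE),
          ("bundle.zip", BUNDLE)]
```
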

Q What does the error: "Message No Longer Available" mean?

A You are trying to release a message that no longer exists in your quarantine. Messages are removed from your quarantine after 7 days and you cannot release them anymore. To see what messages are available for releasing, request a Full End User Digest. Steps on how to request a Full End User Digest are outlined in the Anti-Spam End User Digest Help document.

Q Why is there a "quarantine" folder in my Outlook folder list?

A You may have a folder labeled "quarantine" in your Outlook folder list if your Outlook anti-virus software is configured to use such a folder. This folder is created by an Outlook anti-virus product, not by this anti-spam software, and it is not the same quarantine that is referred to in these documents.

Your anti-spam quarantine resides on the anti-spam server and not in your Outlook folders. The only access you have to your anti-spam quarantine is through your End User Digests that are emailed to you.

© Copyright Connecticut Community Colleges 61 Woodland Street Hartford, CT 06105 860-244-7600