
 

Keeping Spam Out of Your E-Mail


Spam is a major issue at every large organization - and the university is no exception. UC has a solution in place to protect us all from the majority of spam messages, but for the solution to be most effective, you need to do something as well.

UC's spam filter scans all incoming e-mail messages and tags each with a score from 0 to 300, indicating the likelihood that the message is spam. The system removes items with a score of 300; that mail never reaches your e-mail inbox. Items that score in an intermediate range, between 50 and 299, are "most likely" spam, but are not removed as there is a chance they are legitimate.

You can set up a filter in your local e-mail client to send the "possibly spam" messages to a junk mail folder. After spending about five minutes to set up a filter, you should notice an immediate reduction in the amount of incoming spam. Periodically, you will want to go through your junk mail folder to move any legitimate messages to your inbox, and empty out the junk mail folder.

Our good friends in the Information Security department have created step-by-step instructions for setting up spam filters.

For more technical details on the spam-blocking technologies we employ here, please read on.


What is Spam?

Spam is unsolicited commercial e-mail or unsolicited bulk e-mail. Typically, a spammer buys or steals lists of e-mail addresses, or harvests the addresses from the Internet. If your e-mail address appears in a newsgroup, a web site, a chat room, or in an online membership directory, it may find its way onto these lists. The spammer then uses software to send thousands or millions of messages. Gartner Inc., a consulting and research firm, has identified four types of spam, with the first two accounting for 25% of the e-mail messages on the Internet through 2002:
  1. Pure-trash spam (e.g., fraudulent schemes, invalid senders, ads from porn web sites, etc.)
  2. Chain letters, urban legends, and hoaxes
  3. Honest individuals or businesses trying to make a living ("junk mail")
  4. Occupational spam from colleagues (e.g., from LISTSERVes)

What is E-Mail Spoofing?

E-Mail spoofing is the deliberate forging of a sender's e-mail address. The culprit pretends to be another person you may know or uses a name you may trust, for example:  @UC.Edu.

What are Phishing and Pharming?

Phishing attacks use spoofed e-mail messages and fraudulent web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, and social security numbers.

Pharming uses the same kind of spoofed sites, but uses spyware to redirect users from real web sites to the fraudulent sites, typically via DNS-hijacking. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince unwary recipients to respond to them.

What Should I Do When I Receive Spam E-Mail?

  • Delete spam e-mail.
  • Do not send an unsubscribe message to the sender. Pure-trash spammers use this to confirm the validity of an e-mail address.
  • Refrain from clicking on any links. Clicking on web links may expose your computer to a virus.

What Can I Do to Avoid Receiving Spam E-Mail?

  • Never reply to spam.
  • Spam may include "remove me" or "unsubscribe" links. A click may confirm that yours is an active address.
  • The "From:" address may be spoofed or forged so replying to the apparent originator will not work.
  • Be very cautious about displaying your e-mail address in newsgroups, chat rooms, web sites, or online directories. Think carefully before you post to a Usenet newsgroup. Subscribe only to essential discussion lists, and ensure that they are moderated.
  • If you are thinking of filling out a form on a web site, check the site's privacy policy first to be sure it uses secure technology, and that the company does not share e-mail addresses with others. If the site doesn't have a privacy policy that describes this to your satisfaction, consider not using that service.
  • Learn how to filter junk and adult content e-mail. Each e-mail client has its own filtering processes. These processes usually include an automated filtering process maintained by the client itself or a user-specified filtering process where the user defines the filtering rules. Also, most e-mail clients have options for creating lists of blocked senders and safe senders to control messages at a very personal level. Check Help for your e-mail client or contact the UCit Help Desk at 556-HELP (4357) for instructions on setting up filters or tips on managing junk mail with your e-mail client.

Laws Governing Spam

The US Federal Government and the State of Ohio have introduced laws to regulate the transmission of e-mail advertisements.

  • CAN-SPAM Act of 2003. This bill was signed by the President on December 16, 2003, and took effect on January 1, 2004. The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The Federal Trade Commission is authorized (but not required) to establish a "do-not-email" registry.

    http://www.spamlaws.com/federal/can-spam.shtml

  • An Ohio law approved in August 2002 (effective November 2002) requires unsolicited commercial e-mail messages to contain the sender's name, address, and e-mail address, along with opt-out instructions, and requires senders to honor opt-out requests. These requirements do not apply to messages sent based upon a "direct referral" from another person. It is illegal to forge the sender's address or other routing information in commercial e-mail messages. The law also enables a provider to sue a sender of commercial e-mail for violating the provider's policies if (1.) the sender had actual notice of such policies, or (2.) the policies were posted on the provider's web site and were communicated electronically to the sender's computer.

    http://www.spamlaws.com/state/index.shtml

    http://www.spamlaws.com/state/oh.shtml

What Is UCit Doing To Protect Users From Spam E-mail?

95% of all spam coming into the university is detected by some aspect of UCit's anti-spam monitoring.

If you use the Internet, you will get some unsolicited e-mail. Users have asked UCit to do something to control spam. We have introduced spam control on several fronts. Which spam detection devices block the most spam? What percentage of incoming messages are dropped? What percentage of incoming messages are delivered to your e-mail box? You can find the answers to these questions in the information presented here.

  • Rapid Anti-Spam Drops
42% of all university e-mail messages are detected as spam by Rapid Anti-Spam and dropped.

The Rapid Anti-Spam system monitors all e-mail entering the university. Basing its decisions on a sophisticated analytical method, the system tags message headers with scores from 0 to 300, indicating the probability of the message being spam. Any e-mail message scored at 300 is decidedly spam. All messages with this score are dropped, preventing a large percentage of spam from reaching the mailboxes of university e-mail users.

  • Spam Alert Services (RBL Drops)
5% of all university e-mail messages are detected as spam by these spam alert services and as a result are dropped.

UCit has subscribed to two spam alert services known as Spamhaus and SpamCop. Both services track the Internet's Spammers, Spam Gangs, and Spam Services, providing dependable real-time anti-spam protection for Internet networks. They both work with Law Enforcement to identify and pursue spammers worldwide. Specifically, these services identify and tag any e-mail that comes from an IP address listed on an RBL, a Realtime Blackhole List. Spamhaus and SpamCop maintain these lists of IP addresses whose owners refuse to stop the proliferation of spam.
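How a mail gateway asks an RBL whether a sending IP address is listed, as an added example (not UCit's configuration or code). The zone names are the public DNS zones of the two services; `fake_resolve` and its data are constructed so the example runs offline, and passing no `resolve` argument uses real DNS.

```python
import ipaddress
import socket

ZONES = ("zen.spamhaus.org", "bl.spamcop.net")  # public zones of the two services


def dnsbl_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_ip(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: 'listed' | 'not listed' | 'error'} for one sending IP."""
    result = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            # No A record. gethostbyname cannot tell NXDOMAIN from a resolver
            # failure, so a production check should use a real DNS library.
            result[zone] = "not listed"
            continue
        if answer.startswith("127.255.255."):
            result[zone] = "error"   # Spamhaus query-error codes, not a listing
        elif answer.startswith("127."):
            result[zone] = "listed"  # any other 127.0.0.0/8 answer is a listing
        else:
            result[zone] = "error"   # unexpected answer, e.g. a rewritten NXDOMAIN
    return result


# Constructed answers standing in for DNS. 127.0.0.2 is the conventional
# always-listed test address; 192.0.2.1 is a documentation address.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "1.2.0.192.zen.spamhaus.org": "127.255.255.254",
}


def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for " + name)
    return FAKE_DNS[name]


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.1", "198.51.100.7"):
        print(ip, check_ip(ip, resolve=fake_resolve))
```

The `error` verdict matters in practice: a gateway that treats every answer as a listing will start rejecting legitimate mail when the list operator returns an error code instead of a result.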

UCit deployed the Spamhaus spam management solution in September 2004. At that time, we intended for each user to filter the RBL-tagged e-mail using published filtering instructions. However, in December 2004, it became necessary for UCit to block RBL-tagged messages deemed as spam from entering the university e-mail system. This move prevents spam from reaching university e-mail boxes for all users.

UCit decided to block RBL-tagged messages because of escalating numbers of spam messages, which ranged from 30,000 to 500,000 per day. Users saw the effects of this in network slowdowns and even brief stoppages. UCit took this action to address these attacks and prevent the crippling of our e-mail systems.

In an effort to block even more spam, UCit E-mail Services implemented a second spam alert service, SpamCop, in early Summer 2005.

  • UCit-Lists Drops
2% of the university's e-mail messages are detected as spam by UCit-maintained lists of reported spam and are dropped from the delivery queues.

Over time, as University faculty, staff, and students have reported spam, UCit has maintained lists of servers that are responsible for sending spam and subject lines for messages that are known spam. UCit blocks any IP where spamming has been reported if there have been at least twenty complaints about a particular spammer and if we are provided with the original Internet Headers. Specifically, UCit can do the following:

  1. Contact the ISP hosting the account and lodge a formal complaint.
  2. Initiate a block on the spammer's "From:" address. (Usually the header is forged and will change.)
  3. Initiate a block on the corresponding IP address of the system from which the spam originated.
  4. Initiate a block on the domain (multiple IPs) from which the spam originated. Please Note: The blocking of IP addresses and domains can result in the blocking of legitimate mail and is used only in extreme circumstances.

Now, with the improvements made by the implementation of other spam control devices, these lists are becoming less and less important, but they are still effective in catching some level of spam at the university. Because the reports came from university constituents, these messages have always been dropped. This practice continues, although it is hoped that other spam control efforts will eventually replace this level of service.

  • Rapid Anti-Spam Tags
Another 15-20% of your spam can be controlled through the use of filters set up in your e-mail client.

The Rapid Anti-Spam product provides another spam control device in addition to indicating what spam can be dropped. Because this product scores any message that has the potential of being spam, any message with a score from 50-299 is also tagged with a UCE (Unsolicited Commercial E-mail) score. This tag gives an individual e-mail user the option of managing spam by setting up a filter in his or her e-mail client. After defining a folder for spam, the user can have messages moved to the spam folder by setting up a simple filter. The user can then review messages that were moved to the spam folder, verifying that all of them are spam and none of the messages are needed.

Instructions on how to set up these filters are included in Setting up Filters for Spam Tagged by Rapid Anti-Spam.
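The logic of such a client-side filter, as an added example (not UCit's published filter instructions). The header name `X-UCE-Score` is hypothetical, since this page does not name the header that carries the score; the 50 and 300 thresholds are the ones given above, and the sample messages are constructed.

```python
from email import message_from_string

SCORE_HEADER = "X-UCE-Score"    # hypothetical name; the page does not give the real header
JUNK_MIN, DROP_SCORE = 50, 300  # thresholds stated on the page


def gateway_score(msg):
    """Return the score tagged on the message, or None if absent or unusable."""
    scores = []
    for raw in msg.get_all(SCORE_HEADER, []):
        raw = raw.strip()
        # Accept only plain integers inside the documented 0-300 range.
        if raw.isascii() and raw.isdigit() and int(raw) <= DROP_SCORE:
            scores.append(int(raw))
    # A sender can pre-insert its own copy of the header, so when several
    # copies are present the highest value wins (an assumption of this example).
    return max(scores) if scores else None


def route(raw_message):
    """Return the folder a client-side rule would file this message in."""
    score = gateway_score(message_from_string(raw_message))
    if score is None or score < JUNK_MIN:
        return "Inbox"
    return "Junk"  # 50-299, and any 300 that was not dropped upstream


# Constructed sample messages, not real mail.
SAMPLES = {
    "clean": "From: a@example.org\nX-UCE-Score: 12\nSubject: notes\n\nhi\n",
    "tagged": "From: b@example.org\nX-UCE-Score: 187\nSubject: offer\n\nbuy\n",
    "untagged": "From: c@example.org\nSubject: hello\n\nhi\n",
    "malformed": "From: d@example.org\nX-UCE-Score: high\nSubject: x\n\nhi\n",
    "duplicate": ("From: e@example.org\nX-UCE-Score: 240\n"
                  "X-UCE-Score: 0\nSubject: y\n\nhi\n"),
}


def route_all():
    return {name: route(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in route_all().items():
        print(f"{name:10} -> {folder}")
```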

  • Controls University Spammers
    UCit disconnects service to any computer on the UC network that sends out spam.
  • Protects UC LISTSERV from Spam
    When the LISTSERV determines that a message is spam, it locks out the sender for 48 hours, during which the user is still able to use the LISTSERV normally and to post to mailing lists, but all messages are forwarded to the list owners for human verification. UCit informs the user that this has occurred.
  • Investigates Spam Services
    UCit works with software vendors and explores any new services that could help manage spam for university e-mail users. As new solutions are available, they will be researched and, where appropriate, implemented.

Spam Control

Do not expect that even the combination of all these anti-spam services will catch all spam. The nature of spam makes it impossible for any anti-spam engine to be current all the time. Three circumstances where spam can get past the spam detection devices are when:

  1. a spammer constantly moves operations from one server to another,
  2. a spammer uses the servers of "legitimate" services for spam mailings for short periods of time, and
  3. a spammer sends spam in small batches (disguising bulk mailing).

Spam control is ever-changing. Spammers are always trying to slip under the anti-spam devices by changing their operations. Spam slips through the spam control products, vendors investigate, change their product or service, and the services catch it the next time. Conversely, spam that was caught one time might not be caught the next. UCit is confident that legitimate e-mail is not being blocked as a result of any of the above-described actions.

False Positives

Because some spammers send spam by using the servers of legitimate services for short periods of time, there is a chance that you will have e-mail falsely detected as spam. This results in what is known as a false positive. If you elect to set up additional spam filters within your mail client, you are advised to review your junk-mail folder periodically to ensure that legitimate e-mail has not been filtered.

Questions about Spam

Here are some additional links to more information on fighting spam:

Spamhaus

SpamCop

Anti-Phishing Work Group

US Department of Justice Report on Phishing

Network Abuse Clearinghouse

Public Access Network Communications

Reporting Spam "Boilerplate" Memos

Where to Send your Spam Complaints

How to Complain to the Spammer's Provider

How to Find Internet Headers to Include with a Spam Complaint


If you have questions or need assistance, please contact the UCit Help Desk (556-4357). 



Office of Information Technologies
University of Cincinnati
400 University Hall
University of Cincinnati
P.O. Box 210658
Cincinnati, OH 45221-0658
Phone: 513-556-HELP(4357); Fax 513-556-1006
E-mail: helpdesk@uc.edu 

Copyright Information © University of Cincinnati