Anti-spam and Attachment Blocking FAQs
(Frequently Asked Questions)
Spam General
- Can I continue to receive all of my email that is marked by "spam?"
- Does ITS start out with a campus default threshold setting for spam rejection?
- Will the ITS Help Desk be prepared to take user calls on changes?
- Is there any way for users to opt for a spam header instead of a modified subject line?
- How often are the PureMessage anti-spam policy groups rebuilt?
Attachment Blocking Practices - In June and July of 2004 ITS solicited customer input by sending an e-mail to all faculty, staff and students, held several discussion forums and sponsored an online feedback form regarding the Campus E-Mail Defense Plan proposals. We also spoke with several campus organizations. The consensus gained through these activities was to move ahead on both proposals. Answers to the questions generated by these communications can be viewed below.
- Is there a way that users can opt out of the attachment blocking?
- How can a non-computer savvy person send or receive any of the blocked attachments?
- When an attachment is blocked, will the filename be included in the message that is sent?
- What mechanism will exist to provide continued visibility of the filter list of the moment?
- Does ITS plan to offer training on other methods of routine file transfer?
- Will MS Word, Excel and PowerPoint documents be automatically deleted?
- Will I still be able to send and receive photographs, images and documents?
- If the attachment was legitimate (from a known sender or expected) can it be retrieved?
Spam is unsolicited commercial e-mail (UCE) or junk e-mail. A more complete definition can be found at the following sites:
http://www.webopedia.com/TERM/s/spam.html
http://www.mail-abuse.com/
Additional spam information can be found on the Sophos site.
How does spam affect workplace productivity?
Following is an example of the potential impact of spam on workplace productivity and lost salaries.
Workplace Environment:
Number of employees with email: 15,000
Number of workdays per year per employee: 230
Average hourly salary per employee: $25
Average number of spam emails per day per employee: 10
Number of seconds wasted with each spam email message: 5
Lost Salary:
Total corporate yearly: $ 1,197,916.67
Total corporate daily: $ 5208.33
Total employee yearly: $ 79.86
Total employee daily: $ 0.35
Lost Productivity:
Total corporate yearly: 5972.99 days
Per employee yearly: 3.19 hours
These totals represent only a single component of the overall cost of receiving spam. Other organizational effects include:
- Network resource drain, including Internet bandwidth, mail server processing cycles, and storage capacity
- Potential legal issues resulting from creating a 'hostile environment', especially when the contents are offensive to certain segments of employees
Does Iowa have an anti-spam law?
Yes. See Iowa Code Chapter 714E for details.
ITS currently runs Sophos PureMessage, which scans for and blocks or flags potential spam. E-mail addressed to @uiowa.edu is being screened. Most messages sent from University of Iowa on-campus computers are not scanned even though they are sent to @uiowa.edu addresses.
- Messages sent to your university alias (firstname-lastname@uiowa.edu) email address will be rejected if the spam probability is 99% or higher.
- The default for Special Email Accounts will be to continue to flag potential spam with # signs and deliver them (tag & deliver). To change the spam threshold setting for Special Email Accounts, contact the ITS Helpdesk at (319) 384-Help (4357).
Details on The University of Iowa Anti-Spam Service
What should I do if I receive spam?
Do NOT reply to spam mail, even if the message contains a "remove me from your list" link. Replying only serves to alert the sender that your e-mail address is "live". Also, if you receive a message with instructions to forward it to everyone you know, do NOT send it. Instead, verify that the message is a hoax and then notify the sender. See BEST PRACTICES For Dealing with spam Electronic Mail for additional information.
How does PureMessage identify spam?
PureMessage identifies spam using a combination of heuristics, spam directories, and spam signatures. ActiveState continually updates their filters as spammers change their tactics.
Where can I find more information about PureMessage?
See the Sophos PureMessage site for detailed information.
How does PureMessage flag potential spam?
PureMessage adds "spam?#" at the beginning of the subject line for messages with greater than 50% probability of being spam. This makes it easy to identify potential spam. Additional "#" characters are inserted as the spam probability increases. For example, a spam probability over 50% receives one #; over 60% probability receives two #s; and so forth.
Additional headers are included in messages with a greater than 20% probability of being spam. These headers provide more detail about the spam content as well as allow a greater degree of filtering. The spam headers can provide some hints as to why a given message was marked as spam.
Details on The University of Iowa Anti-Spam Service
How do spam messages display in my inbox?
From | Subject
Anna4 [lovergirlie44p_cx@newmail.ru] | [spam?####] Hot parties - hot and crazy
vertex-@yahoo.com | [spam?####] toner cartridg prices per your request
No Phone Bills [FlatRate@covad.net] | [spam?####] Zero Cents Per Minute – Unlimited Calling
cool [47458hpsttrf@betterclix2go.com] | [spam?##] inkjet supplies, great prices, quick shipping
tomembers@premiumsmail.net | [spam?#] Get Your Own Teleconferencing Service
Does PureMessage flag all spam messages?
Occasionally a spam message will slip through without being flagged because spammers are constantly coming up with new ways to "beat the system". The reverse is also true: once in a while a legitimate message might be flagged as spam when it is not.
How do I set up a spam filter in my e-mail client?
Because PureMessage adds the standard "spam?#" in the subject line of potential spam messages, it is easy to filter spam from your inbox to another location. Each e-mail client has a slightly different way to set up a filter (rule). Listed below are the most popular clients. Click on your preferred client for specific information on how to set up a spam filter.
Eudora 6.x
Outlook 2003
Outlook Express 6
Webmail
Entourage (Macintosh)
Mail (Macintosh)
Ximian Evolution (Linux)
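The same kind of rule can be expressed outside a mail client. The following Python is an added example, not ITS or Sophos code: it reads the "spam?#" subject tag described above, maps the number of "#" characters to the approximate probability band, and files a message accordingly. The function names and the 70% junk cutoff are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Tag format from this page: "spam?" plus one or more "#", optionally in
# square brackets (as in the inbox listing), at the start of the subject.
TAG_RE = re.compile(r"^\s*\[?spam\?(#+)\]?")

def spam_band(subject):
    """Return the approximate (low, high) spam probability in percent that
    the tag implies, or None when the subject does not start with a tag."""
    match = TAG_RE.match(subject)
    if match is None:
        return None
    count = min(len(match.group(1)), 5)   # five "#" already covers 90-100
    low = 40 + 10 * count                 # "#" -> 50, "##" -> 60, ...
    return (low, low + 10)

def route(subject, junk_from=70):
    """File under Junk when the tagged band starts at or above junk_from
    (assumed cutoff); untagged mail and lower bands stay in the Inbox."""
    band = spam_band(subject)
    return "Junk" if band is not None and band[0] >= junk_from else "Inbox"

def route_message(raw, junk_from=70):
    """Apply the same rule to a raw RFC 5322 message."""
    message = message_from_string(raw, policy=default)
    return route(str(message["Subject"] or ""), junk_from)

# Constructed sample; the subject is one of the rows in the listing above.
SAMPLE = (
    "From: sender@example.org\n"
    "To: firstname-lastname@uiowa.edu\n"
    "Subject: [spam?####] toner cartridg prices per your request\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(route_message(SAMPLE))
    # A tag that is not at the start (for example, quoted in a reply)
    # is not treated as a PureMessage flag.
    print(route("Re: [spam?####] Hot parties - hot and crazy"))
```

Because the pattern is anchored to the start of the subject, a reply or forward that merely quotes a flagged subject stays in the Inbox.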
Can I continue to receive all of my email that is marked by "spam?"
You can opt out completely and/or change your spam rejection threshold via the Anti-Spam Tool.
Can I change my spam rejection threshold?
You can opt out completely and/or change your spam rejection threshold via the Anti-Spam Tool.
Does ITS start out with a campus default threshold setting for spam rejection?
Yes. ITS is now rejecting spam that is scored at least at 90% probability. You can opt out completely and/or change your spam rejection threshold via the Anti-Spam Tool.
We recommend you leave the setting at the default 99%, or higher.
Does the ITS Help Desk take user calls on changes?
Of course! The ITS Help Desk is prepared to point you to our online documentation and talk you through making the change yourself or they will make the change for you.
Is there a way to identify "safe senders", i.e., to notify the system specifically of what I would like to receive?
The PureMessage system does not have a facility for identifying "safe senders." If you need to receive e-mail that is currently marked as "spam?###" you should set your spam threshold low (the default) or choose to mark-and-deliver all e-mail (like the old system), or you can opt-out of the service completely (not recommended). Most email clients, including Outlook, allow for the creation of a safe or trusted senders list. This is also called a "white list."
For specific information on how to set up filters for your email client see How do I set up a spam filter in my e-mail client?
Is there a way for me to block only specific senders?
The PureMessage system does not have a facility for individuals to block specific senders. You might want to keep your spam threshold low or opt-out of the service completely and use your email client filtering capabilities to block specific senders.
For specific information on how to set up filters for your email client see How do I set up a spam filter in my e-mail client?
Will I be notified when email addressed to me is rejected?
No. The sender will be notified that this email has been rejected. This message to the sender will include why the email was rejected.
What is used to determine what is or is not spam?
ITS uses a software product called PureMessage (from Sophos) to filter and mark the "spam?" messages. PureMessage identifies spam using a combination of heuristics, spam directories, and spam signatures. Sophos continually updates their filters as spammers change their tactics to get around the spam filters. See the Sophos PureMessage site for detailed information.
What does the "spam?#" marking mean?
The number of "#" after the spam? indicates the probability of the message being spam. Each pound sign roughly corresponds to an additional 10% probability (over 50%) of a message being spam. For instance, spam?### indicates the message is scored at up to (but not including) 80% probability of being a spam message. More information is available on the Anti-Spam Service web site.
Is it less expensive to implement a rejection service than it would be to simply receive the spam and delete it?
See How does spam affect workplace productivity?
Is there any way for users to opt for a spam header instead of a modified subject line?
Not at this time. We are taking your comment into consideration.
Instead of allowing people to set values of 70, 90, 99, notify and none, could you let them input a numeral for a specific amount of spam blocking?
Not at this time. This could be considered as a future enhancement if there is a need.
I changed my anti-spam policy group setting today, but I'm still receiving spam that I think should be blocked. What's happening?
The PureMessage software does not check the anti-spam policy groups in "real-time"; instead it uses replicated lists that are periodically updated. Until the lists are updated, your old setting is in effect.
How often are the PureMessage anti-spam policy groups rebuilt?
The replicated lists are updated once per day, around 17:15 hours.
What attachments will be blocked?
See Attachment Blocking for a full list of the attachments (file name extensions) that will be blocked. All attachments that are executable (programs) will be removed. Attachments that will not be blocked include: Word documents, spreadsheets, PowerPoint presentations, *.pdf files, photographs and images. However, if a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, it will be discarded. (Examples are encrypted .zip files, and password protected office productivity files.)
Similarly, if a *.zip archive contains a file with an extension (such as .EXE), which is in the list of suspect attachments, the entire zip file attachment is removed. (The service does not have the capability to remove a single file from a zip archive.)
For more information about attachments, see http://cio.uiowa.edu/itsecurity/bestprac/attachment.shtml
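The rules in this answer can be written as a single decision function. The following Python is an added example, not the PureMessage implementation: it removes an attachment whose extension is blocked, a zip archive that contains a blocked member, and a zip archive with an encrypted member. The one-entry extension set is a stand-in for the campus list, the function names are assumptions, and treating an unreadable archive as unexaminable is an assumption as well. Password-protected office files are not covered.

```python
import io
import os
import zipfile

# Assumption: stand-in for the campus list, which this page links to but
# does not reproduce; .exe is the only extension the page names.
BLOCKED_EXTENSIONS = {".exe"}

def is_blocked_name(name):
    """True when the final extension of name is on the blocked list."""
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS

def attachment_verdict(filename, data):
    """Return "remove" or "deliver" for one attachment (name plus bytes)."""
    if is_blocked_name(filename):
        return "remove"
    if not filename.lower().endswith(".zip"):
        return "deliver"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.flag_bits & 0x1:
                    return "remove"   # encrypted member: cannot be examined
                if is_blocked_name(member.filename):
                    return "remove"   # one blocked member removes the whole zip
    except zipfile.BadZipFile:
        return "remove"  # assumption: an unreadable archive counts as unexaminable
    return "deliver"

def make_zip(members, encrypted=False):
    """Build a constructed sample archive in memory from {name: bytes}.
    encrypted=True only sets the 'encrypted' flag bit in the first
    central-directory record; the content itself is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)

if __name__ == "__main__":
    print(attachment_verdict("notes.zip", make_zip({"notes.txt": b"hi"})))
    print(attachment_verdict("tools.zip", make_zip({"a.txt": b"hi", "run.EXE": b"MZ"})))
    print(attachment_verdict("locked.zip", make_zip({"a.txt": b"hi"}, encrypted=True)))
```

The check looks only at names and archive metadata, so a file renamed to docname.ext.rename.rename is delivered; that is why the procedure on this page has the recipient scan the file with a virus checker before renaming it back.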
Is there a way that users can opt out of the attachment blocking?
No. Users will be able to opt out of the spam filtering, but not the attachment blocking.
How can a non-computer savvy person send or receive any of the blocked attachments?
Ask the sender to:
- Rename the attachment to docname.ext.rename.rename, where docname.ext is the original name of the attachment including the extension.
- Send the attachment again (with this new name) and a personal message to you.
When you receive this new message with the attachment, you will need to:
- Download the attachment.
- Scan it with your virus checker.
- Rename it. (Windows: right click on the file and select Rename. You need to delete the part of the name that says ".rename" or ".rename.rename".)
Additional file transfer options are listed at http://cio.uiowa.edu/itsecurity/bestprac/attachment.shtml
When an attachment is blocked, will the filename be included in the message that is sent?
No. The inserted text will look like this:
======================================================================
A potentially unsafe attachment has been removed from this email
message. See
http://cs.its.uiowa.edu/email/cdp.shtml for further
information.
======================================================================
Will this change affect outgoing email?
No. This change will only affect incoming email addressed to @uiowa.edu. Also, most messages sent from University of Iowa on-campus computers are not scanned even though they are sent to @uiowa.edu addresses.
What mechanism will exist to provide continued visibility of the filter list of the moment?
ITS plans to update the list at http://cs.its.uiowa.edu/email/cdp.shtml as needed. We don't expect this list to change very often—it should remain static.
Does ITS plan to offer training on other methods of routine file transfer?
As methods are developed, documentation will be made available and training offered as needed.
Why doesn't ITS just rename the unsafe attachments?
ITS used an open source (free) software program to do attachment renaming a few years ago, but the software proved to be problematic for desktop anti-virus software, and was difficult to maintain. The renaming system was also inconvenient and disliked by most users, based on feedback received by the Help Desk.
Can I still click on URLs that end in .com?
Yes. Attachment Blocking will not affect URLs that are embedded in an email message.
Will MS Word, Excel and PowerPoint documents be automatically deleted?
MS Word, Excel and PowerPoint documents will not be deleted. See the Campus Defense web page for a list of attachments that will be deleted.
Will I still be able to send and receive photographs, images and documents?
Yes.
Can MS Access files be removed from the list?
No. MS Access files are executable files and therefore are potentially unsafe. If you need to receive an Access File:
Ask the sender to:
- Rename the attachment to docname.ext.rename.rename, where docname.ext is the original name of the attachment including the extension.
- Send the attachment again (with this new name) and a personal message to you.
When you receive this new message with the attachment, you will need to:
- Download the attachment.
- Scan it with your virus checker.
- Rename it. (Windows: right click on the file and select Rename. You need to delete the part of the name that says ".rename" or ".rename.rename".)
Aren't most viruses sent through .txt files anyway?
No. Viruses are only sent through executable files. Txt files are not executable.
If the attachment was legitimate (from a known sender or expected) can it be retrieved?
No.
Ask the sender to:
- Rename the attachment to docname.ext.rename.rename, where docname.ext is the original name of the attachment including the extension.
- Send the attachment again (with this new name) and a personal message to you.
When you receive this new message with the attachment, you will need to:
- Download the attachment.
- Scan it with your virus checker.
- Rename it. (Windows: right click on the file and select Rename. You need to delete the part of the name that says ".rename" or ".rename.rename".)
Will ITS provide everyone with personal web space and ftp capability and training as an alternative to legitimate file transfer via email?
ITS is developing a web accessible file storage service (called MyFiles) that can be used as a secure alternative to sending attachments via e-mail. Stay tuned to the Campus Services Web Publishing Support site for an announcement and details of this service.
Is it possible to distinguish between an attachment infected with a virus and one not infected before sending it over the Internet?
That is possible much of the time so long as your virus checking software is up to date. The problem arises with new viruses. When a new virus starts to spread it takes time for the anti-virus companies to create a new virus checker and time for that fix to be distributed and installed on users' computers. During this time you are vulnerable to both receiving and sending viruses.