How We Handle Spam

9/14/2008

As much as 90% of incoming email to Dowling is spam. Our GWAVA system blocks most of it, using a number of techniques to analyze each message as it comes in. Despite occasional errors, the system is highly accurate and "trainable" so it gets better with time.

How Incoming Mail is Handled

GWAVA carries out an analysis of each of over 100,000 messages it receives each day. Based on that analysis it quarantines messages it considers spam. The messages are held for one week on our Quarantine Management Server, where you can retrieve them by two methods which we will explain shortly. Messages which have been analyzed and are considered legitimate arrive in your mailbox.

Among the factors which enter into the decision to quarantine a message:

  • Is the message sent from a known spam-sending address? (RBL lists)
  • Does the message contain a link to a known spam website? (SURBL lists)
  • Does it look like spam? (Scoring system)
  • Have you released messages like this from your quarantine?
  • Is the sender on our list of not-allowed senders?
  • Is the sender on our list of always-allowed senders?

Your mailbox contains messages that have made it through this series of questions.
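
The sketch below is an added example, not GWAVA's code or configuration. It shows how the RBL, SURBL, score and sender-list questions can combine into one verdict with a block reason. The order of the checks, the zones rbl.example and uribl.example, the "denied-sender" label and all sample messages are assumptions made up for illustration. Training from released messages is left out.

```python
import ipaddress

SPAM_THRESHOLD = 5                      # "spam5" on this page: score of 5 or more
LISTED = ipaddress.ip_network("127.0.0.0/8")

def rbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets, then append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(name, resolve):
    """Listed means the name resolves to an address in 127.0.0.0/8."""
    answer = resolve(name)              # None models "no such record"
    return answer is not None and ipaddress.ip_address(answer) in LISTED

def classify(msg, resolve, allow, deny, rbl_zone, uri_zone):
    """Return (action, block_reason). The order of checks is an assumption."""
    sender = msg["from"].lower()
    if sender in allow:
        return ("deliver", None)
    if sender in deny:
        return ("quarantine", "denied-sender")   # hypothetical label
    if is_listed(rbl_query_name(msg["client_ip"], rbl_zone), resolve):
        return ("quarantine", "RBL")
    for domain in msg["link_domains"]:
        if is_listed(domain.lower() + "." + uri_zone, resolve):
            return ("quarantine", "SURBL")
    if msg["score"] >= SPAM_THRESHOLD:
        return ("quarantine", "spam5")
    return ("deliver", None)

# Constructed sample data: documentation IP ranges and .example names only.
FAKE_DNS = {"10.2.0.192.rbl.example": "127.0.0.2",
            "pills.example.uribl.example": "127.0.0.2"}
ALLOW, DENY = {"registrar@partner.example"}, {"ex-friend@mail.example"}
SAMPLES = [
    {"from": "a@bulk.example", "client_ip": "192.0.2.10", "link_domains": [], "score": 1},
    {"from": "b@shop.example", "client_ip": "198.51.100.7", "link_domains": ["pills.example"], "score": 2},
    {"from": "c@news.example", "client_ip": "198.51.100.8", "link_domains": [], "score": 6},
    {"from": "registrar@partner.example", "client_ip": "192.0.2.10", "link_domains": [], "score": 9},
    {"from": "d@college.example", "client_ip": "203.0.113.5", "link_domains": ["college.example"], "score": 0},
]

def run_samples():
    return [classify(m, FAKE_DNS.get, ALLOW, DENY, "rbl.example", "uribl.example") for m in SAMPLES]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, run_samples()):
        print(m["from"], verdict)
```

The fourth sample shows why an always-allowed entry is powerful: it is delivered even though its sending address is on the sample RBL and its score is 9.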

Retrieving Quarantined Messages

Every morning, if any messages to you have been quarantined, they are listed in a message to you with the subject "GWAVA message restriction digest." Each quarantined message has failed the tests above and is considered by GWAVA to be spam. Sometimes GWAVA is incorrect, but that's not fatal: you can release any quarantined message by either of two methods:

  • Method 1: Release from Digest

    In your "GWAVA message restriction digest" next to each message is a Release button. Look at the "from" and "subject" of each message; if you think a message is legitimate, click the Release button. Your browser will open to tell you to look in your mailbox in a few moments, when the message will arrive. A copy of the message will go back to GWAVA for your IT staff to act upon.
    Note: Periodically we use some of these released messages to "train" GWAVA to recognize them as legitimate. It may turn out that the message you released is really spam, though it looks legitimate - we'll try to find those and avoid training GWAVA to allow them. It's an inexact science, and the spammers are clever, so the cat-and-mouse game continues.
  • Method 2: Release from GWAVA website

    Rather than wait until your morning digest message arrives, you can browse to the GWAVA digest website, log in with your email address (same password as your email), and search the quarantine for incorrectly blocked messages. Narrow your search if you like by entering criteria at the left side of the window: restrict your search to the last 24 hours, for example, or to emails from a particular address or domain. The Help Desk at x3445 can explain this process for you if needed.
    Note: In the first column for each quarantined message you'll also see a "Block Reason." Most often this contains the notation "spam5" which means that the message scored 5 or more in the "Does it look like spam?" analysis *. If a correspondent's email appears in the quarantine with this "spam5" notation, release the message then reply to the message. Replying will teach GWAVA that this is a person with whom you're having conversations, and his/her messages should not be blocked. But if the "Block Reason" contains anything else, like "RBL" or "SURBL," future blocking will not be prevented by replying - instead, send a copy to notspam(at)dowling.edu so we can intervene.
    * Or, at the GWAVA digest website, look on the right under "Event" for "Spam threshold 5".

Messages which contain viruses are simply deleted; they are not quarantined and neither you nor we can ever retrieve them.

Fixing problems: Messages that should not be allowed

We've set the GWAVA system to err towards caution, not to quarantine a message unless it's pretty sure the message is spam. But spam sometimes gets through. Let's look at some scenarios and see what should be done.

  • Scenario 1: "Pretty Russian Girl is bored tonight"

    These messages are plain text and don't contain much information to help GWAVA decide on their legitimacy, so the "scoring test" is ineffective. But for every one of these messages that gets through, ten or twenty are blocked by GWAVA's "RBL" test. Unfortunately, the RBL lists are sometimes not able to keep up with the speed at which spammers change servers, so some of these will always get through. Exactly the same situation arises with most of the "Get out of debt" and "Get your college degree" and "Best of Armani, Boss, Versace" messages you're seeing.


  • Scenario 2: Harassment

    Some "former friends" send messages that you would rather not receive. The best way to handle this is to create a trash rule in your mail client, which deletes any message from a particular address. Until we write a web page to explain how to do this, you can either call the Help Desk for assistance or work through the explanation at Novell's Documentation website.


  • Scenario 3: Good messages from one user repeatedly quarantined

    Releasing a quarantined message sends a copy to GWAVA and a copy to you. Your IT folks will try to use the GWAVA copy to retrain GWAVA to allow the message. If that doesn't work, and if the message comes from one sender, we may be able to install a system-wide "exception" for the sender, allowing all his/her messages to bypass spam checking. Forward the message to notspam(at)dowling.edu so we can see if that's possible.

Conclusion

GWAVA incorporates multiple tools designed to detect and block unwanted messages. As the spammers improve their techniques in an effort to get you to buy something or install something that will help them to steal your identity, GWAVA's engineers continue to improve methods of detecting and blocking the spam. To minimize the impact of spam on Dowling and on you, we recommend:

  1. Don't use your Dowling account for online purchases. Use a free account from Gmail, Yahoo, AOL or another internet provider. Use your Dowling account only for Dowling-related business.
  2. Never buy anything from a spammer. If everyone observed this rule, the profit motive for spammers would disappear, and perhaps so would the spammers.

Questions or concerns? Please contact the Technology Help Desk at 244-3445.