Antispam protection
The FI and MU mail systems provide services that limit the spread of infected mail and detect at least part of the spam. There are two levels of control: the first is the university mail server and the second is the faculty mail server.
This protection is not and cannot be 100% effective. You should still not open attachments received from unknown senders (or from senders who look familiar at first glance when the message itself looks suspicious).
If your mail is redirected using a .forward file, no antispam check is applied. If you want your mail to be both forwarded and checked, use the procmail program.
Check incoming mail at the faculty level
If an email originates from an external network and is delivered to the destination mailbox by the Anxur or Aisa server (this includes forwarding via Procmail), it passes through the following antispam stages by default:
- whitelist / blacklist
- SpamAssassin
- dSpam
Antispam control settings
Coarse filter configuration can be done using the application https://fadmin.fi.muni.cz/auth/sys/mail_nastaveni.mpl. Its capabilities include:
- specify the mailbox where dSpam and / or SpamAssassin will put spam
- turn off one or both filters completely
- control the behaviour of the duplicate mail filter
- and more
~/.procmail.setup
.
Retraining by dragging and dropping messages
If you access your mail over the IMAP protocol (this also applies if you use the web client), you can use the item "learn dSpam by moving the message" to have the dSpam filter retrained simply by dragging a message into or out of the spam folder (by default mailbox.spam, or mailbox.spam.1 after rotation). You then do not have to deal with forwarding spam and non-spam to the addresses spam@fi.muni.cz and notspam@fi.muni.cz.
Retraining by redirecting the message
You can also retrain the statistical filter by redirecting (bouncing) a message to the addresses spam@fi.muni.cz and notspam@fi.muni.cz. In mutt you do this with the b key; in Thunderbird the mailredirect plugin makes it possible.
Whitelisting and blacklisting
A whitelist is a list of addresses from which no incoming mail should be marked as spam. Whitelist entries may also use the wildcard '*' to denote an entire domain: "*@example.muni.cz" whitelists all addresses in the domain example.muni.cz. There are two levels of whitelist: global (maintained by CVT, valid for all users of Anxur or Aisa) and user (valid for the incoming mail of a particular user). At FI, the whitelist is implemented using the SpamAssassin program (see below). You can define your own whitelist by adding any number of lines of the following form to the file ~/.spamassassin/user_prefs:
whitelist_from WhitelistovanyOdesilatel@example.com
whitelist_from *@whitelistovana.domena.example.com
To take this configuration file into account, you must:
- give the user spamd the "x" right on your home directory and on the ~/.spamassassin directory:
  setfacl -m u:spamd:x ~ ~/.spamassassin
- grant the "r" right for others on the file ~/.spamassassin/user_prefs:
  chmod o+r ~/.spamassassin/user_prefs
Similarly, it is possible to whitelist based on the text in the Subject mail header. Any mail whose subject contains the specified text as a substring will also bypass the antispam check. The format of the lines is as follows:
whitelist_subject WhitelistovanyRetezec
The blacklist (by sender and by subject) is the dual of the whitelist: a matching message is marked as spam without further checks. The blacklist is configured in the same way as the whitelist, except that you write blacklist_from in place of whitelist_from and blacklist_subject in place of whitelist_subject.
SpamAssassin
This filter performs heuristic analysis. It defines a fixed set of rules (usually the presence of a word or phrase) that are tested against each mail. This set is fixed; it can only be changed manually by the administrator (faculty-wide) or by the user (for their own address). Each rule is assigned a weight (a real number). A positive weight indicates phenomena that are characteristic of spam, a negative weight indicates phenomena that are typical of regular mail. The sum of the weights of all the rules that a mail matches is called its score. If the score is greater than a certain threshold, the mail is marked as spam and does not enter the dSpam check at all.
In mail that was processed by SpamAssassin you will find an X-Spam-Status header, from which you can read the results of the analysis.
X-Spam-Status: Yes, score=14.3 required=7.0 tests=FI_NOTFROMFI,
    FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,FORGED_RCVD_HELO,
    HTML_70_80,HTML_FONT_BIG,HTML_MESSAGE,INVALID_DATE,MIME_HTML_ONLY,
    NO_REAL_NAME,UNDISC_RECIPS autolearn=disabled version=3.1.9
- the mail has been marked as spam
- its score is 14.3
- the phenomena that contributed to the score are listed in the tests list
You can configure SpamAssassin's behaviour to some extent in the file ~/.spamassassin/user_prefs. The configuration options are described in the Mail::SpamAssassin::Conf documentation; you can define your own rules or change the scores of existing ones. Here is how to change the threshold score for spam detection:
Change the minimum spam score
By default, any mail with a score equal to or greater than 7 is marked as spam. To change this threshold, insert the following line (replacing X with the desired value):
required_hits X
Increasing the threshold is relatively safe; the amount of unrecognized spam will likely increase. Lowering the threshold is not recommended.
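An added example (not part of the FI documentation): a small Python check of a user_prefs file that reports which whitelist_from / blacklist_from entries match a given sender and flags a catch-all whitelist or a threshold lowered below the default of 7. The sample file content and the function names are this example's own.

```python
import re

DEFAULT_THRESHOLD = 7.0  # default spam threshold stated on this page
HANDLED = ("whitelist_from", "blacklist_from", "required_hits")

# Constructed user_prefs content; all addresses are placeholders.
SAMPLE_PREFS = """\
whitelist_from colleague@example.com
whitelist_from *@example.muni.cz
whitelist_from *@*
blacklist_from *@bulk.example.org
required_hits 4.5
"""

def parse_prefs(text):
    """Return (line_no, directive, argument) tuples, one per argument."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        words = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if words and words[0] in HANDLED:
            out.extend((no, words[0], w) for w in words[1:])
    return out

def glob_to_regex(pattern):
    """Translate an address glob ('*' = any run, '?' = one char) to a regex."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body + r"\Z", re.IGNORECASE)

def lists_matching(sender, text):
    """Which whitelist_from / blacklist_from lines match this sender address?"""
    return [(no, d) for no, d, arg in parse_prefs(text)
            if d in ("whitelist_from", "blacklist_from")
            and glob_to_regex(arg).match(sender)]

def audit(text):
    """Flag settings that weaken filtering: catch-all whitelist, lowered threshold."""
    findings = []
    for no, d, arg in parse_prefs(text):
        if d == "whitelist_from" and set(arg.rpartition("@")[2]) <= set("*?."):
            findings.append((no, "whitelist covers every domain"))
        if d == "required_hits" and float(arg) < DEFAULT_THRESHOLD:
            findings.append((no, "threshold below default %.1f" % DEFAULT_THRESHOLD))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS):
        print("line %d: %s" % finding)
```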
dSpam
The statistical Bayesian filter dSpam also recognizes text substrings (so-called phenomena) in e-mails, assigns each of them a score and, based on the overall score, determines whether or not the mail being examined is spam. However, the set of phenomena and their scores change without any administrator or user intervention in the configuration. The filter defines and modifies the phenomena and their scores in a learning phase, by examining emails that the administrator or a user has designated as spam or as non-spam. The sources of spam for learning are:
- Initial set of training emails collected by the administrator
- emails that arrive at a certain honeypot email address in the FI domain that does not belong to any user, and
- emails coming to spam@fi.muni.cz
The sources of non-spam for learning are:
- Initial set of training emails collected by the administrator
- emails coming to notspam@fi.muni.cz
Every mail that is processed by dSpam is enriched with headers that give the verdict of the dSpam evaluation and the reasons for this verdict:
X-DSPAM-Result: Spam
X-DSPAM-Factors: 15,
    liable+for, 0.00448,
    liable, 0.00673,
    shall+not, 0.00738,
    Offers+e, 0.99000,
    Offers+Microsoft, 0.99000,
    MSN+shall, 0.99000,
    mail+communications, 0.99000,
    WA+98052, 0.99000,
    target="_blank">More+Newsletters, 0.99000,
    This+shall, 0.99000,
    Feature+Offers, 0.99000,
    not+unsubscribe, 0.99000,
    content+nor, 0.99000,
    ©2008, 0.99000,
    Newsletters+|, 0.99000
Mail with these headers:
- matched neither the whitelist nor the blacklist, nor was it labeled as spam by SpamAssassin
- was marked as spam by dSpam
- this verdict was reached by finding the text patterns that are listed in the X-DSPAM-Factors header
Patterns with a number greater than 0.5 in the header tip the mail towards the spam side; the other patterns tip it towards the non-spam side. The further the number is from 0.5, the more information the pattern carries.
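An added example (not part of the FI documentation): a Python helper that reads the X-Spam-Status and X-DSPAM-Factors headers described above and orders the dSpam patterns by their distance from 0.5, most informative first. The sample message is constructed from a shortened subset of the values shown on this page; the function names are this example's own.

```python
import email
import re

# Constructed sample: header formats follow the examples on this page,
# values are a shortened subset chosen for illustration.
SAMPLE = (
    "X-Spam-Status: No, score=2.1 required=7.0 tests=HTML_MESSAGE,\n"
    "\tNO_REAL_NAME autolearn=disabled version=3.1.9\n"
    "X-DSPAM-Result: Spam\n"
    "X-DSPAM-Factors: 4,\n"
    "\tliable+for, 0.00448,\n"
    "\tliable, 0.00673,\n"
    "\tOffers+e, 0.99000,\n"
    "\tnot+unsubscribe, 0.99000\n"
    "\nbody\n"
)

def _unfold(msg, name):
    """Return a header value with folding whitespace collapsed to single spaces."""
    return " ".join((msg.get(name) or "").split())

def parse_spam_status(msg):
    """Split X-Spam-Status into verdict, score, threshold and matched rule names."""
    m = re.match(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*?)"
                 r"(?: autolearn=|$)", _unfold(msg, "X-Spam-Status"))
    if not m:
        return None  # header missing or in an unexpected format
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def parse_dspam_factors(msg):
    """Return (pattern, probability) pairs, furthest from 0.5 first."""
    _count, _, rest = _unfold(msg, "X-DSPAM-Factors").partition(",")
    pairs = [(tok, float(p)) for tok, p in re.findall(r"(\S+), (\d\.\d+)", rest)]
    return sorted(pairs, key=lambda tp: abs(tp[1] - 0.5), reverse=True)

def explain(raw):
    """Summarise both filters' verdicts for one raw message."""
    msg = email.message_from_string(raw)
    factors = parse_dspam_factors(msg)
    return {"spamassassin": parse_spam_status(msg),
            "dspam": msg.get("X-DSPAM-Result"),
            "toward_spam": [t for t, p in factors if p > 0.5],
            "toward_ham": [t for t, p in factors if p <= 0.5]}

if __name__ == "__main__":
    print(explain(SAMPLE))
```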
Check incoming mail at university level
Before entering the university network, each incoming mail is scanned by an antivirus program on the server relay.muni.cz and goes through a comprehensive antispam routine (notably so-called greylisting). If the result of the tests is negative, the mail is forwarded to the university network, with the following headers included:
- X-Muni-Spam-TestIP - the IP address of the server from which relay.muni.cz received the mail;
- X-Muni-Envelope-From - the email address of the sender specified in the mail envelope.
With careful handling, this information can be used for additional filtering of mail at the user level before delivery to the mailbox (e.g. with procmail).