Antispam protection

FI and MU mail systems provide some services to limit the spread of infected mail and to detect at least partial spam - spam. There are two levels of control: the first is the university mail server and the second is the faculty mail server.

This protection is not and cannot be 100%. Still, do not open attachments that you received from unknown senders (or at first glance known senders, and the message looks suspicious).

If your mail is redirected using a file .forward , there is no antispam control. If you want to forward and check your mail, use the program procmail .

Check incoming mail at the faculty level

If the email originates from an external network and is delivered to the destination mailbox by the Anxur or Aisa server (this includes Procmail forwarding), it will pass antispam by default on the following stages:

1. whitelist / blacklist
2. SpamAssassin
3. dSpam

Antispam control settings

The coarser filter configuration can be done using the application https://fadmin.fi.muni.cz/auth/sys/mail_nastaveni.mpl . Her abilities include:

• specify the mailbox where dSpam and / or SpamAssassin will put spam
• turn off one or both filters completely
• control the handling of duplicate mail filter
• and more

Settings made by this application are saved in a file ~/.procmail.setup .

Drag and drop override settings

If you access the mail protocol IMAP (this is true even if you use web client ), you can use the item to learn dSpam by moving the message to set the dSpam filter re-learning only by dragging the message from / to the spam folder (by default mailbox.spam or after rotating mailbox.spam.1 ). You don't have to deal with forwarding spam and spam to addresses spam@fi.muni.cz and notspam@fi.muni.cz .

Rerouting by redirecting the message

You can also re-train the statistical filter by redirecting or bounceing it to addresses spam@fi.muni.cz and notspam@fi.muni.cz . You will accomplish this in mutt at the b key, in Thunderbird this plugin will be enabled mailredirect ).

Whitelisting and blacklisting

Whitelist is a list of addresses from which no incoming mail should be marked as spam. There can also be ambiguous entries in the whitelist to denote the entire domain using the '*' - " *@example.muni.cz "whitelist all addresses in the domain example.muni.cz . There are two levels of whitelist - global (maintained by CVT, valid for all users of Anxur or Aise) and user (valid for incoming mail of a particular user). At FI, the whitelist is implemented using the SpamAssassin program (see below). You can define your whitelist by adding any number of lines of the following shape to the file ~/.spamassassin/user_prefs :

whitelist_from WhitelistovanyOdesilatel@example.com
whitelist_from *@whitelistovana.domena.example.com

To take this configuration file into account, you must:

• home directory and directory ~/.spamassassin set right " x "for users spamd :

  setfacl -m u:spamd:x ~ ~/.spamassassin

• file ~/.spamassassin/user_prefs grant right " r " for others:

  chmod o+r ~/.spamassassin/user_prefs

Similarly, it is possible to whitelist based on the text in the mail header Subject . Any mail whose subject will contain the specified text as a substring will also avoid antispam control. The format of the rows is as follows:

whitelist_subject WhitelistovanyRetezec

Blacklist (according to sender and subject) has dual function to whitelist: matching message will be marked as spam without further checks. The blacklist configuration is the same as the whitelist, only the location whitelist_from write blacklist_from and place whitelist_subject then blacklist_subject .

SpamAssassin

This filter performs heuristic analysis. Defines a fixed set of rules (usually the presence of a word or phrase) that are detected in mails. This set is fixed; it can only be changed manually by the administrator (all-faculty) or the user (for his address). Each rule is assigned a weight (real number). A positive weight indicates phenomena that are characteristic of spam, a negative weight indicates phenomena that are typical of regular mail. The sum of the weights of all the rules that mail complies with is called a score. If the score is greater than a certain threshold, mail is marked as spam and does not enter the dSpam check process at all.

You will find a header in the mail that was processed by SpamAssassin X-Spam-Status to read the results of the mail analysis.

X-Spam-Status: Yes, score=14.3 required=7.0 tests=FI_NOTFROMFI,
	FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,FORGED_RCVD_HELO,
	HTML_70_80,HTML_FONT_BIG,HTML_MESSAGE,INVALID_DATE,MIME_HTML_ONLY,
	NO_REAL_NAME,UNDISC_RECIPS autolearn=disabled version=3.1.9

• mail has been marked as spam
• his score is 14.3
• the phenomena that contributed to the score are listed in the list tests

You can configure SpamAssassin behavior to some extent in a file ~/.spamassassin/user_prefs . Configuration options are described in the documentation Mail :: SpamAssassin :: Conf - You can define your own rules or change the scores of existing ones. Here's how to edit the threshold score for spam detection:

Change the minimum spam score

By default, any mail with a score equal to or greater than 7 is marked as spam. To change this boundary, insert a line (instead of X set the desired fair value):

required_hits X

Increasing the border score is relatively safe; the number of spam not recognized will likely increase. Lowering the border is not recommended.

dSpam

The statistical Bayesian filter dSpam also recognizes text substrings (so-called phenomena) in e-mails, to which it assigns a certain score and, based on the overall score, determines whether or not the mail being examined is spam. However, a set of events and their scores change without any administrator or user intervention in the configuration. The filter defines / modifies the phenomena and scores in the learning phase by examining emails for which the administrator or user assigns spam or spam . The sources of learning spam are:

• Initial set of training emails collected by the administrator
• emails that arrive at a certain honeypot email address in the FI domain that does not belong to any user, and
• emails coming to spam@fi.muni.cz

The sources of learning spammers are:

• Initial set of training emails collected by the administrator
• emails coming to notspam@fi.muni.cz

Every mail that is processed by dSpam is enriched with headers that specify the verdict of dSpam evaluation and also the reasons for this verdict:

X-DSPAM-Result: Spam
X-DSPAM-Factors: 15,
	liable+for, 0.00448,
	liable, 0.00673,
	shall+not, 0.00738,
	Offers+e, 0.99000,
	Offers+Microsoft, 0.99000,
	MSN+shall, 0.99000,
	mail+communications, 0.99000,
	WA+98052, 0.99000,
	target="_blank">More+Newsletters, 0.99000,
	This+shall, 0.99000,
	Feature+Offers, 0.99000,
	not+unsubscribe, 0.99000,
	content+nor, 0.99000,
	©2008, 0.99000,
	Newsletters+|, 0.99000

Mail with these headers:

• did not comply with the whitelist or blacklist, and SpamAssassin labeled it as spam
• was marked as spam by dSpam
• this verdict was determined by finding the text patterns that are listed in the header X-DSPAM-Factors

For those patterns with a number greater than 0.5 in the header, mail puts more on the spam side; other patterns on the side I do not spam. The further away from 0.5 the number is, the more informative the pattern bears.

Check incoming mail at university level

Before entering the university network, each incoming mail is scanned on the server relay.muni.cz antivirus program and goes through a comprehensive antispam routine (especially so-called greylisting). If the result of the tests is negative, the mail is forwarded to the university network, including the following headers:

• X-Muni-Spam-TestIP - IP address of the server from where relay.muni.cz received the mail;
• X-Muni-Envelope-From - The email address of the sender specified in the mail envelope.

With sensitive handling, this information can be used to additionally filter mail at the user level before delivery to the mailbox (e.g. procmailem ).