Spam Filtering with Proofpoint

In February 2008, OIS installed a Proofpoint spam filtering appliance on the School of Medicine network. This appliance automatically eliminates a majority of spam messages before they reach your email inbox. Although these spam filters have been applied uniformly across the school, users also have the option to manage their own filters. The following documentation will review spam basics and provide instructions on how to manage your own spam filters/settings.

The following has been adapted from UNC's Information Technology Services (ITS) documentation entitled "UNC-Chapel Hill Spam Filtering Service."


Introduction

Email fraud and phishing are two of the most dangerous security threats delivered in email, often resulting in identity theft, financial losses and compromised security.

Identity theft attacks are typically initiated through email by scammers pretending to be well-known companies. These messages encourage you to click on links within the message to visit a website that may ask for account numbers, passwords and other personal information.

Many people believe they are protected from phishing scams and email fraud by their antivirus, firewall, antispam and antispyware software. In fact, these software products do not completely prevent email fraud and many victims using these security products are at increased risk because they have been lulled into a false sense of security.

What is Spam?

Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for doubtful products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid for by the recipient or the carriers rather than by the sender.

How Should I Handle Spam?

It is tempting to try to send spam emails back or to write the senders nasty letters, but that doesn't work. Neither does unsubscribing from their emails.

The reason is that most spam initially reaches us by accident. If we respond in any way (clicking on links, "unsubscribing", or replying), the response confirms our email address and the spam will grow exponentially.

Here are a few rules for handling spam:

  • Never reply to them
  • Never click on a link that is inserted in a spam email
  • Never "unsubscribe" from them...after all, you cannot unsubscribe from something you never subscribed to in the first place. If nothing else, sending an unsubscribe request just confirms that the spammers have reached a valid email address.

Spam Filtering with Proofpoint

Combating spam has become a common practice for e-mail users. Your best recourse is to block spam before it reaches you. A mail filter will watch your incoming mail and search it for indications of unsolicited content. A mail filter can substantially reduce the volume of spam you have to address.

The spam filter that UNC School of Medicine employs is provided by Proofpoint. All users of the School of Medicine email system (mail.med.unc.edu) are opted-in to this service by default. The Proofpoint solution provides its users a convenient way of getting rid of most spam messages automatically and gives you a choice of options for dealing with "too close to call" messages.


Glossary of Terms

Before going into greater detail about the UNC School of Medicine Spam Filtering system, a few terms that will be encountered later need to be defined.

Table 1. Glossary

 

| Term | Definition |
|---|---|
| Blocked Senders | A list of "bad" addresses or domains from which you wish to receive no email. |
| Digest | A digest is an email that you will receive twice a day, which contains a listing of all spam messages that are in your quarantine, and the spam scores that they received. From here you can view the contents of the messages, report them as not spam, release them to your inbox, or add the senders to your Safelist. |
| Domain | Domain names are addresses used on the Internet, such as hotmail.com. You can block or allow mail from an entire domain. |
| Policy | A predefined ruleset that determines how messages with differing classifications of spam are handled for a specific user. |
| Profile | Your profile is the area that you access to change your spam handling presets. You can also access your blocked senders, safelist, and quarantine from here. Visit http://www.med.unc.edu/spam to access your profile. |
| Quarantine | Holding area for known and possible spam that was caught by the filter. Messages will remain here for 14 days, or until you mark them as "not spam." The email messages in your trap can be viewed by going to the spam filtering service web interface at http://www.med.unc.edu/spam |
| Spam Score | A score assigned to a piece of mail. The score is determined by a set of rules that mail is checked against for known spam issues, and will range between 0 and 100. |
| Tag and Forward | The spam filtering system has an option to only tag potential spam messages by prepending the spam score information to the subject line of the message instead of trapping them in the Quarantine. |
| Safelist | A list of "good", or known, addresses or domains. Messages coming from a whitelisted domain or address will never get marked as spam. |


How the Proofpoint Spam Filtering System Works

All messages destined to your Inbox will be analyzed by the spam filter and assigned a spam score. This score will help you determine if the message is spam, and if so, how it should be handled. The score ranges from 0% (not spam) to 100% (definite spam). The score that a message receives is used to classify it in the following categories: definite spam, probable spam, and not spam. Based on what policy setting you choose, you may receive a digest email if you have messages classified as possible spam waiting in your quarantine. The spam system in general classifies messages scoring in certain ranges into the following categories. Any policy that deviates from these ranges will be defined elsewhere.

  • Certain Spam - Messages scoring between 95% and 100%
  • Possible Spam - Messages scoring between 50% and 94%
  • Not Spam - Messages scoring below 50%


Logging in to the Proofpoint Spam Filtering System

  1. Go to http://www.med.unc.edu/spam
  2. Log in with your SOMID and password. After successfully logging in, you will see the following page, with the Profile, Quarantine, and Lists sections available to you.

     [Image: Proofpoint Manage Screen]


Profile - Choosing your Policy

In the Profile section, you can choose which policy to use for your spam filtering. There are five policies that you can choose from: Default, Standard Quarantine, Extended Quarantine, Tag and Forward, and Aggressive. The actions that apply to each classification of message for each policy are listed below.

Table 2. Spam Policy Summary

 

| Spam Detection Policy | Definite Spam (score of 95% or more) | Probable Spam (score between 50%-94%) | Not Spam (score under 50%) |
|---|---|---|---|
| Deliver Everything but Tag Probable Spam | tag/deliver | tag/deliver | deliver |
| Quarantine everything suspicious (default) | quarantine | quarantine | deliver |
| Discard Definite Spam, Quarantine Probable | discard | quarantine | deliver |
| Discard Everything Suspicious | discard | discard | deliver |
| Discard and Quarantine with lower tolerance | aggressive discard (score of 75% or more) | aggressive quarantine (score between 40%-74%) | deliver (score under 39%) |

 

Example:  The policy "Quarantine everything suspicious (default)" means that all messages with a spam score above 95% (Definite Spam) and messages with a spam score between 50%-94% (Probable Spam) will be quarantined. All other messages with a spam score below 50% will be delivered to your inbox.

 In Tag and Forward mode, all certain and possible spam messages will be delivered, but with the Subject line altered to contain the spam score of the message. An example Subject line might look like:

Subject: {Probable Spam: 94%} Mortgage Rates at an all time Low!

Messages classified as Not Spam will not have their Subject line altered. When using the Tag and Forward policy, you may want to set your email client to filter these messages into a folder based on the Spam tag in the subject.
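The client-side filter suggested above, sketched as an added example that is not part of the original documentation or of Proofpoint's software. It parses the subject tag shown in the example line and picks a folder; the function names, folder names, sample messages, and the assumption that Definite Spam is tagged in the same form as Probable Spam are all hypothetical.

```python
import re
from email import message_from_string, policy

# Tag shape taken from the page's example Subject line. That "Definite Spam"
# is tagged in the same "{<class> Spam: NN%}" form is an assumption.
TAG_RE = re.compile(r"^\{(Definite|Probable) Spam: (\d{1,3})%\}\s*")

# Constructed sample messages (not real mail).
TAGGED = ("From: ads@example.com\n"
          "Subject: {Probable Spam: 94%} Mortgage Rates at an all time Low!\n\nhi\n")
REPLY = ("From: colleague@example.org\n"
         "Subject: Re: {Probable Spam: 94%} Mortgage Rates at an all time Low!\n\nhi\n")
ENCODED = ("From: ads@example.com\n"
           "Subject: =?utf-8?q?=7BProbable_Spam=3A_94=25=7D_Mortgage_Rates?=\n\nhi\n")
CLEAN = "From: dean@example.org\nSubject: Faculty meeting\n\nhi\n"


def parse_spam_tag(raw_message):
    """Return (classification, score, untagged_subject), or None if untagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words in the Subject header.
    subject = str(msg["Subject"] or "").strip()
    match = TAG_RE.match(subject)  # anchored: the filter prepends the tag
    if match is None or int(match.group(2)) > 100:
        return None
    return match.group(1), int(match.group(2)), subject[match.end():]


def choose_folder(raw_message):
    """Map a message to a folder name (folder names are hypothetical)."""
    tag = parse_spam_tag(raw_message)
    if tag is None:
        return "INBOX"
    return "Spam-Definite" if tag[0] == "Definite" else "Spam-Probable"


if __name__ == "__main__":
    for name, raw in [("tagged", TAGGED), ("reply", REPLY),
                      ("encoded", ENCODED), ("clean", CLEAN)]:
        print(name, "->", choose_folder(raw))
```

Because the pattern is anchored to the start of the subject, a colleague's reply that quotes a tagged subject after "Re:" stays in the inbox instead of being filed as spam.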


Quarantine

If you choose one of the Quarantine policies, the Quarantine is the holding area for messages classified as Probable Spam that you can choose to act upon or ignore. If you do nothing to messages in your Quarantine, they will be automatically deleted after 14 days. When new messages are added to your quarantine, you will receive an e-mail digest message in your Inbox listing all of the messages there. Digests are sent daily at 7am. You can also access your quarantine via a web interface at http://www.med.unc.edu/spam. You can read and take action on quarantined messages from the digest email or in the web interface. The actions you can take are:

  • Release - Remove the message from Quarantine, and send to your Inbox.
  • Not Spam - Report the message to the system as legitimate e-mail. This feedback will help the system learn that future messages like this one are not spam.
  • Safelist - Adds the sender address of the message to your Safelist.
  • Delete - Removes the message from your Quarantine. This happens automatically on the message after 14 days, if not released before then.


Lists (Safelist/Blocked Senders List)

The Lists section allows you to add email addresses and/or email domains to a list from which the spam filter will either always allow (Safelist) or always reject (Blocked Senders) messages addressed to you. To add a new item to either of these lists follow these steps:

  1. Log in at http://www.med.unc.edu/spam
  2. Go to the Lists section
  3. Choose the list you want to modify
  4. Click the New button
  5. Enter the e-mail address or domain you would like to add to the list
  6. Click Save


Digest Email

This section is only applicable if you are using either of the Quarantine policies.

If you have new messages in your Quarantine, you will receive a Digest Message in your Inbox. This message will list the messages that are being held, and gives you the same options as listed above in the web-interface. Digest Messages are sent once daily at 7am.

Here's an example of a digest message: 

[Image: Proofpoint Digest]

Some actions you can choose from a Digest Message include the following:

  • Request New End User Digest - Sends you an updated copy of your digest. Automatic digests go out once in the morning at 7am.
  • Request Safe/Blocked Senders List - Sends you a copy of all email addresses and domains that are currently in your Safe and Blocked Senders lists.
  • Manage My Account - Takes you to the web interface where you can manage your profile, lists, and Quarantine
  • Help - Takes you to this document.


Dealing with False Positives

The School of Medicine's anti-spam solution is effective, but not perfect. We have seen a small number of instances where a legitimate message receives a spam score of 100 and is discarded as spam. If you believe that you are not receiving messages that you should, you have several options available to you:

  • Add to your Safelist any non-UNC School of Medicine senders that you suspect might be misdirected to your spam folder. Ask the sender to send you a test message.
  • Switch to the "Deliver Everything but Tag Probable Spam" policy. With this policy you will begin to receive digest messages containing all messages that fall into the possible or certain spam categories (scoring 50%-100%). You can then report as not spam and safelist any legitimate messages that have been mistakenly scored. Once you have safelisted any senders that these types of messages come from, you may choose to go back to one of the other policies that best suits your needs.


Additional Help

For more information, take a look at the UNC School of Medicine Proofpoint Spam Filtering FAQs.
