
IT Help and Support

University Information Services
 

Introduction

There are two ways email can get to a user's mailbox:

  • Direct to the user's email system (for example, Microsoft 365's Exchange Online)
  • Via PPswitch

Email going directly to a mail system will be subject to the email system's inbuilt anti-spam, anti-phishing and malware protection. This is typically email via managed mail domains.

Mail that is routed via PPswitch is subject to a different set of filters, which is detailed below.

If you have any problems with blocked or filtered email, please .
 

Overview

PPswitch uses a mixture of techniques to identify and block unwanted email:

DNS blocklists

We use DNS blocklists to identify the IP addresses of computers on the Internet from which we will not accept email. An IP address may be blocklisted for several reasons:

  • the computer may be misconfigured or compromised in such a way as to make it open to abuse by spammers
  • the address may be listed by its owner as one that should never send email
  • the address may be allocated to an organisation that is known to send spam (we also use DNS blocklists to identify email that appears to come from a domain owned by spammers).

UIS only uses DNS blocklists that have a good reputation for not gratuitously listing legitimate IP addresses or domains. Even so, there is the occasional communication problem caused by the blocklists, in which case you can contact the UIS postmaster for assistance (no messages to that email address are blocked). However, note that we do not configure PPswitch with special exceptions to the DNS blocklists because that would be a duplication of effort. In the case of an erroneous listing, you must deal with the DNS blocklist administrators via the web sites below.

PPswitch uses the Spamhaus ZEN, Spamhaus DBL, URIBL.com and SURBL.org blocklists to block email. They are made available to us via national subscriptions supported by JANET. Most of these blocklists are combinations of several lists that follow complementary policies. See the individual blocklist web pages for details.
 

SpamAssassin

SpamAssassin is a program that performs many tests on a message to decide if it is spam. These tests look at the content of the message and various technical details in its headers, and query databases on the Internet, including several other DNS blocklists. Many of the tests identify features of the message that are common in spam and some of them identify non-spam features. Each test has an associated score that is positive for spam and negative for non-spam. The scores of all the tests that succeed are added together to produce an aggregate score for the message as a whole. The scores are tuned so that legitimate messages score less than 5 and messages that score 5 or above are almost certainly spam.

Although SpamAssassin is reasonably effective, it cannot identify spam or legitimate email 100% accurately, so PPswitch uses its results conservatively. Messages that score more than a safe global threshold (currently set to 10) are rejected. Messages that score less than the global threshold are delivered as usual, with extra headers added to record the message's score. These headers can be used to filter spam to a folder other than your inbox.

UIS only makes basic changes to the SpamAssassin configuration to tailor it to our local needs. For example, we have configured it to use the JANET blocklists. We do not make more extensive changes to the tests because that would be duplicating the work of the SpamAssassin developers and it would make it harder to keep the software up to date. For this reason, there isn't much we can do about individual messages that score unexpectedly high or low.

For more information, see the SpamAssassin FAQ:

  • If you receive a legitimate message that was classified as spam, perhaps you set your filtering threshold too low; see the FAQ.
  • If you receive some spam that was classified as legitimate email, perhaps you set your filtering threshold too high; see the FAQ.
  • Though it is a chore to have to go through your spam mailbox every few days to delete messages, SpamAssassin isn't perfect, so you would risk losing real email if high-scoring messages were deleted unseen; see the FAQ.
     

ClamAV

The scanner blocks any email that contains malware according to ClamAV. In addition to the standard ClamAV malware databases, we also use third-party databases distributed by Sanesecurity. Malware includes viruses, worms, trojans and phishing.

Some of the ClamAV databases also identify spam messages. If a message matches one of these tests, its SpamAssassin score is increased, and the message is only blocked if it scores high enough.

Unfortunately, sometimes new malware is sent to us before the ClamAV database is updated to detect it. If you receive a suspicious message you can submit it to the ClamAV maintainers for inclusion in the next update.
 

Filename checks

As a further level of protection the scanner also blocks messages that contain potentially dangerous attachments, based on the name and type of the file they contain. This extra protection helps when there are delays getting a virus database update from the vendor, and it reduces the ways in which malicious email can trick users.
 

Message annotations

The email scanner adds some headers to each message that passes through, containing information about what the scanner found. You can see them by viewing the full headers of the message. If a message is scanned more than once (for example, because it has been re-sent) then it will have more than one set of scanner headers.

Each of the headers starts with X-Cam-. The X- indicates that this is a non-standard header. The -Cam- is to distinguish the Cambridge scanner installation from other email scanners that might work on the same message.

The X-Cam-ScannerInfo: header contains the URL of this web page, so that people can find out the operational details of the scanner without needing to know anything about Cambridge University or UIS.

The X-Cam-AntiVirus: header summarises the findings of ClamAV. It usually says "no malware found" if the message passed the virus filter OK. In some circumstances (see below) it may say "not scanned" if the message was not scanned for viruses, or "found to be infected with..." if a virus was found but the message was not blocked.

The X-Cam-SpamDetails: header contains the results from SpamAssassin. It will say "not scanned" if the message comes from within the University (see below); otherwise it will look something like this:

X-Cam-SpamDetails: score 9.2 from SpamAssassin-3.2.5-668092
 *  0.0 MISSING_DATE Missing Date: header
 *  1.6 TVD_RCVD_IP TVD_RCVD_IP
 *  1.1 HTML_EXTRA_CLOSE BODY: HTML contains far too many close tags
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.4 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
 *  1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
 *      [URIs: fyzikskool.com]
 *  2.0 URIBL_BLOCK Contains an URL listed in the URIBL blocklist
 *      [URIs: fyzikskool.com]
 *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
 *      dynamic-looking rDNS
 *  0.3 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML

The text includes the overall score assigned to the message, the version of SpamAssassin, and the list of tests that the message matched with the score, codename and explanation for each test.

If the message has a spam score greater than one, a fourth header is added. The X-Cam-SpamScore: header contains a sequence of the letter "s" (for "spam") equal in length to the message's score rounded down to a whole number – for example, sssssssss for a score of 9.2. This header is intended to make it easy for users to configure their spam filters.
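The following is an added example, not UIS or SpamAssassin code. It parses the X-Cam-SpamDetails: value shown above, rejoins wrapped explanation lines, and derives the X-Cam-SpamScore: value from the score. The function names and the default filing threshold of 5 are assumptions made for this illustration.

```python
import math
import re
from decimal import Decimal

# The X-Cam-SpamDetails value shown on this page, used as sample input.
SAMPLE = """\
score 9.2 from SpamAssassin-3.2.5-668092
 *  0.0 MISSING_DATE Missing Date: header
 *  1.6 TVD_RCVD_IP TVD_RCVD_IP
 *  1.1 HTML_EXTRA_CLOSE BODY: HTML contains far too many close tags
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.4 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
 *  1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
 *      [URIs: fyzikskool.com]
 *  2.0 URIBL_BLOCK Contains an URL listed in the URIBL blocklist
 *      [URIs: fyzikskool.com]
 *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
 *      dynamic-looking rDNS
 *  0.3 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
"""

SUMMARY = re.compile(r"score\s+(-?\d+(?:\.\d+)?)\s+from\s+(\S+)")
TEST = re.compile(r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)")

def parse_spam_details(value):
    """Return (score, version, tests), or None for values like "not scanned"."""
    lines = [l.strip() for l in value.splitlines()]
    m = SUMMARY.match(lines[0]) if lines else None
    if m is None:
        return None
    tests = []
    for line in lines[1:]:
        t = TEST.match(line)
        if t:  # a new test: score, codename, explanation
            tests.append([Decimal(t.group(1)), t.group(2), t.group(3)])
        elif tests and line.startswith("*"):  # wrapped explanation text
            tests[-1][2] += " " + line[1:].strip()
    return Decimal(m.group(1)), m.group(2), tests

def score_marker(score):
    """X-Cam-SpamScore value for a score; None when no header is added."""
    return "s" * math.floor(score) if score > 1 else None

def file_as_spam(marker, threshold=5):
    """True if the marker holds at least `threshold` letters (user's choice)."""
    return marker is not None and len(marker) >= threshold

SCORE, VERSION, TESTS = parse_spam_details(SAMPLE)
```

For this sample the ten per-test scores add up to the reported total of 9.2, and the derived marker is the nine-letter string described above.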