Spam Prevention Strategy
Background

There are currently more than 25 suppliers delivering spam-blocking products and services for use by enterprises. These enterprise-focused solutions offer a variety of deployment scenarios, detection and prevention methodologies, management schemes, and reporting options.

IT Resources undertook an evaluation of the enterprise products available during 2003. A messaging security suite offered by Trend Micro™ was subsequently selected. This solution incorporated both an internet gateway anti-virus solution, implemented in September 2003, and a spam prevention solution.

During testing, undertaken since mid-February 2004, it was determined that spam accounts for more than 50% of e-mail processed by the University's e-mail servers. The recent spate of viral worms now plaguing enterprises only adds to this spam problem, using e-mail as a means of propagation.

IT Resources is endeavouring to implement a system that places the onus on the individual as to how they manage 'their' spam. Given the nature of the University, as opposed to a corporate environment, this is the most practical method of adoption/implementation. As such, a test group consisting of Computing Support staff* from across the University is currently undertaking a trial of the system and providing feedback as to the level of 'aggressiveness' to be applied to the various filters.

The outcome of this trial will see a paper submitted to Planning and Resources to endorse a policy for adoption by the University to effectively manage the spam issue. It is expected that 6-monthly reviews of the policy may be required.

*PLEASE NOTE - During this trial phase filtering ONLY occurs on messages delivered to an individual's formal University email address.

The following information has been obtained from the "Trend Micro™ InterScan 5 Messaging Security Suite - Getting Started Guide".

Trend Micro Spam Prevention Service

Trend Micro™ Spam Prevention Solution is a high-performance anti-spam application designed to protect the enterprise from spam at the gateway. It is integrated with Trend Micro™ InterScan Messaging Security Suite, which provides comprehensive messaging security - antivirus, content filtering, and anti-spam - in one easy-to-manage platform.

Spam Prevention Solution is designed to defeat spam using heuristics rules technology, a technology that offers more adaptable and "future-proof" protection against the ever-changing tactics of spammers. Policy-based configuration options allow University administrators to assign variable catch rate sensitivities based on spam category and user groups, along with flexible Filter Actions for appropriate message disposition options. Spam Prevention Solution can delete, quarantine, or tag messages based on spam likelihood level.

Heuristics rules technology monitors, evaluates, and identifies suspicious email traffic to determine a spam probability based upon collectively weighted and contextually evaluated characteristics. Testing was undertaken to ensure the product would provide the University with maximum spam capture rates with low false positives.

As messages pass through the system, the SPS heuristic filter applies thousands of rules against the message envelope, the header, and the content. Each rule is assigned a numerical value, and an equation is formulated based on the weighted significance and the combination of rules that are triggered. The result of this equation is the spam score.

SPS decides whether the message is spam or valid by measuring the spam score against the desired level of spam sensitivity. Setting the sensitivity higher causes more messages to be considered spam, since increased sensitivity means that a lower spam score will result in a message being considered spam.
You can set the overall sensitivity of the heuristic spam filters, as well as fine-tune the sensitivity to different categories of spam.

Categories of spam

If the heuristic spam filter categorizes a message as spam, it will usually fall into one of four categories:

- Sexual content: Adult or pornographic material
- Racist content: Racially insensitive material
- Make Money Fast: Get-rich-quick material
- Commercial offer: Sale notices, coupons, and special offers

The Baseline detection rate and the category settings allow the system to derive a sensitivity level based on your company's tolerances. The Baseline detection rate is used to determine the overall sensitivity to messages that are potentially spam. Regardless of how individual category sensitivities are set, the Baseline detection rate provides a general level of protection against spam. Increasing the setting of one or more of the categories increases the sensitivity to that type of content.

The Baseline detection rate and category sensitivity levels are set independently, but parameters from both settings provide the final sensitivity level that determines whether the message is categorized as spam. Category sensitivity levels multiply the Baseline detection rate and increase the likelihood that a message that triggers a category setting will be considered spam.

If the spam score for a given message exceeds the sensitivity level of your policy, the message is considered spam. There are three exceptions to this:

- If the sender appears on the 'Approved Senders list', the message is never considered spam.
- If the sender appears on the 'Blocked Senders list', the message is always considered spam.
- If text in the message triggers a 'Text exemption filter', the message is never considered to be spam.

The heuristic spam filter determines whether a message should be evaluated for each of the four categories before performing the actual evaluation.
Changing a category sensitivity level will not have any effect unless the message is evaluated in that category.

Consider the following example of a partial message header from a message that was categorized as spam because it triggered the 'Commercial' category:

    X-imss-result: Commercial_LeastConfident
    X-imss-scores: Clean:0.0003 C:42 M:2 S:5 R:5
    X-imss-settings: Baseline:4 C:3 M:3 S:4 R:3 (0.1000 0.3000)
    X-pstn-settings: 3 (1.0000:3.0000) smCr

Understanding the imss-result line

The first line in the above example shows the heuristic spam filter category that the message triggered. If a message does not trigger the heuristic spam filter, this line will say 'passed'. In the above example, the message triggered the 'Commercial' category, and the level of confidence was 'Least confident'.

Understanding the imss-scores line

The second line above shows the spam scores assigned to this message. The first number is the Clean score, and the other four numbers represent the four categories. In the case of the message represented above, the 'Commercial' category score was 42, the 'Make money fast' score was 2, and the 'Sexual content' and 'Racially insensitive' scores were both 5.

Understanding the imss-settings line

The third line in the example represents the heuristic spam filter settings at the time the message was processed. The Baseline number represents the setting for the Baseline detection rate and the other letters represent the sensitivity settings for the categories. The final two numbers are the baseline threshold and the triggered category threshold.

When evaluating messages, the heuristic spam filter first determines what category a message was most likely to fall into. In the case of this example, the category was 'Commercial'. You can verify which category SPS chose by checking the imss-scores line and seeing which category has the highest number.
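
The header check described above can be scripted when reviewing why a message was tagged. The following is an added example, not taken from the Trend Micro guide or from IT Resources; the function names and the From/Subject/body of the sample are constructed, and the rule that a result label starts with the same letter as its score key is an assumption the page confirms only for 'Commercial'.

```python
import re
from email import message_from_string

# Letter codes and category names as the page gives them.
CATEGORIES = {"C": "Commercial", "M": "Make money fast",
              "S": "Sexual content", "R": "Racially insensitive"}

def _pairs(text):
    """'Clean:0.0003 C:42' -> {'Clean': 0.0003, 'C': 42.0}"""
    return {k: float(v) for k, v in re.findall(r"(\w+):(\d+(?:\.\d+)?)", text)}

def parse_imss(raw_message):
    """Parse the X-imss-* headers of one raw message into a dict."""
    msg = message_from_string(raw_message)
    result = (msg.get("X-imss-result") or "").strip()
    scores = _pairs(msg.get("X-imss-scores") or "")
    settings_raw = msg.get("X-imss-settings") or ""
    settings = _pairs(settings_raw)
    # Trailing "(a b)": baseline threshold, then triggered category threshold.
    m = re.search(r"\(\s*([\d.]+)\s+([\d.]+)\s*\)", settings_raw)
    thresholds = (float(m.group(1)), float(m.group(2))) if m else None
    if not result or result.lower() == "passed":
        category = confidence = None      # 'passed', or header absent
    else:
        category, _, confidence = result.partition("_")
    cat_scores = {k: v for k, v in scores.items() if k in CATEGORIES}
    top = max(cat_scores, key=cat_scores.get) if cat_scores else None
    # Assumption: the result label starts with the same letter as its score
    # key (the page shows this only for Commercial / C).
    consistent = None if category is None or top is None else category[0].upper() == top
    return {"category": category, "confidence": confidence,
            "clean": scores.get("Clean"), "scores": cat_scores, "top": top,
            "baseline": settings.get("Baseline"), "thresholds": thresholds,
            "consistent": consistent}

# Header values from the page's example; From/Subject/body are constructed.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
X-imss-result: Commercial_LeastConfident
X-imss-scores: Clean:0.0003 C:42 M:2 S:5 R:5
X-imss-settings: Baseline:4 C:3 M:3 S:4 R:3 (0.1000 0.3000)
X-pstn-settings: 3 (1.0000:3.0000) smCr

body
"""

if __name__ == "__main__":
    print(parse_imss(SAMPLE))
```

A 'consistent' value of False flags a message whose reported category is not the highest-scoring one, which is worth a manual look before adjusting category sensitivities.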