Email Filtering at UEL

To reduce the number of such email messages reaching recipients at UEL, all email messages received by the Exchange email system from our external mail gateway machines (i.e. any messages addressed to the @uel.ac.uk domain) will pass through the Surf Control mail filtering software. Email which is only addressed to internal recipients using the Outlook Address Book will not be filtered.

Maintained and updated daily, our Spam filters currently block around 50% of all incoming messages and our anti-virus software blocks a further 8%.

There are a number of rules used to scan a message and determine if it is spam. The following rules are applied in the order shown.

1. Executables
   Messages that contain executable attachments will be blocked. This is mainly intended as a back up to the anti-virus filters as viruses that travel via email typically contain malicious code that can activate as soon as it is read (The UEL Outlook configuration should prevent this happening, but the more layers of protection the better). If you need to send executable code via email, simply rename the filename extension to .txt before attaching to the outgoing message. You must also tell the recipient to change the extension back to the original before they can run it.

2. Anti-Spam Agent
   Blocks messages based on a pre-categorized database of content. This is updated nightly from the Surf Control website. No notification is sent to the sender of blocked messages.

3. Advertisement E-mails
   Blocks messages containing the ADV: advertisement tag. No notification is sent to the sender of blocked messages.

4. Spam Misspellings Dictionary
   A dictionary of keywords which are 'scored' according to each matching occurance in the message scanned. Every word in this dictionary carries a high score and any two such words (or 2 occurences of the same word) found in the message being scanned will result in that message being blocked. Anyone attempting to avoid the anti-spam filters by deliberately misspelling words will simply make it far more likely that their message will be blocked. No notification is sent to the sender of blocked messages.

5. Spam Dictionary
   A dictionary of keywords and phrases which are 'scored' according to each matching occurance in the message scanned. Every word in this dictionary carries a score according to the chances of it's appearing in spam messages. Many of these words may also appear in innocent messages and these will score low (e.g. 'discount' is scored 10), others which are much less likely to appear in innocent messages score higher (e.g. 'eliminate your debt' is scored 40). The threshold score which will cause a message to be blocked by this rule is 120. It will therefore take several combinations of words or phrases to achieve this score and thus ensure that only spam messages are blocked. No notification is sent to the sender of bocked messages.

6. Adult Dictionary
   Another dictionary of keywords and phrases which are 'scored' according to each matching occurance in the message scanned. Words in this dictionary are mainly related to sexual content and are typically scored between 30 and 50. This is one of the most difficult dictionaries/rules to maintain as people often use sex related words in humour or as swear words in otherwise innocent messages. This can cause messages that are not spam to be inadvertantly blocked. However, it would take several instances of any particular words (or combination of such words) to cause a message to be blocked. While it is not UEL's intention to impose censorship on email messages, it would assist greatly if people could avoid the use of words likely to trigger this rule. Senders will be notified that their message was blocked.

7. Spam Websites
   Another dictionary, but this one contains the addresses of know spam related websites. Any single instance of one of these addresses found in a message will cause the message to be blocked. Unfortunately spammers change their website addresses frequently so this rule is not as effective as it might appear at first glance. No notification is sent to the sender of blocked messages.

8. Remote Images
   A favourite trick of spammers is to send a small message which contains links to images on a website. The message content appears innocent, but the image which is loaded from the website when the message is opened could be anything from text displayed as a image to a pornographic picture. (Try right-clicking on a message which displays an image and select 'View Source'. You can then see how many words that appear on screen are actually in the email message and how many are part of the image). Any messages containing more than a single remote image will be blocked (We have to allow at least 1 image because many free email services attach remote images to messages as part of the signature). No notification is sent to the sender of blocked messages.

Notifying Senders

However, the adult dictionary rule will return a message to the sender stating
'This message has been blocked because it appears to contain words or phrases which might offend some people.
Please rephrase your message and resend it.

If you really must send email containing these words and phrases, please include the keyword 'UELNoScan' in the subject heading to bypass the spam filters.'

Some Do's and Don'ts

Don't include the whole message when replying. Only quote enough of the original message to put your reply into context. Some mail systems automatically add disclaimers to outgoing messages and these can include phrases such as 'received this message in error' which also often appear on spam messages. 1 or 2 such phrases will not cause the message to be blocked, but if a message has gone back and forth several times with a new disclaimer added each time it may eventually cause messages to be blocked.

Don't use ???? in messages. Multiple question marks are a typical indicator of spam. The system will block any message containing more than 3 '?' in sequence.

Missing Messages?

Please contact the IT Helpdesk on ext 2468, or email 'Helpdesk' for assistance. They will be able to check the filters for messages addressed to you and release them if required. If you can give an idea of the approx time the message was sent, or likely subject heading, that will assist in checking to see if the message has been inadvertantly blocked.

Bypassing the Filters

If all messages from a particular sender are being blocked, then it is possible that we can adjust the score of particular keywords to reduce the chances of innocent messages being blocked. If all else fails we can also add the sender address to a whitelist so that no messages from that source are blocked. This does however slow down the processing of all incoming mail and is therefore only used as a last resort.

We also have a 'recipients whitelist' which allows all messages to a particular recipient to bypass the filters. This does however slow down the processing of all incoming messages and is therefore only used as a last resort. The recipient will also have to make their own arrangements to deal with the spam that would reach their mailbox.

Updating the Filters