EITS Spam Control Strategy Frequently Asked Questions
- Why is EITS combating spam on UGAMail?
- How well are the anti-spam tools used on UGAMail working?
- How were the three different applications that EITS uses to block spam on UGAMail (Realtime Block Lists, Greylisting, and SpamAssassin) selected?
- What are Realtime Block Lists (RBL) and how do they work?
- What is Greylisting and how does it work?
- What is SpamAssassin and how does it work?
- Can the use of the UGAMail spam filtering tools cause legitimate email not to be delivered?
- What should I do if I suspect that legitimate email is not being delivered to me?
- Can individual faculty, staff, and students opt out of the spam filtering process on UGAMail?
- Where can I go to learn more about using UGAMail?
1. Why is EITS combating spam on UGAMail?
EITS constantly monitors spam because of the problems that it can cause for students, faculty, and staff at UGA by clogging up email inboxes -- and because of the detrimental effect it has on the UGAMail system itself. The rate of spam has drastically increased over the past several years and has risen to unprecedented levels in the past few months.
According to an October 27, 2006, article that appeared in Security Focus News, estimates are as high as a 450% increase in spam over the 8 months preceding that article. The increase is due in part to the increased use of “botnets,” which are networks of compromised PCs, as the originating point for the spam. Instead of single computers sending out spam, spammers are using the resources of thousands of computers to send out millions of spam messages, which makes it harder to detect the source of the spam. Spam is also increasingly difficult for spam filters to detect, since spammers are using embedded images and other techniques to get past the spam recognition programs.
2. How well are the anti-spam tools used on UGAMail working?
The tools used on UGAMail have resulted in a tremendous reduction in spam messages that would have otherwise found their way into user inboxes. Based upon current data, these tools stop over 1.5 BILLION spam messages from reaching UGAMail inboxes annually.
Data as of February 2007 indicate the following:

| Daily volume | Description |
| --- | --- |
| 4.9 million | Estimated number of daily attempts to send email to UGAMail |
| -2.9 million | Blocked by RBLs on average daily |
| -1.0 million | Rejected by greylisting on average daily |
| -380 thousand | Delivered to users’ junk mail folders on average daily |
| 620 thousand | Delivered to users’ inboxes on average each day |
3. How were the three different applications that EITS uses to block spam on UGAMail (Realtime Block Lists, Greylisting, and SpamAssassin) selected?
EITS always completes a comprehensive evaluation and due-diligence assessment before deploying any major production software application. This is a multi-step process that involves extensive research, consultation with peers in academia and industry, the use of IT consultants, and detailed testing. Accordingly, we have identified and deployed three major industry-standard spam reduction tools to reduce spam on UGAMail.
- Realtime Block Lists (RBLs)
- Greylisting
- SpamAssassin
These are all industry-standard tools, deployed according to best-practice standards, and are in use at many commercial and academic institutions worldwide. Several of these institutions were contacted by EITS before deploying the tools here at UGA, and they all reported a substantial reduction in spam with very minimal problems.
4. What are Realtime Block Lists (RBL) and how do they work?
RBLs are lists maintained by subscription services that identify known spammers from their activity on the Internet. The use of RBLs allows UGAMail to reject connections from these spammers. RBLs are typically updated several times each day. If a server has been listed as a likely spam host by an RBL that UGAMail uses, the email will be refused immediately. The RBLs selected to protect UGAMail were chosen for their conservative approach and responsiveness to problems. In the unlikely event that an email server is incorrectly identified as a spammer by an RBL, it is removed from the RBL expeditiously.
5. What is Greylisting and how does it work?
Greylisting interacts with email servers sending email to UGAMail by temporarily rejecting email from the sender if email has not been previously received from that specific user account on that specific email server. According to the Internet Engineering Task Force, a properly configured email server should attempt to send the message again after a short period of time. The vast majority of all legitimate email servers are configured this way.
Once the message is sent again from the originating server, the sender is added to UGAMail's internal database for a period of 45 days. Most spammers do not have their servers configured to resend the email, which results in a great reduction in spam sent to UGAMail.
All email sent from a ‘uga.edu’ address is exempt from greylisting.
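The greylisting decision described above, as an added Python sketch that is not EITS's implementation. The 45-day retention and the uga.edu exemption come from this FAQ, as does the per-IP exemption it mentions for servers that cannot retry; the 5-minute minimum retry delay, the class and function names, and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=45)          # FAQ: a sender that retries is remembered for 45 days
MIN_RETRY_DELAY = timedelta(minutes=5)  # assumption: the FAQ only says "a short period of time"
EXEMPT_DOMAINS = {"uga.edu"}            # FAQ: mail from a uga.edu address is exempt


class Greylist:
    def __init__(self, exempt_ips=()):
        self.exempt_ips = set(exempt_ips)  # servers exempted by an administrator
        self.pending = {}                  # (sender, server_ip) -> time of first deferred attempt
        self.known = {}                    # (sender, server_ip) -> time the entry expires

    def check(self, sender, server_ip, now):
        """Return 'accept' or 'defer' (a temporary SMTP failure) for one delivery attempt."""
        sender = sender.lower()
        if sender.rpartition("@")[2] in EXEMPT_DOMAINS or server_ip in self.exempt_ips:
            return "accept"
        key = (sender, server_ip)
        if key in self.known:
            if now < self.known[key]:
                return "accept"
            del self.known[key]            # entry expired: the pair is greylisted again
        first = self.pending.setdefault(key, now)
        if now - first < MIN_RETRY_DELAY:
            return "defer"                 # first attempt, or a retry that came too soon
        del self.pending[key]
        self.known[key] = now + RETENTION  # a compliant server retried: remember it
        return "accept"


def replay(events, exempt_ips=()):
    """Run (minutes_offset, sender, server_ip) events through a fresh greylist."""
    start = datetime(2007, 2, 1, 9, 0)     # constructed start time
    gl = Greylist(exempt_ips)
    return [gl.check(s, ip, start + timedelta(minutes=m)) for m, s, ip in events]


DAY = 24 * 60
SAMPLE = [  # constructed events; addresses use documentation ranges
    (0, "alice@example.org", "192.0.2.10"),              # first contact
    (1, "alice@example.org", "192.0.2.10"),              # retry too soon
    (10, "alice@example.org", "192.0.2.10"),             # proper retry
    (30 * DAY, "alice@example.org", "192.0.2.10"),       # within 45 days
    (10 + 45 * DAY, "alice@example.org", "192.0.2.10"),  # entry expired
    (0, "bulk@example.net", "203.0.113.5"),              # sender that never retries
    (0, "prof@uga.edu", "198.51.100.7"),                 # exempt domain
    (0, "list@example.com", "198.51.100.9"),             # exempt by IP
]

if __name__ == "__main__":
    print(replay(SAMPLE, exempt_ips={"198.51.100.9"}))
```

A sender that never retries stays in the pending table and is never accepted, which is the effect the FAQ attributes to most spam sources.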
6. What is SpamAssassin and how does it work?
SpamAssassin is a computer program used for e-mail spam filtering based on content-matching rules. A large set of rules is applied to determine whether an email is spam or not. To decide, specific fields within the email header and the email body are searched with regular expressions for patterns typical of spam, and when these expressions match, the email is assigned a score. The message is then routed to the mailbox[es] of the intended UGAMail user. If the UGAMail recipient has his/her Junk Mail control turned on (see Anti-SPAM Quickstart for details), messages with a total score greater than 50 are routed to the Junk Mail folder.
7. Can the use of the UGAMail spam filtering tools cause legitimate email not to be delivered?
EITS is aware of a few specific instances where expected email has not arrived for a few UGAMail users -- these are typically known as false positives when caused by anti-spam measures. We take this very seriously and our goal is to eliminate false positives. However, although we are diligent in minimizing false positives by following industry best practice, the only way to avoid them completely is to do no spam filtering.
Steven Baker, a senior writer for BusinessWeek, recently summed it up this way in BusinessWeek online: “…strategists, struggling with spam detection, face a nasty choice: They either pelt us with lots of spam, or they take out a big chunk of it---including a certain number of false positives.” Similarly, Andrew Lochart, director of product marketing with spam blocking service Postini, was recently quoted in several online publications as saying, “I don't think we're ever going to reach the nirvana of stopping 100 percent of spam with no false positives.”
How can false positives occur?
RBLs. In some cases legitimate email servers get erroneously listed on RBLs, even on those RBLs that take a conservative approach. If this happens with one of the RBLs that UGAMail relies on, email from that server will be rejected until the sending server is removed from the RBL. Generally the administrators of servers sending email to UGAMail find out quickly if their servers have been listed, since UGAMail indicates that fact in the bounce messages returned to the sending email server. Additionally, if EITS is made aware of these failures we can consult the RBL records to determine whether the server in question was blocked. In some cases UGAMail gets blocked by RBLs used by other institutions or service providers. When that happens it is quickly apparent to the UGAMail administrators, and EITS works to get UGAMail removed from the RBL as quickly as possible.
Greylisting. With greylisting in place, non-compliant email servers (those that will not attempt redelivery of email after receiving the initial temporary failure code) will not re-send email to UGAMail. In most cases this is apparent to the sender, or the administrators of the sending server, since “bounce messages” from UGAMail alert them to that fact. If EITS is made aware of these failures in a timely fashion, we can work with the administrators of the systems trying to send email to UGA to resolve the problem. Usually, the sending email server can be reconfigured to retry delivery, as it should according to established Internet standards (RFC 821). If reconfiguration is not an option, EITS can exempt the remote email server from Greylisting if the IP number[s] of the remote host[s] can be determined.
If a message is sent from a non-compliant email server, the email will not be delivered to the UGAMail user and an error code will be returned to the sending email server. The sender of the original message may or may not receive a “bounce message” indicating that the email could not be delivered as a result of this error code. Senders may not receive this notice if they have their own junk mail filters configured such that they never receive the “bounce messages,” and don't realize that UGAMail has sent a failure notice. This creates the impression that the message vanished without a trace, when in fact the UGAMail servers tried to alert the remote email server of a problem that needed to be addressed.
SpamAssassin. If you are not forwarding your email to another email provider, then the tool will treat email scored as spam by sending it to your Junk Mail folder unless you have instructed UGAMail to send the mail to another folder or delete it. If you are forwarding email using the built-in UGAMail forwarding feature, then any message with a spam score of 100 or greater will be discarded without forwarding. For more information about UGAMail forwarding, see: http://eits.uga.edu/ugamail/help/fwd-filter.html
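How rule scoring and the two thresholds in this FAQ combine into a delivery decision, as an added Python sketch that is not SpamAssassin's or EITS's code. The 50 and 100 thresholds come from the FAQ; the four rules, their scores, the function names and the sample messages are constructed for illustration, and forwarding everything below 100 is an assumption drawn from the FAQ's wording.

```python
import re

JUNK_THRESHOLD = 50      # FAQ: total score greater than 50 goes to Junk Mail if Junk Mail control is on
DISCARD_THRESHOLD = 100  # FAQ: score of 100 or greater is discarded when UGAMail forwarding is used

# Constructed rules (not SpamAssassin's rule set): (name, field, pattern, score)
RULES = [
    ("SUBJ_ALL_CAPS", "subject", re.compile(r"^[^a-z]*[A-Z]{5,}[^a-z]*$"), 30),
    ("SUBJ_MONEY", "subject", re.compile(r"\$\d|free money", re.I), 30),
    ("BODY_CLICK_HERE", "body", re.compile(r"click here", re.I), 25),
    ("BODY_IMAGE_ONLY", "body", re.compile(r"^\s*<img\b[^>]*>\s*$", re.I), 40),
]


def score(message):
    """Return (total score, names of the rules that matched) for a dict of fields."""
    hits = [(name, pts) for name, field, rx, pts in RULES
            if rx.search(message.get(field, ""))]
    return sum(pts for _, pts in hits), [name for name, _ in hits]


def route(total, junk_control_on=True, forwarding=False):
    """Map a total score to 'inbox', 'junk', 'forward' or 'discard'."""
    if forwarding:
        # Assumption: anything below the discard threshold is still forwarded.
        return "discard" if total >= DISCARD_THRESHOLD else "forward"
    if junk_control_on and total > JUNK_THRESHOLD:
        return "junk"
    return "inbox"


# Constructed sample messages
HAM = {"subject": "Meeting notes for Tuesday", "body": "Agenda attached."}
SPAM_TEXT = {"subject": "FREE MONEY $500 TODAY", "body": "Click here now"}
SPAM_IMAGE = {"subject": "FREE MONEY $500 TODAY", "body": '<img src="cid:offer">'}

if __name__ == "__main__":
    for msg in (HAM, SPAM_TEXT, SPAM_IMAGE):
        total, names = score(msg)
        print(total, names, route(total), route(total, forwarding=True))
```

The image-only message reaches 100 and is the one case a forwarding user never sees, so a false positive at that score leaves no copy in any folder.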
8. What should I do if I suspect that legitimate email is not being delivered to me?
Time is of the essence. If UGAMail users suspect that an intended email message has not arrived, they should contact the EITS Help Desk as soon as possible (542-3106). The UGAMail administrators have very detailed logs and upon request will attempt to locate any messages that seem to have gone astray. However, due to disk space constraints only two weeks of logs are kept. In the event that troubleshooting requires the cooperation of the administrators of remote email servers, they often face similar limitations with regard to logs of past events.
If you believe that you or those whom you support are not receiving emails (reports from colleagues, lack of response to emails you send), contact the EITS Help Desk as soon as possible. In order to provide satisfactory service, we'll need the following details:
- Your MyID, or the MyID that the email was supposed to be sent to.
- The sending email address, so we can search for email coming from that user.
- The time and date on which the email in question was sent. As noted above, we only keep two weeks of logs, and the RBLs that we utilize are updated automatically, so the sooner we get your information the more likely it is that we will be able to help.
9. Can individual faculty, staff, and students opt out of the spam filtering process on UGAMail?
EITS has investigated additional options and plans to offer an alternative for faculty, students, and staff to individually select a less stringent spam filtering process when the next version of UGAMail is deployed later this spring. EITS will provide more information on this option when it becomes available this spring. Individuals who select this option, however, will likely have significantly more junk mail messages in their inbox.
10. Where can I go to learn more about using UGAMail?
http://ugamail.uga.edu