SIUMED Email Scanning
Information Resources maintains software on our mail servers to help identify junk (SPAM) and malicious (virus) email. IR makes every effort to avoid modifying email messages and to notify senders when an email is rejected for security reasons. Springfield SOM users should contact their LAN administrator or desktop support personnel for assistance. Carbondale SOM users should contact IRC at firstname.lastname@example.org 618-453-1514. Questions or comments about our email system should be directed to email@example.com.
Attachments which commonly carry virus payloads are removed from email messages and replaced with a warning. For example, a message containing an attached file named test.exe will result in the following message:

WARNING: This e-mail has been altered by the SIUMED Email Scanner. Following this paragraph are indications of the actual changes made. For more information about SIU School of Medicine's email policy, contact firstname.lastname@example.org

An attachment of type application/x-msdownload, named test.exe was removed from this document as it constituted a security hazard. If you require this document, please contact the sender and arrange an alternate means of receiving it.
IR subscribes to services that report known SPAM senders, and IR, in turn, blocks (blacklists) email from those sources. Because these senders change frequently, the blacklists are continuously updated, but there is a lag before a new SPAM source is detected and reported.

IR also uses SpamAssassin to flag suspected junk email. NOTE: These flags have no effect unless users have configured email filters to process mail based on the SPAM score.

SpamAssassin uses a series of heuristic tests on mail headers and body text to identify spam. Each message is given a score based on the number of tests which are positive. The higher the score, the more likely the message is unsolicited email. SpamAssassin is configurable in various ways, but it is an automated flagging mechanism. It is quite possible that real emails will be flagged with the special header, just as it is possible that junk mail messages will get through without being flagged.

Mail which has been flagged as spam will contain two headers that are useful for filtering. (To view the X-Spam-Score of a message in Thunderbird, click View -> Headers -> All.)

X-Spam: yes
X-Spam-Score: ********* (9)
The X-Spam header will be added to any message which scores over the default (conservative) threshold of 5. The X-Spam-Score header will contain a series of "*" characters equal to the numeric score of the message. This header allows individual email clients to set their own minimum score for spam. (See below for filtering details.)
IR recommends you use the X-Spam headers to filter email into a separate folder. That way, you can periodically review the folder to make sure no legitimate mail was flagged by mistake, and then bulk delete the messages in the folder. IR STRONGLY discourages automatically deleting spam via filters in your mail client. You run the risk of deleting legitimate non-spam email. If this does happen, IR does NOT have a way to restore deleted messages.

IR provides instructions for Netscape (our officially supported email client). If your department uses Microsoft Exchange, please contact your LAN administrator for assistance. If using another client, see your software documentation for help setting up filters.
All email handled by IR mail servers is scanned for malicious payloads (viruses). An "X-Virus-Scanner" header is added to each scanned message, showing the McAfee version used to scan the message. Email which can clearly be identified as a virus is logged and discarded; neither the sender nor the recipient is notified. Payloads which might contain a virus are delivered to the intended recipient with the following changes:

1) Additional headers are added to the message.
2) The suspect attachment is renamed to an "inert" filename and MIME type.
3) A warning message called "WARNING.TXT" is prepended to the message.

IR has decided to rename rather than remove potential viral payloads. This allows LAN administrators and desktop support personnel to recover attachments that have falsely alerted without IR's intervention.
Here is an example of a possible viral payload that has been modified. (In this example the message attachment "Readme.bat" was infected with the W32/Klez.h@MM virus.)

-- HEADERS
X-Virus: W32/Klez.h@MM found
X-Virus-Report: : Found the W32/Klez.h@MM virus !!!

-- MESSAGE
WARNING: This e-mail has been altered by the SIUMED Email Scanner. Following this paragraph are indications of the actual changes made. For more information about SIU School of Medicine's email policy, contact email@example.com

An attachment named 'Readme.bat' was converted to 'defang-1.binary' because its contents may pose a security risk or contain a virus. If you have questions about recovering this file or the meaning of this message please contact your Desktop Support Person or LAN Administrator
Do not be alarmed if you receive an email message which appears to be sent from your email account. Many viruses select a random email address from the infected machine's address book and pretend to be this sender (the Klez virus exhibits this behavior). If you receive an email with the above warning message, the safest action is to delete it. If you have questions or problems, please contact your desktop support personnel or LAN Administrator.
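The header-based filtering described above can be expressed as a small triage routine. This is an added example, not IR's own code or configuration; the folder names, the `min_score` parameter and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Folder names are assumptions for this example, not SIUMED settings.
INBOX, JUNK, VIRUS = "Inbox", "Junk-Review", "Virus-Warning"

def spam_score(msg):
    """Return the score encoded in X-Spam-Score, or None if absent/malformed.

    The documented form is a run of '*' followed by the number in parentheses,
    e.g. '********* (9)'. A number that disagrees with the star count is
    treated as malformed rather than trusted.
    """
    raw = msg.get("X-Spam-Score")
    m = re.fullmatch(r"\s*(\*+)\s*(?:\((\d+)\))?\s*", raw or "")
    if not m:
        return None
    stars = len(m.group(1))
    if m.group(2) is not None and int(m.group(2)) != stars:
        return None
    return stars

def triage(raw_message, min_score=None):
    """Choose a folder for a message. Nothing is deleted, so a false positive
    can still be recovered from the review folder.

    min_score=None relies on the server's X-Spam flag (default threshold);
    an integer applies the client's own minimum to the star count instead.
    """
    msg = message_from_string(raw_message)
    if msg.get("X-Virus"):            # scanner defanged a suspect attachment
        return VIRUS
    score = spam_score(msg)
    if min_score is not None and score is not None:
        return JUNK if score >= min_score else INBOX
    flagged = (msg.get("X-Spam") or "").strip().lower() == "yes"
    return JUNK if flagged else INBOX

# Constructed sample messages using the header forms shown on this page.
SPAM = "Subject: offer\nX-Spam: yes\nX-Spam-Score: ********* (9)\n\nbuy now\n"
MILD = "Subject: newsletter\nX-Spam-Score: *** (3)\n\nhello\n"
KLEZ = ("Subject: hi\nX-Virus: W32/Klez.h@MM found\n\n"
        "WARNING: This e-mail has been altered by the SIUMED Email Scanner.\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("MILD", MILD), ("KLEZ", KLEZ)):
        print(name, triage(raw), triage(raw, min_score=8))
```

A message whose X-Spam-Score cannot be parsed falls back to the X-Spam flag, so a malformed header never causes mail to be misfiled on the score alone.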
Client Side Filtering
Instructions for other clients