Our Battle Against Spam & Viruses
UA TCF Depart. & SCMS
All email that travels through tcf.ua.edu or cinemastudies.org is checked for spam and viruses. Messages carrying obvious virus and network worm files are rejected and not delivered to the user. However, in an attempt to balance email security with email efficiency, we do not block spam messages outright; instead, we mark suspected spam messages in such a way that users can block them on their own.

This document details how the user may configure his or her email client (e.g., Microsoft Outlook Express, Eudora, Netscape Mail, etc.) to recognize such spam markings. At the end of this document we also go into detail about our virus scanning technique.
Welcome to the Assassinator of Spam

SpamAssassin automatically analyzes messages as they arrive at our system, checking features of both structure and content in a most sophisticated manner. The program assigns a score to messages that show a certain level of spam characteristics. The higher the score, the more likely the message is to be undesired spam.

SpamAssassin is not perfect. On occasion, a desired message gets a high score, or a bona fide piece of spam scores low. Because of this, we have found that simply deleting all high-scoring messages as they travel through the system is ill-advised; occasionally a valid message would be deleted. A more prudent approach is to pass the spam score to the user and allow him/her to decide how aggressively he/she wishes to combat spam.
How To Combat Spam with SpamAssassin and Your Email Client

The key is to set up a filter or rule on your e-mail system. How do filters/rules work?

- A message arrives at your computer--having been transferred from a distant machine to your computer's email software.
- Common types of email software are Microsoft Outlook (and Outlook Express), Eudora, Netscape Mail, Pegasus, and Pine. These are all email clients that interact across the Internet with email servers.
- Your email software looks at that message and inspects what is in its body (the text part of the message intended for human consumption) and its header (the normally hidden part that details how the message got to you and is read by the computer).
- Your email software then processes the mail based on any filters/rules the user has created.
- These filters/rules might, for example, look for all messages from Screen-L@bama.ua.edu (an email discussion group) and automatically put them all in an email folder labeled "Screen-L." Or a filter/rule might sound an alarm if a message arrives from TheBigBoss@example.com. There's no end to what filters/rules can do.
- Note: Many email services that are read using a Web browser do not offer filtering. BamaMail (bamamail.ua.edu), however, does offer filtering, although it is not very sophisticated.
How do filters or rules work with SpamAssassin?

- While traveling through our email system, messages are encoded with special SpamAssassin data. These data are concealed in the normally hidden email headers and do not affect the text of the message in any manner.
- Sample header information is available in a separate window.
- Of special interest to spam fighters is this header:
  X-Spam-Level: ********
  The number of asterisks indicates the level of suspected spam in a message. In our sample, we see eight asterisks--indicating that this message scored over 8.0 in SpamAssassin's spam-scoring system. Anything over 5.0 is very likely to be spam.
- The user may now create a filter by telling his/her email software to check the header for
  - X-Spam-Level, and
  - then to check whether the Spam-Level contains at least five asterisks (*****).
  - Tip: If you find spam is still sneaking through, you can reduce the number of asterisks to make your system even more sensitive to spam.
  - Another tip: If you're curious about how SpamAssassin arrived at this score, look at the X-Spam-Report header, which shows the specific tests run on that message and the resulting score.
  - How one views headers differs greatly among email software. Please see the documentation for your software for specifics.
- If the filter finds that there are five asterisks, then it can be instructed to take some action. At the user's discretion, it can:
  - Quarantine the message in a "spam" folder. This way, the spam is pushed immediately out of view whenever you check your mail. Every few days it is advisable to open the folder, check for valid messages, then delete the folder's unwanted contents.
  - Immediately delete the message.
- The specifics of how each email software creates a filter or rule are available elsewhere on the Web:
  - Microsoft Outlook Express
  - Eudora
    - Windows (type "Spam-Level" into the Header box and "*****" in the contains box--without the quotation marks)
    - Mac (look under "Creating a Detailed Filter")
  - Netscape Mail
  - Pine
- 'Course, if the filter does not find a Spam-Level of five asterisks or more, then it does nothing special to the message.
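As an added illustration (not code from the TCF mail system or from this page), the following Python script applies the same rule a mail client filter would: it reads the X-Spam-Level header, counts the asterisks, and quarantines the message when there are at least five, with the threshold adjustable as the tip above suggests. The sample messages, addresses and header values are constructed for the example.

```python
import email
from email import policy

# Constructed sample messages; the addresses and header values are invented
# for illustration and are not taken from the page's header sample.
SAMPLE_SPAM = """\
From: TheBigBoss@example.com
To: user@tcf.ua.edu
Subject: free prizes
X-Spam-Level: ********
X-Spam-Report: (constructed) tests and scores would be listed here

Click here to claim your prize.
"""

SAMPLE_HAM = """\
From: Screen-L@bama.ua.edu
To: user@tcf.ua.edu
Subject: [Screen-L] call for papers
X-Spam-Level: *

The call for papers is below.
"""


def spam_level(raw_message: str) -> int:
    """Return the number of asterisks in X-Spam-Level (0 if the header is absent)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    level = str(msg.get("X-Spam-Level", ""))
    # One asterisk per point of SpamAssassin score; count only the asterisks
    # so stray whitespace in the header value does not matter.
    return level.count("*")


def classify(raw_message: str, threshold: int = 5, action: str = "quarantine") -> str:
    """Mimic the client-side filter: at least `threshold` asterisks -> `action`,
    otherwise the message is delivered as usual.  Lowering `threshold` makes the
    filter more aggressive; `action` may be "quarantine" or "delete"."""
    if spam_level(raw_message) >= threshold:
        return action
    return "deliver"


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, spam_level(raw), classify(raw))
```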
A Wee Bit of Virus/Worm Scanning

Our email system does only some very crude scanning for viruses. And it must be emphasized that this scanning must not take the place of virus protection on your own machine.

What we do is check messages for dangerous files attached to or embedded in them. If the system finds a dangerous one, the entire message is rejected. However, our method for identifying dangerous files is not to run a virus-checker on the content of the file. Instead, the system looks for files with suspicious names. So, you can see, the sophistication of our virus checking is pretty low.

What names do we check for? The system looks at the file's extension--the last three or four characters after the period--that indicate if the file can execute itself and do damage to your system. If the file's name has no extension (as with many Mac-produced files), the system passes it through.

File name extensions we check for and block:

- asd, bat, chm, cmd, com, dll, exe, hlp, hta, js, jse, lnk, ocx, pif, scr, shb, shm, shs, vb, vbe, vbs, vbx, vxd, wav, wsf, wsh

Such files have no place in email.

Please note that we do not block files with the conventional extensions for Microsoft Office documents--e.g., doc, xls, ppt, and so on. Macros (small pieces of computer code used to automate word processing and the like) that run through these files are a common way of circulating viruses and worms. Thus, our system does nothing to block macro viruses/worms. We chose not to block MS Office documents because too many of our users need to circulate them.
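To show what a name-based check of this kind does and does not catch, here is an added Python example (not the TCF system's own code): it walks a message's parts, takes the text after the last period of each attachment filename, and flags it if it is on the block list above. A file with no extension, or an Office document such as report.doc, passes through exactly as the text describes. The sample messages and filenames are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# The extension list the page says the mail system rejects.
BLOCKED_EXTENSIONS = {
    "asd", "bat", "chm", "cmd", "com", "dll", "exe", "hlp", "hta", "js", "jse",
    "lnk", "ocx", "pif", "scr", "shb", "shm", "shs", "vb", "vbe", "vbs", "vbx",
    "vxd", "wav", "wsf", "wsh",
}


def extension_of(filename: str) -> str:
    """Return the lower-cased text after the last period, or "" if there is none."""
    name = filename.rsplit("/", 1)[-1]   # ignore any path component
    if "." not in name:
        return ""                        # no extension: passed through
    return name.rsplit(".", 1)[1].lower()


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the attachment filenames whose extension is on the block list.
    A non-empty result means the whole message would be rejected."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()   # None for parts without a filename
        if filename and extension_of(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_message(attachment_names):
    """Construct a sample multipart message with dummy attachments (illustration only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@tcf.ua.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in attachment_names:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_message(["report.doc", "setup.EXE"])))
```

Note that the check looks only at content-free filenames, so it says nothing about what is inside a .doc that passes, which is the macro-virus gap the text acknowledges.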
Parts of this document originally appeared in documentation by the School of Law at the University of Redmond.

Last revised: July 5, 2003
Comments: webmaster@tcf.ua.edu