Blocking Spam at WHOI

To improve the quality of WHOI's email service, CIS uses a number of technical tools to reduce the volume of spam email that is delivered to WHOI mail accounts. This document reviews these tools, how they work, and how WHOI email users can find out more about their spam filtering.

What is spam blocking?

The term "blocking" refers to refusing to accept email from particular IP addresses or networks. Spam blocking is like a specialized firewall for email: when an address is blocked, our mail servers refuse any email from it, for as long as it remains blocked. We can block and unblock addresses as needed, so that if an address starts emitting spam it can be blocked; and if WHOI email users need to receive email from a previously blocked address, it can be unblocked.

We use two different kinds of spam blocking: a locally-maintained set of blocked addresses, and subscription services known as DNSBLs. The first is maintained directly by CIS: when community members report spam that comes from a given address, we inspect the logs and use network tools such as WHOIS to see if that address is also a source of non-spam email. If all the email it sends is spam, we block it.

DNS-based Block Lists, or DNSBLs, are subscription services on the Internet which maintain publicly accessible lists of spam sources. There is a wide variety of DNSBLs available on the Net, with all manner of policies as to what kind of spam sources get listed. We use a group of DNSBLs whose policies are appropriate for WHOI purposes. These block IP addresses which are owned by spammers, or which have security holes that allow spammers to relay spam through them.

When a site that is blocked tries to send email to a WHOI address, our mail server refuses to accept it for delivery. This is the email equivalent of marking the message "return to sender" -- our mail server never deletes blocked email; it always bounces it. Thus, if a non-spam message is inadvertently rejected by a spam block, the message will be returned to the sender with an informative message requesting the sender contact to report the
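The blocking decision described in this section, as an added example that is not WHOI's own configuration or code. It goes slightly beyond the text by showing the standard DNSBL query mechanism (RFC 5782). The zone name, the addresses, the fake DNS data and the `LOCAL_ALLOW` override for an unblocked sender are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample data: documentation address ranges and a placeholder zone.
LOCAL_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]   # locally maintained blocks
LOCAL_ALLOW = [ipaddress.ip_network("198.51.100.7/32")]   # assumed override for an unblocked sender
DNSBL_ZONES = ["dnsbl.example.org"]                       # placeholder, not a real list
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")        # RFC 5782 "listed" answers


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets (nibbles for IPv6) + zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer
    labels = reverse.rsplit(".", 2)[0]      # drop the in-addr.arpa / ip6.arpa suffix
    return f"{labels}.{zone}"


def system_resolver(name):
    """A-record lookup via the system resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_client(ip, resolver=system_resolver, zones=DNSBL_ZONES):
    """Return an SMTP-style reply for a connecting client address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_ALLOW):
        return "250 accepted: locally unblocked"
    if any(addr in net for net in LOCAL_BLOCKS):
        return "554 rejected: local block list"
    for zone in zones:
        answers = resolver(dnsbl_query_name(ip, zone))
        # Only 127.0.0.0/8 answers mean "listed"; any other answer (a parked
        # or wildcarded zone, a rewriting resolver) is treated as not listed.
        if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            return f"554 rejected: listed in {zone}"
    return "250 accepted"


def fake_resolver(name):
    """Constructed DNS data so the example runs offline."""
    zone_data = {
        "99.2.0.192.dnsbl.example.org": ["127.0.0.2"],     # listed
        "10.2.0.192.dnsbl.example.org": ["198.51.100.1"],  # bogus non-127 answer
    }
    return zone_data.get(name, [])
```

Because the refusal is a 5xx reply during the SMTP session, the sending server still holds the message and is the one that generates the bounce to the original sender.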

What is spam filtering?

"Filtering" or "content filtering" refers to automatically scanning incoming email for textual patterns which have been found in spam, and rejecting those messages which contain them. Spam filtering is a built-in feature of the Postfix mail server software that WHOI uses.

When community members report spam to CIS, one of the things we do is to read through the spam message and identify patterns that are likely to occur in spam, but are highly unlikely to occur in non-spam messages. We test these patterns against incoming email over a period of days to ensure that they in fact would not block any legitimate email. Once we are sure of this, we put them in the mail server's ruleset.
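The trial period described above, as an added example that is not CIS's own tooling: candidate patterns run in log-only mode against observed mail, and only those with spam hits and no hits on legitimate mail are promoted. It assumes the Postfix feature in question is the `header_checks`/`body_checks` tables, whose `WARN` action logs a match without rejecting; the messages and patterns are constructed.

```python
import re

# Constructed sample of mail seen during the trial period. "reported" marks
# messages users reported as spam; everything else is presumed legitimate.
# Bodies are single lines because body_checks examines mail one line at a time.
OBSERVED = [
    {"id": "m1", "reported": True,  "body": "Cheap  meds online, no prescription needed!"},
    {"id": "m2", "reported": True,  "body": "You have WON the lottery, claim prize now"},
    {"id": "m3", "reported": False, "body": "Cruise report: we won the sampling lottery for station 12"},
    {"id": "m4", "reported": False, "body": "Seminar Friday: prescription drug residues in coastal water"},
]

# Constructed candidate patterns; the last two are deliberately too broad.
CANDIDATES = [r"cheap\s+meds", r"claim\s+prize\s+now", r"lottery", r"prescription"]


def trial(candidates, observed):
    """Log-only pass: record which messages each pattern would have rejected."""
    report = {}
    for pattern in candidates:
        # Postfix regexp tables match case-insensitively by default.
        rx = re.compile(pattern, re.IGNORECASE)
        hits = [m for m in observed if rx.search(m["body"])]
        report[pattern] = {
            "spam_hits": [m["id"] for m in hits if m["reported"]],
            "false_positives": [m["id"] for m in hits if not m["reported"]],
        }
    return report


def ruleset(report):
    """Emit '/pattern/ ACTION text' lines; unproven patterns stay on WARN."""
    lines = []
    for pattern, result in report.items():
        # Patterns here contain no '/', so no delimiter escaping is needed.
        if result["spam_hits"] and not result["false_positives"]:
            lines.append(f"/{pattern}/ REJECT message content rejected")
        else:
            lines.append(f"/{pattern}/ WARN candidate pattern under test")
    return lines


if __name__ == "__main__":
    for line in ruleset(trial(CANDIDATES, OBSERVED)):
        print(line)
```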

As with spam blocking, spam filtering causes the offending messages to be rejected by the mail server. That means that they are returned to the sender as "bounce messages". The mail server never simply deletes a message with no warning: when a message is blocked or filtered, it is always marked "return to sender" rather than thrown in the trash.

Both blocking and filtering are automated. CIS staff do not review the contents of incoming emails to see if they are spam or not -- the only time we inspect emails for spam is when community members report them to us via the address.

What is virus filtering?

Virus filtering uses the same tools as spam filtering, but the patterns that are scanned for are taken from the binary content of viruses. Many viruses spread by email, and when we find out about one, we try to stop it from spreading into WHOI systems by using filtering.

On rare occasions, when a single IP address or network is emitting large quantities of virus-contaminated email, we may use blocking as well as filtering to deal with the viruses. These blocks tend to be short-lived as most sites clean up virus-infected hosts promptly.

How can I find out what's being blocked?

Many community members have expressed interest in finding out more about what email messages get filtered as spam from their incoming mail. In response, CIS has developed a SPAM digest service as well as customized SPAM lists. The digest sends a list of filtered messages to each employee daily (on a schedule determined by the individual), whereas the lists are available to search at any time, using a browser.

Check your own list of blocked messages for various time frames, in 2 formats at spamlist links.

Access to these logs requires your WHOI email username and password. You can only access the logs for spam messages that were sent to your address. When you access this page, the Web server will report various information on each message that was blocked or filtered.

One of the reasons we're making these services available is so that you can double-check the work of our spam blocks and filters: we want to be sure that no legitimate email is inadvertently being rejected. If you spot anything in the spam rejection logs which you suspect may have been legitimate email, please use the 'Whitelist this sender' link provided or contact to let us know!