Home > Security
> News & Services > Blocking
Spam at WHOI
Blocking Spam at WHOI
To improve the quality of WHOI's email service, CIS uses a number
of technical tools to reduce the volume of spam email that is
delivered to WHOI mail accounts. This document is a review of
these tools and the way they work, and the ways that WHOI email
users can find out more about their spam filtering.
What is spam blocking?
The term "blocking" refers to refusing to accept email
from particular IP addresses or networks. Spam blocking is like
a specialized firewall for email: when an address is blocked,
our mail servers refuse any email from it, for as long as it remains
blocked. We can block and unblock addresses as needed, so that
if an address starts emitting spam it can be blocked; and if WHOI
email users need to receive email from a previously blocked address,
it can be unblocked.
We use two different kinds of spam blocking: a locally-maintained
set of blocked addresses, and subscription services known as DNSBLs.
The first are directly maintained by CIS: when community members
report spam that comes from a given address, we inspect the logs
and use network tools such as WHOIS to see if that address is
also a source of non-spam email. If all the email it sends is
spam, we block it.
DNS-based Block Lists, or DNSBLs, are subscription services
on the Internet which maintain publicly accessible lists of spam
sources. There is a wide variety of DNSBLs available on the Net,
with all manner of policies as to what kind of spam sources get
listed. We use a group of DNSBLs whose policies are appropriate
for WHOI purposes. These block IP addresses which are owned by
spammers, or which have security holes that allow spammers to
relay spam through them.
When a site that is blocked tries to send email to a WHOI address,
our mail server refuses to accept it for delivery. This is the
email equivalent of marking the message "return to sender"
-- our mail server never deletes blocked email; it always bounces
it. Thus, if a non-spam message is inadvertently rejected by a
spam block, the message will be returned to the sender with an
informative message requesting the sender contact email@example.com
to report the
What is spam filtering?
"Filtering" or "content filtering" refers
to automatically scanning incoming email for textual patterns
which have been found in spam, and rejecting those messages which
contain them. Spam filtering is a built-in feature of the Postfix
mail server software that WHOI uses.
When community members report spam to CIS, one of the things
we do is to read through the spam message and identify patterns
that are likely to occur in spam, but are highly unlikely to occur
in non-spam messages. We test these patterns against incoming
email over a period of days to ensure that they in fact would
not block any legitimate email. Once we are sure of this, we put
them in the mail server's ruleset.
As with spam blocking, spam filtering causes the offending messages
tobe rejected by the mail server. That means that they are returned
to the sender as "bounce messages". The mail server
never simply deletes a message with no warning: when a message
is blocked or filtered, it is
always marked "return to sender" rather than thrown
in the trash.
Both blocking and filtering are automated. CIS staff do not
review the contents of incoming emails to see if they are spam
or not -- the only time we inspect emails for spam is when community
members report them to us via the firstname.lastname@example.org
What is virus filtering?
Virus filtering uses the same tools as spam filtering, but the
patterns that are scanned for are taken from the binary content
of viruses. Many viruses spread by email, and when we find out
about one, we try to stop it from spreading into WHOI systems
by using filtering.
On rare occasions, when a single IP address or network is emitting
large quantities of virus-contaminated email, we may use blocking
as well as filtering to deal with the viruses. These blocks tend
to be short-lived as most sites clean up virus-infected hosts
How can I find out what's being blocked?
Many community members have expressed interest in finding out
more about what email messages get filtered as spam from their
incoming mail. In response, CIS has developed a SPAM
digest service as well as customized
SPAM lists. The digest sends a list of filtered messages to
each employee daily (on a schedule determined by the individual),
whereas the lists are available to search at any time, using a
Check your own list of blocked messages for various time frames,
in 2 formats at spamlist links.
Access to these logs requires your WHOI email username and password.
You can only access the logs for spam messages that were sent
to your address. When you access this page, the Web server will
report various information on each message that was blocked or
One of the reasons we're making these services available is so
that you can double-check the work of our spam blocks and filters:
we want to be sure that no legitimate email is inadvertently being
rejected. If you spot anything in the spam rejection logs which
you suspect may have been
legitimate email, please use the 'Whitelist this sender' link
provided or contact email@example.com
to let us know!