Email, Spam, and Filtering

About Email Spam

Unsolicited email is most often called "spam." Because the marginal cost of sending each message is negligible, bulk emailers can send thousands or millions of messages with the knowledge that a small percentage will respond to a commercial offer. The economic costs are imposed primarily on the recipients, who must spend time sorting through their email to determine which messages are legitimate. The content of unsolicited messages can often be considered offensive, and the most abusive bulk emailers are not concerned with providing the ability to opt-out.

Proofpoint Anti-Spam Protection Server

Proofpoint Protection Server is a commercial email filtering product which the CS Department has deployed in order to reduce the quantity of spam, viruses, and other undesirable email reaching our users.

This document is intended to familiarize you with the way Proofpoint works, and to help you customize your Proofpoint configuration so that you can get optimum benefit from it.

Please be aware that, while we have done our best to tune the Proofpoint software to our environment before deployment, all spam filters make mistakes, so please do not blindly trust Proofpoint, as you could end up missing email which may be important to you.

In a hurry? If you are in a hurry, and are minimally concerned about customization, false positives, or other technical details, here is a very simplified summary:

  • Watch your inbox for emails from the PPS software (the subject will start with "End User Digest:"). You will get one at 0800 hours (8 AM) each weekday morning.
  • Inside these emails, look over the list of messages that have been quarantined.
  • If any look like they may not be spam, click the 'Release' link on the left of the message. The message will then be delivered to your inbox.

If you have questions about the Proofpoint software that are not answered by this document or by the CS Guide Email FAQs, please email CS Staff with your question and we will be happy to help. We would also be very interested in hearing your comments on how we can improve this service.


Using Proofpoint Protection Server

You do not have to do anything to start using the Proofpoint software. It is automatically enabled for all CS Department email users, and the default configuration will likely be sufficient for most users.

When an email is sent to your account which the Proofpoint software decides is spam, it will be intercepted (not delivered to your account) and placed in the Proofpoint "Quarantine". Every weekday morning at 0800 hours (8 AM), if there is new email in your quarantine, you will receive an email from the Proofpoint software listing that email. The quarantine emails will look similar to this:

If all of the messages listed are definitely spam, then you can safely delete the digest message, as messages are automatically deleted from the quarantine after two weeks. However, it is often a good idea to keep at least your most recent digest in case you need to use one or more of the links in it. The reasons for this will become more clear when the meanings of the links in the message are explained.

Per-Message Links:

  • Release - This link simply releases the message from the quarantine such that it is then delivered to your inbox. If you are also using SpamAssassin to filter your email, be sure to check your 'caughtspam' folder if you don't receive the message within a few minutes.
  • Safelist - This link will add the sender of a given message (the address in the 'From' column) to the list of addresses which will, in the future, be able to send you email without being intercepted by the Proofpoint software. If you are going to Safelist a sender, be sure to do it before you release the corresponding email, or the software will fail to add the Safelist entry.

    If you do not have a Safelist link, simply log in directly to the Proofpoint server at https://pps.cs.princeton.edu:10020/ using your Unix username and password to manage your account manually.

  • Not Spam - This link will send information about the email to Proofpoint Inc. to be processed in future revisions of their spam detection rules. Clicking this link WILL send information about the message in question to a commercial company that is not part of Princeton University! If you are going to report a message to Proofpoint Inc, be sure to do it before you release it, or the software will no longer be able to send the report.

Per-Digest Links:

  • Request New End User Digest - This link will cause the Proofpoint software to regenerate a full digest for your account. This digest will include all messages currently in your quarantine. This link can be useful if you miss or accidentally delete a digest, or if you are expecting an important message that you think may have been intercepted.
  • Request Safe/Blocked Senders List - This link will cause the Proofpoint software to email you a list of senders who you have explicitly Safelisted or Blocklisted.
  • Manage My Account - This link will take you to a minimal web interface to the Proofpoint software, where you can make various adjustments to your Proofpoint configuration, such as Safe/Blocked Senders lists and your filtering policy (you can opt-out).

    If you do not have a Manage My Account link, simply log in directly to the Proofpoint server at https://pps.cs.princeton.edu:10020/ using your Unix username and password to manage your account manually.

Note that Safelist and Blocklist entries are only effective against the envelope sender address on the message, as distinct from the address in the "From:" header. The envelope sender address may not always be visible to you, but can sometimes be found in the "Return-Path:" header of a message. If you have repeatedly tried blocklisting a particular address, and think you may be having trouble because of the envelope sender address being different, you can contact CS Staff for help with the issue.
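To see whether the two addresses differ for a particular message, save its full source and compare the headers. The following is an added example, not part of the Proofpoint software or of the original document; the function name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def sender_report(raw_message):
    """Compare the From: header with the envelope sender kept in Return-Path:."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    report = {"header_from": header_from, "envelope_sender": None, "list_entry": None}
    return_path = msg.get("Return-Path")
    if return_path is None:
        # No Return-Path: header, so the envelope sender is not visible here.
        report["status"] = "not-recorded"
        return report
    envelope = parseaddr(return_path)[1].lower()
    report["envelope_sender"] = envelope
    if not envelope:
        # "Return-Path: <>" is the empty envelope sender used by bounce messages.
        report["status"] = "null-sender"
    else:
        report["status"] = "same" if envelope == header_from else "differs"
        report["list_entry"] = envelope  # the address a list entry has to name
    return report

# Constructed sample messages (example.* domains), not real mail.
LIST_MAIL = (
    "Return-Path: <bounce-4821@lists.example.net>\n"
    'From: "Course Announcements" <announce@example.edu>\n'
    "Subject: Schedule change\n\nSee the course page.\n"
)
DIRECT_MAIL = (
    "Return-Path: <Alice@Example.org>\n"
    "From: Alice <alice@example.org>\n"
    "Subject: Lunch\n\nNoon?\n"
)
BOUNCE_MAIL = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@mx.example.net\n"
    "Subject: Undelivered mail\n\nDelivery failed.\n"
)
NO_PATH_MAIL = "From: bob@example.com\nSubject: Hi\n\nHello.\n"

if __name__ == "__main__":
    for raw in (LIST_MAIL, DIRECT_MAIL, BOUNCE_MAIL, NO_PATH_MAIL):
        print(sender_report(raw))
```

When the status is "differs", the Return-Path address is the one a Safelist or Blocklist entry has to match; "not-recorded" and "null-sender" are the cases where CS Staff can help.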

Opt'ing Out of Proofpoint Protection

If the Proofpoint software does not work well for you, or you simply do not need or want spam protection, you can set the Proofpoint software to not intercept your mail. It will still add headers to the message to indicate whether or not the message would have ordinarily been intercepted, and so is not a pure form of opt-out, but it will not intercept messages or maintain a quarantine for you. To make this setting change:

  1. Click the Manage My Account link in one of your Proofpoint digests.
  2. On the resulting page, click on Profile in the lower-left corner.
  3. Under My Settings, change the setting for the question "What type of spam detection do you want? Please select a policy from the list below."
    • Tag Only; Don't Interfere - This is the equivalent of opt-out.
    • Global Spam Policy (Quarantine Spam) - This is the default setting, and enables the quarantine as described above.

If you do not have a Manage My Account link, simply log in directly to the Proofpoint server at https://pps.cs.princeton.edu:10020/ using your Unix username and password to manage your account manually.

Before you opt out, though, CS Staff would very much appreciate an opportunity to address any issues you may have with the software. If it is doing something you don't like, or if it is not doing something you think it should, please let us know, as other users may feel the same way, and the issue may be correctable.

Why am I getting multiple Proofpoint digests, and what can I do about it?

There are a few possible reasons why you might receive more than one Proofpoint digest per day. In no particular order, here are the most likely cases:

  • You are receiving digests from both your CS and OIT email accounts. - OIT and CS have both deployed Proofpoint, and have necessarily done so separately. If you want to receive only one set of digests per day, you should opt-out of the quarantine feature for Proofpoint either at OIT or CS. Since both servers use essentially the same filters, this should result in all the same messages being caught by the server which you don't opt out of. Which service you opt-out of will depend on your personal preference and how you read mail.

    To opt-out of OIT's quarantine, please refer to their documentation at http://www.princeton.edu/spam/. Note that OIT does not offer a complete opt-out, just as we don't in CS. Setting your Proofpoint config to the "Score Only" option is functionally equivalent to an opt-out, though messages will still have headers added indicating Proofpoint's decision of whether the message is spam or not.

    To opt-out of the CS quarantine, please follow the instructions above in the Opt'ing Out section of this document.

  • You are receiving multiple digests each day from the CS Proofpoint server. - This is possible if there are aliases or mailing lists which point to your address. In some cases, CS Staff can adjust your entry in the Proofpoint server to limit the number of digests you receive. Please email csstaff@cs.princeton.edu for assistance.

Proofpoint removed an attachment from an email message.

Proofpoint removes file attachments based on the extension according to this rule:

Extension equals "386" or "3gr" or "add" or "ade" or "asp" or "bas" or "bat" or "chm" or "cmd" or "com" or "cpl" or "crt" or "dbx" or "dll" or "exe" or "fon" or "hlp" or "hta" or "inf" or "ins" or "isp" or "js" or "jse" or "lnk" or "mdb" or "mde" or "msc" or "msi" or "msp" or "mst" or "ocx" or "pcd" or "pif" or "reg" or "scr" or "sct" or "shs" or "shb" or "url" or "vb" or "vbe" or "vbs" or "vxd" or "wsc" or "wsf" or "wsh"

Notes:

  1. It is not possible to opt-out of executable attachment deletion.
  2. In addition to deleting based on file extension, Proofpoint will analyze the content and delete executables regardless of the extension.
  3. Proofpoint will look inside archives (e.g., tar, gzip, zip) and delete executable files.
  4. Deleted attachments are not recoverable.

See File Transfer for methods of transferring files without using email.
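Because deleted attachments are not recoverable, it can help to check a file before sending it. The following is an added example, not Proofpoint's own code: it models only the extension rule and the look inside zip archives (not tar or gzip, and not the content analysis in note 2), and it assumes matching is case-insensitive on the last extension. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions copied from the rule quoted above.
BLOCKED = frozenset(
    "386 3gr add ade asp bas bat chm cmd com cpl crt dbx dll exe fon hlp hta "
    "inf ins isp js jse lnk mdb mde msc msi msp mst ocx pcd pif reg scr sct "
    "shs shb url vb vbe vbs vxd wsc wsf wsh".split()
)

def extension(name):
    """Last extension of a file name, lower-cased ('' if there is none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def blocked_names(name, data=None, prefix="", depth=0, max_depth=3, max_bytes=10_000_000):
    """List the attachment and any zip members whose extension is on the list."""
    label = prefix + name
    hits = [label] if extension(name) in BLOCKED else []
    if data is None or depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only unpack members of bounded size, so a huge archive cannot exhaust memory.
            inner = zf.read(info) if info.file_size <= max_bytes else None
            hits += blocked_names(info.filename, inner, label + "!", depth + 1, max_depth, max_bytes)
    return hits

def make_zip(members):
    """Build a zip archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed sample archive with placeholder contents, including a nested zip.
SAMPLE = make_zip({
    "notes.txt": b"hello",
    "tools/setup.EXE": b"placeholder",
    "inner.zip": make_zip({"run.vbs": b"placeholder"}),
})

if __name__ == "__main__":
    print(blocked_names("bundle.zip", SAMPLE))
```

An empty result does not guarantee delivery, since Proofpoint also inspects file content regardless of extension.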

Proofpoint missed some spam. What can I do?

The CS Department filters quarantine almost 18,000 spam messages per day, as of October 2010. Inevitably, though, some spam messages will make it past the filters. There are a few options for dealing with missed spam. Obviously, one solution is to simply delete it. If that's not enough for you, here are a few more possibilities:

  • If you know how to forward the message with all original headers intact, you can forward it to Proofpoint's False-Negative address directly: fn@proofpoint.com
  • For repeat offenses from the same address, you can add them to your Blocklist in the Proofpoint End User interface: https://pps.cs.princeton.edu:10020/
  • If you're comfortable with filtering, you may wish to set up your own filters in Zimbra to catch particular messages.
  • Finally, if you are quite serious about reporting all of your spam, you can ask CS Staff to include you in the Spam Reporting group. Once we do this, all of your incoming email - both spam and non-spam - will be listed in your Proofpoint Digest. In this way, you can click "Report Spam" links next to your missed spam messages to easily report them to Proofpoint.
