Connecticut State Colleges & Universities
IT Support Center

Anti-Spam FAQ

Update August 2016: We are in the process of moving our Anti-Spam protection from Proofpoint to Microsoft Office 365, so your mailbox may be protected by one, the other, or both during the migration.

The questions below generally relate to the Proofpoint End User Digest. Refer to the Office 365 Email Security page for questions related to email security features in Office 365.

Answers:


  •   Can I export my Safe/Allow list out of Proofpoint and import into Office365?
  • No. The ability to export your Safe or Block list out of Proofpoint doesn't exist. However, you can have the lists emailed to you and then decide whether you want to add entries to your Office365 Safe Recipients/Blocked Senders list.

    To get your Safe/Blocked list, you can either request that it be sent to you from a Spam Digest you received in the past by clicking "Request Safe/Blocked Senders List", or you can log in with your email address to Proofpoint's Manage My Account: https://managespam.ct.edu:10020 and request one.

    We do not recommend re-using your Block list as block lists are time-dependent. We suggest rebuilding your block list as you receive unwanted email in Office365. However, you can refer to your block list to see if you may want to import items into your Office365 Junk list.

    Look at your Safe List to determine if there are any entries you would like to add to your Office365 Safe Recipient list. The options to manage your Safe Recipient/Blocked Senders list in Outlook are under "Junk E-mail Options".

  •  I've received a phishing warning message in an email that appears to be from a commnet.edu/ct.edu address. Why?
  • Some viruses try to trick users into opening an attachment or visiting a website by making an email message appear to come from the user's local system. You may see email messages that appear to come from "administrator@commnet.edu" or "system@ct.edu" that ask you, for example, to "open the following attachment for your new password so that you can access your files." These fake emails try very hard to get you to believe the email came from your local system so you click the link and go to a bad site where they will attempt to steal your personal information. This is known as phishing. Sometimes the site you visit even looks like real sites - your main login page, a bank or a real store.

    Virus writers can make their email appear to come from virtually any email address and can say very convincing things in the body of the email so that you think it is really a legitimate email. A common fake email we see is an email from administrator or help desk that tells you your mailbox has exceeded a limit and you need to click a link to update your account.

    In order to protect you from these tactics, when the anti-spam software detects that a message is being sent to one of our users from outside our system, yet has a "commnet.edu" or "ct.edu" address as the "From" address, it will attach the email and put the following message in the body of the email as a warning to the user:

    ------------------------------------------------------------------------------------------
    This notice is for your protection against phishing attempts, please read on.
    -------------------------------------------------------------------------------------------
    THE ATTACHED EMAIL CAME FROM OUTSIDE THE CONNSCU SYSTEM
    The attached email was from outside the ConnSCU network, yet the sender's email ends with "@ct.edu" or "@commnet.edu" making it appear it was from our network.

    WHY DO I NEED TO KNOW?
    A common tactic used to "phish" for personal information is to send an email making it appear as if it came from our network (i.e. the sender's email address ends in commnet.edu or ct.edu) and asks you to provide personal information (username, password) or click a link to fix a problem (mailbox is full, account was changed, etc). To alert you not to be fooled in cases where email is intentionally trying to trick you into providing personal information, we added this warning to these emails.

    CAN THIS BE A LEGITIMATE EMAIL?
    Yes, in certain circumstances, email is sent from external services (surveymonkey, Constant Contact, etc.) or outside services may be used by certain departments to send email blasts to their users. The email is made to appear to have come from a ConnSCU email address (i.e. @ct.edu). These types of emails are expected and you can open them. However, be cautious when you see this warning when an email asks you to provide personal information or click on a link to resolve an issue as described above as you know it came from outside our network. Be vigilant and ask your local IT before providing personal information like username or passwords when you receive a request via email with this warning on it.

    Note that this message will also appear on emails from a listserve when you or anyone from ConnSCU sends an email to the list.

    LEARN MORE
    More information can be found at: http://supportcenter.ct.edu/Service/anti-spam-faq.asp#Forged

    If you still have questions or concerns, please contact your local IT department.
    -----------------------------------------------------------

    Any email that appears to come from an "admin-like" commnet.edu or ct.edu account and also contains this message is most likely fraudulent.

    Since there are legitimate situations where this may occur as described in the warning, we allow the end user to decide what to do with these types of messages instead of assuming they are all fraudulent. That's why you get the warning.

    The original email message (a .msg file attachment) is attached to the warning and can be opened. As always, you should be cautious of any attachments the original message has and should make an educated decision on whether to open the attachment or not.
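The rule described in this answer, sketched as an added example (not the anti-spam product's own code): a message arriving from an external source whose From address ends in one of our domains is wrapped in a warning with the original attached. The internal relay range, the sample messages, and the choice to attach the original as message/rfc822 rather than a .msg file are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = ("commnet.edu", "ct.edu")           # domains named in the FAQ
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal relay range

WARNING = (
    "This notice is for your protection against phishing attempts, please read on.\n"
    "THE ATTACHED EMAIL CAME FROM OUTSIDE THE CONNSCU SYSTEM\n"
)


def from_domain(msg):
    """Domain part of the From header address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower().rstrip(".")


def claims_internal_sender(msg):
    """True when From ends in an internal domain (matching subdomains is an assumption)."""
    dom = from_domain(msg)
    return any(dom == d or dom.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_external(client_ip):
    """True when the connecting IP is outside every assumed internal network."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def screen_inbound(raw, client_ip):
    """Return (wrapped, message); wrapped mail carries the warning plus the original."""
    original = message_from_string(raw, policy=policy.default)
    if not (is_external(client_ip) and claims_internal_sender(original)):
        return False, original
    wrapper = EmailMessage()
    for name in ("To", "Subject"):          # headers kept on the wrapper: an assumption
        if original[name] is not None:
            wrapper[name] = str(original[name])
    wrapper.set_content(WARNING)
    wrapper.add_attachment(original)        # attached as message/rfc822
    return True, wrapper


def sample(sender, subject):
    """Build a constructed test message."""
    return f"From: {sender}\nTo: user@ct.edu\nSubject: {subject}\n\nbody text\n"


# Constructed samples: (raw message, connecting IP)
SAMPLES = {
    "forged_admin": (sample("Help Desk <administrator@commnet.edu>", "Mailbox full"), "203.0.113.25"),
    "listserve": (sample("colleague@ct.edu", "[list] agenda"), "198.51.100.7"),
    "internal": (sample("colleague@ct.edu", "Lunch?"), "10.1.2.3"),
    "outside": (sample("news@example.org", "Newsletter"), "203.0.113.25"),
    "lookalike": (sample("admin@ct.edu.example.net", "Reset"), "203.0.113.25"),
}

if __name__ == "__main__":
    for label, (raw, ip) in SAMPLES.items():
        print(label, "->", "warning added" if screen_inbound(raw, ip)[0] else "delivered as-is")
```

The listserve sample is wrapped even though it is legitimate, which is the case the warning text calls out. The lookalike sample is not wrapped because its address does not end in one of our domains.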

  •  How do I manage my safe and blocked lists?
  • Complete steps are found in the Anti-Spam End User Digest Help document, but here is a quick 1-2-3 of how to add an entry to your safe or blocked senders list:

    1. Use this link to go directly to your "Blocked Senders List" page of your Manage Spam Digest.
      -OR- Use this link to go directly to your "Safe Senders List" page of your Manage Spam Digest.
    2. Then, log in with your email address and your AD password.
    3. Enter the email address (e.g. bob@abc.org) or domain name (e.g. abc.org) and click Save.
    You can bookmark the above two links for quick access directly to the Safe and Blocked Senders List pages. But remember that both functions are available from your Manage Spam Digest page which can also be bookmarked.
  •  How do I request a full spam digest?
  • Complete steps on how to request a Full End User Digest are outlined in the Anti-Spam End User Digest Help document, but here is a quick 1-2-3 of how to request a full End User Digest:

    • If you still have an End User Digest in your inbox, you can simply click the "Request New End User Digest" link found at the top of your End User Digest.
    • -OR- Use this link to go to your Manage Spam Digest page and log in with your email address and your AD password. Then, under Options at the top, click "Request Digest".
    Check your inbox for your Full End User Digest.
  •  How do I get a message's Full Internet Headers?
  • When asked to provide a message's Full Internet Headers:

    Follow these simple steps for Outlook 2010 and later.

    1. From Outlook, double-click the email so that it opens the email content in its own separate window.

    2. In the separate window that opened showing your message content, make sure you are on the Message tab and then look in the Tags section - click the arrow icon in the lower right hand corner to open the message's Properties window.

    3. At the bottom of the Properties window, you'll see an Internet Headers field. Click anywhere inside that field, press Ctrl-A to select all the text, then press Ctrl-C to copy. You may close the Properties window.

    4. Now simply forward the message with the included Internet headers by first clicking Forward on the selected message, then click inside the body of the forwarded message and press Ctrl-V to paste the Internet Headers that were copied in the previous step. Forward that message to BOR-SupportServices@ct.edu.

    Follow these steps when in Office365:

    1. Select the message by either double clicking the message or viewing the message in the message preview.

    2. To the right of the message's information (Sender, Date, Recipients) you'll see a thumbs up icon and a drop down to the right of Reply options. Click the drop down arrow and select "View Message Details".

    3. Wait for the Message Detail page to populate, then click inside the window. Copy the Message Headers using Ctrl-A to select all and Ctrl-C to copy. Click Close.

    4. Click the down arrow again and this time select Forward, then press Ctrl-V to paste the headers you just copied into the body of the forwarded message. Forward that message to BOR-SupportServices@ct.edu.

  •  How does the Anti-Spam software work?
  • As email enters or exits via the Internet, it passes through an anti-spam filter. The anti-spam filter uses a complex algorithm to determine if an email is spam or not. Email can be rejected immediately if it is sent from known spam addresses. This accounts for close to eighty percent of our mail. As each mail is examined by the algorithm, a spam score is assigned to the message on a scale from 0 (not spam) to 100 (spam). Based on the spam score, an email message is then put into one of three categories:

    • Spam: spam scores between 98 and 100
    • Probable Spam:  spam scores between 50 and 97
    • Not Spam:  spam scores between 0 and 49

    Besides spam content, mail messages are also checked against a defined set of connection thresholds and criteria. An example of a connection threshold would be if a person on the Internet sent 7,000 copies of an email to commnet.edu users or attempted to open 500 concurrent connections to our mail servers. These would exceed connection thresholds that are defined to protect our mail servers from abuse or denial of service attacks.

    Twice a day, you will receive an email message from "SpamDigest@commnet.edu" which contains your quarantine. The quarantine contains a list of email messages that have been classified as Probable Spam. This email message is called an End User Digest. The email messages listed in the End User Digest have been quarantined and have not been delivered to your inbox.

    Click here to see a sample End User Digest.

    Note that messages classified as Spam are immediately deleted since they are, without a doubt, spam and there is no need to list them in the End User Digest. Not having spam clog the End User Digest makes it much easier for the end user to identify messages that fall into the middle category of "probable spam". A majority of "probable spam" is still going to be spam, but with a lower spam score, therefore will be listed in the End User Digest to give the end user the ability to review and release messages if desired.

    Messages classified as Probable Spam are what you will see in your End User Digest. Messages classified as Not Spam are delivered as expected to your inbox.

  •  How often do I receive End User Digests?
  • You will receive an End User Digest in your inbox twice a day, Monday through Friday at 8:00 AM and 3:00 PM. You will not receive an End User Digest if none of your mail has been determined to be spam (this is an "empty digest"). Note that you may have configured your anti-spam settings to have "empty digests" sent to you.

    The End User Digest displays a list of email messages that have been added to your quarantine since the last time you received a digest. They are sorted by their spam score so email messages that are more likely to be spam will be at the bottom of the list.

    At any time, you may request a digest that contains a list of all messages in your quarantine. The Full End User Digest is sorted by the date the email message was received. Steps on how to request a Full End User Digest are outlined in the Anti-Spam End User Digest Help document. Other than clicking the link to request a Full End User Digest from a previous Spam Digest you had in your inbox, you may click on this link to manage your anti-spam settings and request a Full End User Digest:

    https://managespam.ct.edu:10020

    Click here to see a sample End User Digest.

  •  Why am I receiving multiple End User Digests at one time?
  • If you are a member of a mail distribution list and that list receives spam, all members of the list will get an End User Digest that lists the messages that were quarantined for that distribution list. The actual distribution list name (email address) is displayed to the right of the ConnSCU logo at the top of the End User Digest.

    If you receive an End User Digest for a mail distribution list, you should report this to your local IT department. Please provide the actual list name (email address) that is displayed to the right of the ConnSCU logo at the top of the End User Digest. Once the Proofpoint administrators have made the appropriate change, individual members of the mail distribution list will no longer receive a separate End User Digest for that list.

    NOTE: Local IT Admins will work with the owner of the mail distribution list to determine who will manage the spam for that distribution list and will need to open a request with BOR Support Services to have that user take spam ownership for that distribution list in Proofpoint.

  •  What can I do with an End User Digest?
  • When you receive your End User Digest in your inbox, you can quickly review the subjects, spam scores and the sender's email address of messages in the quarantine. No further action needs to be taken on the spam that used to clog your inbox. Messages will automatically be removed from your quarantine after 7 days if no action is performed.

    If you wish to release a message from your quarantine, you may do so without the aid of a system administrator by following the steps outlined in Anti-Spam End User Digest Help document.

  •  How long does a message stay in the quarantine?
  • Messages in the quarantine will automatically be deleted in 7 days if no action is taken to retrieve the particular message.

  •  How much mail is spam vs. not spam?
  • Reporting performed on the email flow revealed that currently 94% of our email is rejected before even reaching our inboxes. The following 2 charts detail the breakdown of our email:

    Back in 2006, Spam accounted for 69% of our mail! Most of our mail today is blocked by looking at the sender's IP address and blocking those that come from IP addresses that are known to only send spam. A small percentage of mail being sent to us is classified as spam by looking at the content and a small percentage of what is left makes it into either your quarantine or in your inbox.

    The anti-spam solution is making a difference in everyone's inbox by removing messages determined to definitely be spam and quarantining for review only the mail that could potentially be spam. Over a period of 30 days, that's close to a billion messages that do not have to be delivered to our inboxes!

  •  Why am I still receiving spam in my inbox?
  • Even though the anti-spam software is filtering close to 300,000 messages a day, you may still receive spam that gets classified as Not Spam and is being delivered to your inbox. Our goal in implementing the anti-spam filter is to reduce the over 90% of mail that is definitely spam and is classified with the highest spam scores. It is impossible to capture 100% of the spam without misclassifying a percentage of real email as spam. A real email that is accidentally classified as spam is referred to as a "false positive".

    Therefore, you may still receive a small percentage of spam in your inbox that is mislabeled as Not Spam. The anti-spam filter adjusts its spam filters over time, "learning" new spam definitions, and will eventually correctly identify it as Spam. Therefore, you do not need to report spam that you see in your inbox to anyone, as a small percentage of spam is expected.

  •  What is the Safe/Blocked Senders List?
  • Safe and Blocked Senders Lists are lists of email addresses that you want to have handled differently. Email from addresses on your Safe List will never be quarantined in your spam quarantine or removed, even if it has been classified as Spam or Probable Spam.

    Email from addresses on your Blocked List will never be sent to your inbox, even if it has been classified as Not Spam. Click here to see a sample Safe/Blocked Senders List.

    You can request a copy of your Safe and Blocked Senders Lists or add or remove email addresses from either list at any time. Steps on how to request a copy of your Safe/Blocked Senders List and add entries onto either list are outlined in the Anti-Spam End User Digest Help document.

  •  How Should the Blocked Senders List be Used?
  • Blocked Senders Lists are used to block legitimate but undesirable bulk email (such as newsletters, etc.) that you've tried to opt-out of but continue to receive regular mailings from.

    You may think to use Blocked Senders Lists as a way to combat the small amount of spam that makes its way to your inbox. In fact, Blocked Senders Lists are ineffective when used this way, because spammers constantly change who the spam comes from (e.g. you may see a spam that comes from vaigar@userpost.isp.district.de one day and cialus2@userpost.isp.district.de the next). Both might appear to come "from" president@commnet.edu, and adding the "from" of that spam to your Blocked Senders List will not stop future forged spam, such as when they make it appear to come "from" vicepresident@commnet.edu. Spammers choose who the message appears to come from out of a hat, and it's most likely never going to be the same thing twice, so blocking it is ineffective.

    The best method to fight that small amount of spam is to just delete it from your inbox. Over time, the anti-spam software will take care of the spam by learning the characteristics of how it made it past the filter.

    Only use the Blocked Senders List as a way to block newsletters, mailing lists, etc. that are legitimate (i.e. not spam) but are undesirable. If you wish to add an email to your Blocked Senders List, just copy and paste the email address you see in the "from" field of a newsletter email into the list, and any mail that appears to be coming from that address will be blocked in the future.

  •  I used to have Safe/Blocked Senders in my list - where did they go?
  • Safe/Blocked Senders Lists may be removed if changes to your account occur in the AD environment. Safe and Blocked Senders lists are attached to your email address in the Anti-Spam user database. Each night, the user database is created from active accounts in the college's AD environment. In order to keep the user database up-to-date when accounts are removed or modified (such as when someone gets married and changes their email address), it is possible for your account to be removed from the user database if it is not found in the AD environment (or is inactive).

    When accounts are removed from the Anti-Spam user database, all Safe and Blocked Senders lists for that user are removed as well. If your account is re-added later, you will begin to get End User Digests and be protected by the anti-spam software, yet the Safe and Blocked Senders lists you had when your account was removed/renamed are lost.

    This isn't such a bad thing, because most entries in Blocked Senders Lists age out over time and hence entries you added last year are probably ineffective by now. You would have to recreate your Safe Senders/Blocked Senders List if they are removed.

  •  What is the check box next to each email address in my Safe/Blocked Senders List?
  • This does not indicate whether an email address in your Safe or Blocked Senders List is active. It is used to select email addresses in order to edit or delete entries from your list.

    If you want to edit an email address, check the check box next to the email address and select Edit in the menu bar at the top. You will then be able to edit the selected email address.

    If you want to delete a single or multiple email addresses, check the check box next to the email addresses you want to delete and select Delete in the menu bar at the top of the window. All the entries that were selected are then deleted.

  •  What about lost email?
  • Depending on which spam category your email message was placed into, your message will either be found in your inbox or in your quarantine. Only mail messages that have the highest spam scores (98 - 100) are removed from the system. Any messages that may be spam or could be spam are sent to your quarantine for review. You will receive an End User Digest in your inbox twice a day with all your messages that are in your quarantine since you last received a digest, if any.

    If you identify a message in the quarantine that is not spam, you can release it from the quarantine area and it will be sent to your inbox. If you want, you can also add users to your own Safe list so that email from these users will never be tagged as spam. Steps to perform both of these actions are outlined in the Anti-Spam End User Digest Help document.

  •  What kind of attachments are stripped and why?
  • The Anti-spam software strips very large attachments as well as certain file types that are known to be inherently insecure or are commonly used to spread viruses. Most of these file types are not commonly used in typical email communications for sending pictures, videos, etc. They are typically system files such as .exe, .dll, .inf, .pif or .scr files, so stripping these files most likely will not affect everyday email communication. But you may run into certain file types, such as .mdb files that are used in classroom settings, that are also stripped due to their inherent insecurity.

    For security reasons, we do not list all the file types that will be stripped, yet you will know if it was stripped because a footer will be added to the message body similar to this text:

    ------------------------------------------------------------
    NOTE: This email included an attachment that has been stripped due to the inherent security risk associated with certain types of file.
    For more information see the Anti-Spam FAQ item: http://www.commnet.edu/it/security/anti-spam-faq.asp#Attachments
    -------------------------------------------------------------------

    If a compressed archive (.zip, .rar) contains files that will be stripped, the entire archive will be removed, so compressing them will NOT allow them to pass the filter. Due to how the software identifies files that will be stripped, a footer (shown above) will be appended to the email message for each such file it found in the archive.

    Use another method to transport these files such as FTP or HTTP if there is a need to get these files to/from a ConnSCU system.

    NOTE: The software will strip these files based on the type of file that it is, not just the extension used to name the file. Therefore, renaming the files to another extension will NOT allow it to pass the filter.

    NOTE: Once an attachment is stripped, it cannot be retrieved.
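Why renaming or zipping a file does not get it past a content-based filter, shown as an added example (not the anti-spam product's code): the check reads the leading bytes of each attachment and of each archive member instead of trusting the file name. The two signatures, the treatment of unreadable archives, and the sample attachments are assumptions chosen for illustration, since the FAQ does not publish its list.

```python
import io
import zipfile

# Assumed signatures for illustration only.
BLOCKED_MAGIC = {
    b"MZ": "Windows executable (.exe/.dll/.scr)",
    b"\x00\x01\x00\x00Standard Jet DB": "Access database (.mdb)",
}
ZIP_MAGIC = b"PK\x03\x04"
HEAD = 32  # bytes examined at the start of each file

FOOTER = ("NOTE: This email included an attachment that has been stripped due to "
          "the inherent security risk associated with certain types of file.")


def blocked_type(head):
    """Return a label if the leading bytes match a blocked type, else None."""
    for magic, label in BLOCKED_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def inspect_attachment(filename, data):
    """List every blocked file found; the file name and extension are never consulted."""
    hits = []
    label = blocked_type(data[:HEAD])
    if label:
        hits.append(f"{filename}: {label}")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(HEAD)   # only the header is decompressed
                    label = blocked_type(head)
                    if label:
                        hits.append(f"{filename}!{info.filename}: {label}")
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # Assumption: an archive that cannot be inspected is stripped.
            hits.append(f"{filename}: archive could not be inspected")
    return hits


def filter_message(body, attachments):
    """Strip flagged attachments whole and append one footer per blocked file."""
    kept = []
    for name, data in attachments:
        hits = inspect_attachment(name, data)
        if hits:
            body += ("\n" + FOOTER) * len(hits)
        else:
            kept.append(name)
    return body, kept


def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: inert bytes that only carry the signatures.
FAKE_EXE = b"MZ" + b"\x00" * 62
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
ATTACHMENTS = [
    ("photo.jpg", JPEG),
    ("holiday.jpg", FAKE_EXE),   # executable renamed to .jpg
    ("bundle.zip", make_zip({"a.txt": b"hello", "tool.scr": FAKE_EXE, "pic.jpg": FAKE_EXE})),
]

if __name__ == "__main__":
    body, kept = filter_message("Hi, files attached.", ATTACHMENTS)
    print("kept:", kept, "| footers added:", body.count(FOOTER))
```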
  •  What does the error: "Message No Longer Available" mean?
  • You are trying to release a message that no longer exists in your quarantine. Messages are removed from your quarantine after 7 days and you cannot release them anymore. To see what messages are available for releasing, request a Full End User Digest. Steps on how to request a Full End User Digest are outlined in the Anti-Spam End User Digest Help document.

  •  Why is there a "quarantine" folder in my Outlook folder list?
  • You may have a folder labeled "quarantine" in your Outlook folder list if your Outlook anti-virus software is configured to use such a folder. Having this in your Outlook folder list is a result of an Outlook anti-virus product, not this anti-spam software. This is not the same quarantine that is referred to in these documents.

    Your anti-spam quarantine resides on the anti-spam server and not in your Outlook folders. The only access you have to your anti-spam quarantine is through your End User Digests that are emailed to you.

  •   How do I convert Safe and Blocked Senders from Outlook's Junk E-Mail feature?
  • Steps are outlined in this procedure.

  •  Where can I go for more information?
  • For step-by-step instructions on how to use the End User Digest, refer to the Anti-Spam End User Digest Help document.

    For general anti-spam information, refer to the Anti-Spam Information document.

    If your question is not answered in this FAQ, contact your local IT department. They will help handle the problem or contact the BOR Service Desk on your behalf to solve the problem.