
Spam filtering at UCT

Spam (also known as unsolicited bulk email, junk mail, or unsolicited commercial email) is the practice of sending unwanted email messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. Some spam can also include malware (malicious software) or viruses that are loaded onto your computer without your knowledge and run against your wishes.

This article describes the methods that UCT has put in place to try to combat this scourge.

Phase 1:
Inbound Lockout
Spoof attempts, i.e. where legitimate UCT email addresses are impersonated by non-UCT users, are blocked. In this way, if a spammer falsifies their sending address to masquerade as an internal domain address, the email will be rejected.
Phase 2 and 3:
Blocked Senders
This phase restricts messages to or from specific email addresses or domains.
 
Phase 4 and 5:
Permitted Senders
For permitted senders, all spam checks (reputation-based and content-based) are bypassed; anti-virus checks are not. If an email address or domain is in both the Permitted Senders and Blocked Senders phases, the Blocked Senders phase will be applied first and the email will be rejected.
Phase 6:
Auto Allow
When an internal user sends an outbound email, the system captures the recipient's email address and adds it to a database known as Auto Allow. When the same recipient sends an inbound email to a UCT user, the recipient's email address is checked against the Auto Allow database and if a match is found, the inbound email will be allowed through without applying additional spam reputation checks and content checks - similar to a Permitted Sender - although virus checks are still applied.
Phase 7:
IP Reputation Checks
A Real-time Blackhole List (RBL), which contains the IP addresses of known malware senders, is applied.
A further IP reputation check functions as a global network outbreak detection system for both known and unknown outbreaks. This reputation service temporarily defers connections if they are suspected to have a bad reputation.
Phase 8:
Greylisting
Compliance checks are applied to the sender's mail server for all connections not previously seen by the system. The system returns a busy signal, which prompts the sending server to retry the email delivery after 1 minute. If the sender's mail server retries the connection, the email is processed. If the email is not retried within 12 hours, the email connection is dropped and rejected.
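The greylisting decision described above, as an added example that is not UCT's own code. It assumes connections are keyed on (sending IP, envelope sender, recipient), that a retry earlier than 1 minute is deferred again, and that a retry arriving after 12 hours is treated as a first contact; all addresses are constructed.

```python
from dataclasses import dataclass, field

RETRY_AFTER = 60           # page: sender is prompted to retry after 1 minute
RETRY_WINDOW = 12 * 3600   # page: the retry must arrive within 12 hours


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # key -> time of first attempt
    known: set = field(default_factory=set)      # keys that retried correctly

    def check(self, ip, mail_from, rcpt_to, now):
        """Return 'defer' (busy signal) or 'accept' for one delivery attempt."""
        # Assumption: the conventional greylisting triplet identifies a connection.
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.known:
            return "accept"                      # previously seen: no delay
        first_seen = self.pending.get(key)
        if first_seen is not None and now - first_seen > RETRY_WINDOW:
            del self.pending[key]                # window missed: start over
            first_seen = None
        if first_seen is None:
            self.pending[key] = now              # first contact: ask for a retry
            return "defer"
        if now - first_seen < RETRY_AFTER:
            return "defer"                       # assumption: early retry waits
        del self.pending[key]
        self.known.add(key)                      # compliant retry: process email
        return "accept"

    def expire(self, now):
        """Drop attempts never retried within the window and return their keys."""
        stale = [k for k, t in self.pending.items() if now - t > RETRY_WINDOW]
        for k in stale:
            del self.pending[k]
        return stale


def demo():
    g = Greylist()
    a = ("192.0.2.10", "alice@example.org", "staff@example.edu")  # constructed
    b = ("192.0.2.99", "bulk@example.net", "staff@example.edu")   # constructed
    results = [
        g.check(*a, now=0),      # first contact
        g.check(*a, now=30),     # retried too soon
        g.check(*a, now=90),     # compliant retry
        g.check(*a, now=5000),   # later mail from the same connection
        g.check(*b, now=0),      # sender that never retries
    ]
    return results, g.expire(now=RETRY_WINDOW + 1)
```

Compliant mail servers queue and retry on a temporary failure, so the cost to legitimate senders is a delay on first contact only.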
Phase 9:
Recipient Validation
Prevents delivery of inbound emails with invalid recipient addresses.

 
Phase 10:
Emails moved to the scanners
  1. Spam scanning: Multiple content-based, heuristic scanning engines are used. These engines examine the content of emails and look for key phrases and other identifiers commonly used by spammers. These include content-matching rules and DNS-based, checksum-based and statistical filtering definitions. Depending on the policy configured, if a match is found, the email is held for review.
  2. Virus scanning: Malware protection software combined with intelligence gathered from millions of commercial and freeware users is employed (this includes signature and heuristic detection technologies).
Phase 11:
Attachment scanning
Attachment policies are configured to look for certain attachment types and sizes. UCT blocks a number of attachment types that are considered dangerous, as they may contain malicious content such as viruses.