[unisog] SPAM Filtering policy?
William D. Colburn (aka Schlake)
wcolburn at nmt.edu
Wed Jul 31 21:59:47 GMT 2002
Um, I want to start by saying that notifying the "sender" of a virus
that you quarantined "their" virus is probably called "spamming" because
the "sender" is forged more often than not. Reject the mail that
contains the virus at the SMTP transaction level, and let the remote MTA
deal with the problem using the envelope sender instead of the names
listed in the headers.
As for spam...
Our "policy" here is actually just a description of how our anti-spam
filter works; i.e., the steps it takes and the choices it makes. The
primary design goals of the anti-spam filter are to have no false
positives and a method of guaranteed delivery in case valid email is
incorrectly marked. Another goal is that our mail server will not be
dependent upon the whims of an outside entity. We use no blacklists
because we don't control them, and thus we don't trust them. We use no
automatically updated outside spam rules because we didn't make them, we
don't control them, and thus we don't trust them.
No (paper-pushing) administrator has ever asked me for a formal policy to
define how the filter should work, but they often ask me to put a stop
to email they are receiving. Part of it is culture. I work in a place
where policies are handed down via oral tradition, and never put on
paper. It has its good sides, and its bad sides.
For suggestions, I'd say:
1) mail to postmaster must be deliverable no matter what
2) the speed and reliability (deliverability) of email are more
important than the "signal to noise" ratio
3) spam rules which block legitimate email must be removed
(you could apply a threshold, like more than 1 out of 100000)
On a non policy level, think really hard about something before you do
it. People don't like to lose email. Many of the commercial solutions
are downright terrible, but have a great ad campaign behind them. Read
comp.risks for lots of good information on the dangers of doing this.
Blocking "bad" words, for instance, is dangerous since they appear
haphazardly in base64 encodings. Blocking email that doesn't contain a
certain threshold of English words is bad since lots of legitimate
email comes from abroad to non-English-speaking students.
On Wed, Jul 31, 2002 at 03:02:45PM -0400, Lois Bennett wrote:
> I have been asked to draft a SPAM filtering policy. Could you tell me
> what you do along those lines and what type of policy is in place
> especially in an academic environment? We are experimenting with
> using spamassassin to mark spam but we are currently delivering
> everything except virus laden mail. Virus infected mail is
> quarantined and the sender notified.
> Any suggestion will be appreciated.
> Thank you all,
> Lois B. Bennett
> Senior System Administrator
> Div. of Engineering & Applied Sciences, Harvard University
> 33 Oxford Street - MD G109, Cambridge, MA 02138
> (617) 496-5357, FAX: (617) 588-0238
> lois at deas.harvard.edu
> Treasurer, USENIX Association
> lois at usenix.org
William Colburn, "Sysprog" <wcolburn at nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
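The "bad words in base64" hazard from the message above, as an added example in Python that is not part of the original post or of any filter the author runs. It contrasts a naive keyword scan over the raw RFC 822 text with a MIME-aware scan that decodes each part and looks only at text/* content. Both sample messages and the two-entry word list are constructed for the demo; the attachment bytes were chosen so that their base64 encoding contains one of the listed words, which is exactly the kind of coincidence the post warns about. The second message goes slightly beyond the post: it shows the mirror-image failure, where a base64-encoded text body hides a listed word from the raw scan.

```python
"""Keyword spam filtering: raw-text scan vs. MIME-aware scan.

Added illustration of why matching 'bad' words against raw message text
misfires on base64-encoded content. Everything below is constructed.
"""
import base64
import re
from email import message_from_string, policy

# Hypothetical word list for the demo, not anyone's real filter rules.
BAD_WORDS = ("viagra", "sex")
WORD_RE = re.compile("|".join(re.escape(w) for w in BAD_WORDS), re.IGNORECASE)

# Constructed sample 1: a legitimate message with a small binary attachment.
# The nine attachment bytes were picked so that their base64 form is
# "AAAAsexAAAAA", i.e. the encoding happens to contain a listed word.
LEGIT_WITH_ATTACHMENT = """\
From: alice@example.edu
To: bob@example.edu
Subject: lab data
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Attached are the readings from this morning.
--b1
Content-Type: application/octet-stream; name="readings.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readings.bin"

AAAAsexAAAAA
--b1--
"""

# Constructed sample 2: a spam message whose text body is itself
# base64-encoded, as many mailers (and most spammers) send it.
SPAM_BASE64_BODY = """\
From: promo@example.net
To: bob@example.edu
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: base64

""" + base64.b64encode(b"buy cheap viagra today").decode("ascii") + "\n"


def naive_hits(raw: str) -> list[str]:
    """Scan the raw message text: headers, boundaries and encoded bodies
    included. This is the approach the post warns against."""
    return sorted({m.group(0).lower() for m in WORD_RE.finditer(raw)})


def mime_aware_hits(raw: str) -> list[str]:
    """Parse the MIME structure, undo the transfer encoding of each part,
    and scan only parts whose declared type is text/*."""
    msg = message_from_string(raw, policy=policy.default)
    found: set[str] = set()
    for part in msg.walk():
        # multipart containers have no body of their own; binary
        # attachments are not prose, so neither is scanned for words.
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()  # base64/QP removed, charset applied
        found.update(m.group(0).lower() for m in WORD_RE.finditer(text))
    return sorted(found)


def verdict(raw: str) -> dict[str, list[str]]:
    """Return both scanners' hits side by side for one message."""
    return {"naive": naive_hits(raw), "mime_aware": mime_aware_hits(raw)}


if __name__ == "__main__":
    for name, raw in (("legit+attachment", LEGIT_WITH_ATTACHMENT),
                      ("spam, base64 body", SPAM_BASE64_BODY)):
        print(f"{name}: {verdict(raw)}")
```

Run stand-alone, the legitimate message is flagged only by the raw scan (a false positive caused purely by the base64 alphabet), while the spam with an encoded body is caught only by the MIME-aware scan. Decoding before matching is the minimum a keyword rule needs; the post's broader advice, that such rules still deserve a no-false-positive budget and a guaranteed delivery path, stands regardless.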