Email content scanning services from IT Services

1. Introduction

All email arriving at Oxford will come either to one of the central mail relays managed by IT Services, or directly to a departmental server. Collectively the central relays are known as the Oxmails and route practically all mail traffic into and out of the University.

There are a number of features in the Oxmails to enable basic filtering of a proportion of the viruses and junk mail that users receive. Viruses can be quite destructive and are typically distributed through being attached to emails. Junk mail is the cause of a large number of complaints, both from within and outside the University. It is a great waste of computing resources and staff time, both at the originating and the receiving site.

2. An overview of the Oxmail features

As described above, the Oxmail service scans for both junk mail content and virus payloads in email messages. In addition to this, the current identification of mail from suspicious sources on the Internet (known as RBL Warnings) is still in place.

When the ClamAV software reports an attached virus we can be certain of its existence because the techniques used to identify viruses are precise and virtually foolproof. It is with this reasoning, and also because viruses pose the most destructive threat to the University's IT resources, that all email messages containing viruses are rejected. A message is returned to the sender of the email telling them that it has been destroyed and did not reach its intended recipient(s).

By contrast, the process of identifying junk mail content is quite imprecise, as the software must interpret the meaning of sentences within an email message. Because of this no other emails will be rejected, and instead the Oxmails assign a score to each of your email messages. With a higher numerical score a message is more likely to be junk mail. Conversely the lower the score (it may even be negative), the less likely a message is to be junk mail.

IT Services can add information to emails such as a junk mail score or RBL warnings because there is an additional portion of an email message that you do not normally see in your email client. This section contains what are known as Headers, which are messages or instructions to your email client software. Here is an example of the Headers we might add to a suspicious message:

            X-Oxmail-Spam-Status: score=12.0 tests=NIGERIAN_BODY, OX_PTR_MISSING, OX_RBL_SPAMCOP, RISK_FREE, SUBJ_ALL_CAPS
            X-Oxmail-Spam-Level: ************

Don't worry if you can't understand these messages; your email client software will do this for you. You can see in the second of the two Headers that there are twelve stars, meaning that this email was given a junk mail score of twelve. The score is a number between -100 and +100. It's not likely that you will ever see a score of more than around forty, and most legitimate mail should receive a score of less than five. Please note that a score of / effectively represents 0 (this is inferred by the absence of any stars). We don't bother generating a spam score for large messages because they would consume a lot of system resources and are unlikely to be junk.

The next section describes how you can take advantage of the appearance of these Headers in your email messages.

3. How to take advantage of these features

Most e-mail clients have the capacity to identify messages sent from particular people, places or those containing specific words or phrases. For instance, you can move all incoming mail from a particular friend into its own folder. Or you could set a rule to delete messages from certain people or organizations. More details on this are given in our email filtering pages.

These same filtering options can be used to identify an X-Oxmail-Spam-Level Header and then do something with the email message. IT Services recommends that you move suspicious messages into a separate mail folder (perhaps named junk-mail) and check them around once a week before emptying the folder.

We advise a brief visual check because the nature of the scanning techniques means that a very small number of emails you actually want may be scored highly by our system. A good example of this is marketing emails for Amazon customers that are often mistaken for other unsolicited sales messages. You don't need to read the content of a message to check it - just look at the sender and subject and anything that you want should be easily identified.

In order to filter your emails, you need to create special rules in your email client software that can be applied to your incoming messages. IT Services suggests the following:

  • Any email message that contains a given number of stars in an X-Oxmail-Spam-Level Header

The [Rules] options are typically found within the [Tools] or [Edit] menu in your email client program. There are details of this on our email filtering pages; for more help please contact your local IT support officer in the first instance, or contact the Help Centre using the Contact Form. Briefly, however, you would create rules to match on the Header names if you can, or the content of any available Header if you can't be specific. For example you could match on the text "**********" to catch messages with a score of 10.0 or above. Take a look at the previous section if you cannot recall what the Headers might look like.

The following section aims to answer other questions you might have about this service.

4. Some questions and answers

Can IT Services delete messages above a certain junk mail score on my behalf?

The central mailserver, Nexus, provides facilities to automatically filter or delete messages above a specified junk mail score via its Nexus account settings page. Many email clients provide similar options.

However, it must be emphasized that great caution should be used when setting levels for automatic deletion as these emails can never be restored.

The automated process by which an email message body is scanned cannot provide a definite result in the same way that a human reader would be able to. There are what are known as "false positives" and "false negatives" whereby the scanning software wrongly identifies legitimate email as junk or vice versa. For this reason IT Services will not delete mail unless you request it by activating the features mentioned above.

How do I configure my email client software to filter using these new Headers?

The [Rules] options are typically found within the [Tools] or [Edit] menu in your email client program. For specific instructions please contact your local IT support officer in the first instance, or contact the Help Centre using the Contact Form. Briefly, however, you would want to create rules to match on the Header names if you can, or the content of any available Header if you can't be specific. For example you could match on the text "**********" to catch messages with a score of 10.0 or above.

What junk mail score threshold should I choose?

If you decide to use the X-Oxmail-Spam-Level Header as the basis for a filter, you need to decide the threshold above which to act. If you choose a number that is too low, some of your legitimate email (with a low score) will be classified as junk mail. Similarly, a high threshold may protect all of your legitimate messages but will let more junk mail slip through into your Inbox.

The software we use to scan your messages is called The Apache SpamAssassin Project and its developers recommend a default threshold of five. However, if the concept of mail filters and junk mail scoring is new to you we recommend you begin with a more conservative setting of ten, in order that you don't get caught out. Over time you can reduce the threshold to a value that suits the type of email you receive as you become more comfortable with the system.
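An added example, not part of the original page or of IT Services' tooling: Python that reads the two Oxmail Headers and picks a folder for a given threshold, covering both the filter rule from section 3 and the threshold choice discussed above. The function names and sample messages are constructed for illustration; the junk-mail folder name follows the suggestion in section 3.

```python
import re
from email import message_from_string

def spam_level(msg):
    """Star count from X-Oxmail-Spam-Level; None if the header is absent or malformed."""
    value = msg.get("X-Oxmail-Spam-Level")
    if value is None:
        return None                      # no score was added (e.g. a large message)
    value = value.strip()
    if value == "/":
        return 0                         # "/" stands for a score of 0 (no stars)
    return len(value) if value and set(value) == {"*"} else None

def spam_status(msg):
    """(score, [test names]) from X-Oxmail-Spam-Status; (None, []) if absent."""
    value = msg.get("X-Oxmail-Spam-Status", "")
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", value)
    tests = re.search(r"tests=(.*)", value, re.S)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return (float(score.group(1)) if score else None, [n for n in names if n])

def choose_folder(msg, threshold=10):
    """File into junk-mail only when the Header itself carries >= threshold stars."""
    level = spam_level(msg)
    return "junk-mail" if level is not None and level >= threshold else "INBOX"

# Constructed sample messages; the first reuses the Header example from section 2.
SAMPLES = {
    "flagged": message_from_string(
        "Subject: URGENT\n"
        "X-Oxmail-Spam-Status: score=12.0 tests=NIGERIAN_BODY, OX_PTR_MISSING, "
        "OX_RBL_SPAMCOP, RISK_FREE, SUBJ_ALL_CAPS\n"
        "X-Oxmail-Spam-Level: " + "*" * 12 + "\n\nbody\n"),
    "borderline": message_from_string(
        "Subject: Offer\nX-Oxmail-Spam-Level: " + "*" * 7 + "\n\nbody\n"),
    "zero": message_from_string(
        "Subject: Minutes\nX-Oxmail-Spam-Level: /\n\nbody\n"),
    # Stars in the body but no Header: a rule tied to the Header name ignores these.
    "stars_in_body": message_from_string(
        "Subject: Rota\n\n********** rota for next week **********\n"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        # Columns: name, star count, folder at threshold 10, folder at threshold 5
        print(name, spam_level(msg), choose_folder(msg, 10), choose_folder(msg, 5))
```

The "borderline" message shows the trade-off: it stays in the Inbox at the conservative threshold of ten and moves to junk-mail at SpamAssassin's default of five.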

Why have I been told that IT Services is not able to scan my email?

The Oxmail relays handle a lot of the University's email, but by no means all. Some departments or colleges have opted out of using our relays completely. Others may use the Oxmails for their incoming, but not their outgoing mail, or vice versa. Email that does not pass through the Oxmails will not be scanned. If this is the case you should consult with your local IT support to arrange alternative means of scanning your email messages for viruses.

Will email messages take longer to reach me now they are being scanned?

No, this should not be the case. IT Services has put considerable monetary expense and design effort into making sure the new scanning system will cope with the current volume of email for the University, as well as the inevitable future increases. The system will gracefully handle periods of excessive throughput of email messages, and hopefully also the malicious mail-bombing attacks that we receive from time to time. Currently well over 90% of email messages are relayed within a few seconds, and our tests have shown that the new system performs equally well even though it is scanning for viruses and junk mail.

Can I avoid having an attachment scanned?

Yes, this is possible. The antivirus software is not able to expand Zip files that have been created with a password. If you therefore add a password to the Zip file (even if it is something simple such as a single character or small word), that part of the message will not be scanned.

Which legislation covers the interception of email messages?

Primarily this is attended to by the recent Regulation of Investigatory Powers Act 2000, which concerns communications on a private or public telecommunications network. This of course includes an individual's email communications via the Internet.

Specifically, the Act provides that communication by individuals may not be intercepted or monitored unless, amongst other things, the interception is permitted under the Telecommunication (Lawful Business Practice) (Interception Of Communications) Regulations 2000. These Regulations provide for circumstances where an employer or institution is able to intercept and monitor communications to protect against viruses. The institution must make all reasonable efforts to inform individuals that interception may take place, even though express permission is not required.

Other legislation such as the Data Protection Act 1998 and the Human Rights Act 1998 has been incorporated into our policies. You should also be aware that by using University provided IT facilities (not only an email account but also the network itself) you are subject to Oxford University's own Regulations Relating to the use of Information Technology Facilities which can be found at the following location:

which of course forbid the introduction of a virus into the University network.

Will you be keeping any records about the senders of viruses?

Not in any meaningful or organized way, or any way that we plan to make use of. As part of the natural function of mail relay software, logs are produced detailing messages that have arrived and messages that leave the relays. The additional software that scans messages for viruses will log the name of the virus and the supposed sender and recipient of the message.

Because a number of Internet worms forge the sender address when they distribute themselves, and also because we expect that Sophos will be widely installed within the University, we do not plan to collate or publish any lists of virus senders (or recipients). For administrative purposes we do track the number of each type of virus caught but this data is anonymized.

I still don't understand! Who can help me?

If this document has not answered all your questions, or you are still confused by some part of the new system, please feel free to contact the Help Centre, using the Contact Form, with a description of your problem. Again we stress that there should be no adverse effects from the scanning processes. You will be safer for not receiving viruses, and email client programs will ignore the additional Headers if they are not configured to respond to them.

Do you have more information on ....?


Written by IT Services. Latest revision 18 October 2017