Questions about this or any other IT matter should be directed to the IT HelpDesk.

Morehouse College Email Scanning

If you got an email saying to come here to figure out how to undo something the mail scanner did to your email, check here for info.

What is scanned? Why?

All email that passes in or out of Morehouse by way of its mail servers is scanned. This includes anything sent via an SMTP server from Morehouse and anything destined for an address @morehouse.edu or @students.morehouse.edu. The purpose of the scan is to identify potentially harmful or undesirable email or email parts and make them less harmful or easier to identify. Basically, the system is looking for email worms and viruses and for spam (unsolicited commercial email). Viruses are removed; spam is tagged and/or removed.

How is it scanned? Scanned by what?

As each email enters the mail server, it is written to a special queue where it awaits scanning. A piece of scanning software (the most excellent MailScanner package) looks for things written to that queue, runs them through several virus and spam identification programs, and spits the clean (or cleaned) email into another queue. The mail transport software finds it there and delivers it. Each piece of email is scanned by a collection of virus scanners and by a bunch of spam identification routines (SpamAssassin).

Emails simply cannot get around this scanning feature: they will be scanned. That does not mean, however, that the scanning software will make correct identifications every time. Some viruses will slip through. Some valid email will be stopped or modified. It's inevitable. There is no human interaction with the per-email scanning unless something goes horribly wrong. (We didn't hire a bunch of folks to read each email and pass judgement on it.)

What is modified?

Emails that are identified as viruses with no valid content are dropped. Emails containing attachments that have viral content are cleaned and sent on, or, if cleaning is not possible, are held for further processing. If problems are found, the Subject: line of the email will be modified and the contents of the email may be altered. Depending on the virus, the sender may be notified.

Each email is scanned for attachments, too. If attachments of a dangerous sort are found, they are removed and the sender is notified. Basically, "dangerous" attachments are those that could pose problems on Windows systems; things with extensions like .EXE and .PIF and .SCR.

Each email is scored according to its spamminess. The software looks for certain words and phrases in the email and, if they are found, increments or decrements the score accordingly. Anything with a Subject: line like "Make money fast!" will get a high score. If the score is higher than 5, we're pretty sure it's spam, so it gets a Subject: tag of {Spam?}; if it's higher than 13, we're so confident it's spam that we actually delete it before anybody ever sees it. (Users who do not want their spam deleted can opt out of that by emailing the HelpDesk.) In addition, each email gets a header that shows more or less what the spam score was: X-Morehouse-Mailscanner-Spamscore:. This header will have one "s" in it for each point of spamminess found in the email. For instance, a non-spammy email might have "s" or "ss", while a really spammy one might have "ssssssssssss".

How can that be used?

Many of the modifications are self-explanatory. If the original attachment is replaced by a warning message, read the warning and it'll tell you what happened. Some are more subtle. Particularly useful is the Subject: modification for spamminess. In Eudora and Outlook, you can use this to filter emails that the server thought might be spam into a folder other than your Inbox so that you don't have to deal with them except when you want to. For help filtering email with Eudora, check here. For help doing the same with Outlook, try this from the University of Maryland. Here at Morehouse, we recommend that users make a filter that looks for "Subject: {Spam?}" and sends that email to a Possibly-Spam mailbox.
That mailbox should be checked and cleaned out regularly (the end of each day seems reasonable) to make sure nothing in there got mis-identified as spam.

What if there's trouble? Something breaks?

If an attachment is quarantined for bad content, you'll get an email telling you so. Just contact the HelpDesk and we'll look into it, getting you as close to the information in your attachment as is possible. If you get such a message, do act quickly, though: items are deleted from quarantine in fairly short order (5 days, normally). If something else goes wrong, let the HelpDesk know and we'll get to work on it immediately.
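
The filter recommended under "How can that be used?" can also be written outside a mail client. The following Python example is added here for illustration and is not Morehouse's or MailScanner's own code; the function names, the rule for duplicate score headers and the fallback on the score header are assumptions, while the header name, the {Spam?} tag and the threshold of 5 come from the text above.

```python
import email
from email import policy

SCORE_HEADER = "X-Morehouse-Mailscanner-Spamscore"  # header name given on the page
SPAM_TAG = "{Spam?}"   # Subject: tag the server adds when the score is above 5
TAG_THRESHOLD = 5      # threshold stated on the page


def spam_points(msg):
    """Points of spamminess: one per 's' in the score header, None if absent."""
    values = msg.get_all(SCORE_HEADER)
    if not values:
        return None
    # Assumption: if more than one copy of the header is present (for example
    # one supplied by the sender), use the highest count, not the first one.
    return max(str(v).strip().lower().count("s") for v in values)


def choose_mailbox(raw):
    """Return (mailbox, points) for one raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))  # policy.default decodes RFC 2047 words
    points = spam_points(msg)
    # Match the tag only at the start, so a reply such as
    # "Re: {Spam?} ..." from a colleague is not filed as spam.
    if subject.lstrip().startswith(SPAM_TAG):
        return "Possibly-Spam", points
    # Assumed fallback: the tag is missing but the header shows more than 5.
    if points is not None and points > TAG_THRESHOLD:
        return "Possibly-Spam", points
    return "Inbox", points


def sample(subject, *scores):
    """Build a constructed message (not real mail) with the given score headers."""
    lines = ["From: someone@example.com", "Subject: " + subject]
    lines += [SCORE_HEADER + ": " + "s" * n for n in scores]
    return ("\r\n".join(lines) + "\r\n\r\nbody\r\n").encode()


if __name__ == "__main__":
    for subj, scores in [("{Spam?} Make money fast!", (8,)),
                         ("Lunch on Friday", (2,)),
                         ("Hello", (1, 7))]:
        print(subj, "->", choose_mailbox(sample(subj, *scores)))
```
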
That's all, folks!