ID #266

How does the mail server filter spam and viruses?

Applies to: Grid System

Modwest provides several layers of email filtering to reduce the amount of unwanted email delivered to your mailboxes on the grid system.

  1. The source IP of the incoming email is compared to spam blacklists, including the Spamcop Blocklist, a dynamically refreshing database of IP addresses from which numerous spam messages have recently been reported. In the event of a match, the email is temporarily deferred for later attempted delivery. Depending on the sender's ISP's server configuration, re-delivery is attempted for 1-4 days. If the source of the email is no longer present in the spam blacklists on a later delivery attempt, the email proceeds to the subsequent checks (described below). There currently is no way on the grid system to opt out of this filtering.

  2. The sender address (SMTP 'MAIL FROM:') of the incoming message is checked for a valid domain name. Unregistered domains, or domains for which no DNS records exist, result in a rejection similar to "Sender address rejected: Domain not found".

  3. Unauthenticated SMTP attempts from certain dynamic IP ranges (such as those associated with broadband residential ISPs) may be rejected with an error message similar to "Please use your ISP's mail server" if large amounts of spam are noted from these ranges. This rarely results in the rejection of legitimate mail relayed via mail servers hosted on these connections; the solution is for the mail administrator to configure Exchange to relay through the ISP's mail server, or to request a custom reverse DNS record from the ISP in place of the autogenerated one.

  4. The destination address is checked, and if it's not valid, the email is returned to the sender with an 'Unknown user' error message.

  5. As an emergency countermeasure against emerging worm and malware threats, we will occasionally at this point in the delivery process reject attachments with certain filenames.

  6. Attachments are next checked for dangerous content: file extensions such as .reg, .chm, .cnf, .ins, .jse, .lnk, .pif, .scf, .sct, .shb, .vbs, .xnk, .com, .exe, .scr, .bat, .cmd, .cpl, .mhtml, as well as any attachment with a very long filename, executable files, and filenames with many spaces. Any matches are silently quarantined. There currently is no way on the grid system to opt out of this filtering.

  7. Next, our virus signature database is consulted, and any infected emails are discarded. There currently is no way on the grid system to opt out of this filtering.

  8. Finally, per-mailbox spam preferences are applied and the email is handled accordingly.
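To make the order of the checks concrete, here is an added Python example (not Modwest's code) that models steps 1, 2 and 6 of the pipeline above as they are described: a DNSBL lookup name is built from the reversed octets of the source IP (bl.spamcop.net is SpamCop's real zone), a listed IP is deferred rather than rejected, a MAIL FROM domain without DNS records is rejected with the FAQ's error text, and attachments are quarantined by the FAQ's extension list, by overlong or space-heavy filenames, or by executable content. The DNS lookups are passed in as callables so it runs offline; the length and space thresholds, the "MZ" executable-header check, and every sample IP, domain and filename are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Extension list as given in the FAQ; the two thresholds are assumed values for this example.
BLOCKED_EXTENSIONS = {
    ".reg", ".chm", ".cnf", ".ins", ".jse", ".lnk", ".pif", ".scf", ".sct", ".shb",
    ".vbs", ".xnk", ".com", ".exe", ".scr", ".bat", ".cmd", ".cpl", ".mhtml",
}
MAX_FILENAME_LEN = 128   # assumed cut-off for "a very long filename"
MAX_SPACES = 8           # assumed cut-off for "filenames with many spaces"
DNSBL_ZONES = ("bl.spamcop.net",)  # SpamCop's public DNSBL zone


@dataclass
class Verdict:
    action: str   # one of: defer, reject, quarantine, accept
    reason: str


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.bl.spamcop.net."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_source_ip(ip: str, is_listed: Callable[[str], bool]) -> Optional[Verdict]:
    """Step 1: a listed source IP is deferred (a temporary failure), so a real MTA retries later."""
    for zone in DNSBL_ZONES:
        if is_listed(dnsbl_query_name(ip, zone)):
            return Verdict("defer", f"{ip} listed in {zone}; try again later")
    return None


def check_sender_domain(mail_from: str, has_dns: Callable[[str], bool]) -> Optional[Verdict]:
    """Step 2: reject a MAIL FROM whose domain has no DNS records."""
    if "@" not in mail_from:
        return Verdict("reject", "Sender address rejected: malformed address")
    domain = mail_from.rsplit("@", 1)[1].strip().lower()
    if not domain or not has_dns(domain):
        return Verdict("reject", "Sender address rejected: Domain not found")
    return None


def check_attachment(filename: str, content: bytes) -> Optional[Verdict]:
    """Step 6: quarantine by extension, by suspicious filename shape, or by executable content."""
    name = filename.strip()          # strip whitespace so "invoice.exe " is still caught
    lowered = name.lower()           # extension match is case-insensitive
    ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
    if ext in BLOCKED_EXTENSIONS:
        return Verdict("quarantine", f"blocked extension {ext}: {name}")
    if len(name) > MAX_FILENAME_LEN:
        return Verdict("quarantine", f"filename longer than {MAX_FILENAME_LEN} characters")
    if name.count(" ") >= MAX_SPACES:
        return Verdict("quarantine", f"filename with {name.count(' ')} spaces: {name}")
    # Assumed content check: a Windows executable begins with the "MZ" DOS header regardless of name.
    if content[:2] == b"MZ":
        return Verdict("quarantine", f"executable content disguised as {name}")
    return None


def filter_message(source_ip: str, mail_from: str, attachments: Iterable[Tuple[str, bytes]],
                   is_listed: Callable[[str], bool], has_dns: Callable[[str], bool]) -> Verdict:
    """Apply the checks in FAQ order; the first hit decides, since each step precedes the next."""
    verdict = check_source_ip(source_ip, is_listed)
    if verdict:
        return verdict
    verdict = check_sender_domain(mail_from, has_dns)
    if verdict:
        return verdict
    for filename, content in attachments:
        verdict = check_attachment(filename, content)
        if verdict:
            return verdict
    return Verdict("accept", "passed all checks")


# Constructed stand-ins for the two DNS lookups so the example runs without network access.
LISTED_NAMES = {dnsbl_query_name("192.0.2.10", "bl.spamcop.net")}   # 192.0.2.0/24 is TEST-NET-1
KNOWN_DOMAINS = {"example.com", "example.net"}


def fake_is_listed(name: str) -> bool:
    return name in LISTED_NAMES


def fake_has_dns(domain: str) -> bool:
    return domain in KNOWN_DOMAINS


if __name__ == "__main__":
    samples = [
        ("192.0.2.10", "user@example.com", []),                               # listed IP -> defer
        ("192.0.2.20", "user@no-such-domain.invalid", []),                    # no DNS -> reject
        ("192.0.2.20", "user@example.com", [("report.pdf.exe", b"MZ\x90")]),  # extension -> quarantine
        ("192.0.2.20", "user@example.com", [("report.pdf", b"MZ\x90")]),      # MZ header -> quarantine
        ("192.0.2.20", "user@example.com", [("report.pdf", b"%PDF-1.4")]),    # clean -> accept
    ]
    for ip, sender, atts in samples:
        v = filter_message(ip, sender, atts, fake_is_listed, fake_has_dns)
        print(f"{v.action:10} {v.reason}")
```

Deferral versus rejection is the security-relevant distinction in step 1: a temporary failure lets a sender whose IP drops off the blocklist deliver on a later retry, whereas a hard rejection would lose that mail. The content check on the `MZ` header is what catches an executable renamed to an innocuous extension, which an extension list alone cannot.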

In no case, except as specifically noted above, are senders notified of an email being discarded. This is because most email generated by viruses provides a fake 'From' address, and notifying these innocent users would needlessly cause alarm and confusion.

Last update: 2010-10-03 12:54
Author: FAQ Admin
Revision: 1.3
