24, No. 17, March 17, 20054
offers new arsenal for virus protection and spam management
Sharita Forrest, Assistant Editor
photo to enlarge
News Bureau Photo
got less mail The
primary complaint of campus computer users is the
daily barrage of spam, said Mike Corn, director
of security services and information privacy for
Campus Information Technologies and Educational
Services. To help users take control of their inboxes,
CITES is launching a new software system, CITES
Spam Control, that detects and eliminates e-mail
viruses and spam.
If the title of
a current Broadway musical – “Spamalot”– describes
your incoming e-mail, but the daily onslaught of lurid advertisements
and virus-laden hoaxes brings you little mirth, a new service from Campus
Information Technologies and Educational Services may be your ticket
to a cleaner inbox.
CITES Spam Control, a new component of the e-mail architecture at the
Urbana campus, comprises two modules that will enhance virus protection
for many e-mail users and offer several options for managing spam.
The centralized virus-detection module, which was activated March 2,
scans messages sent to all recipients with @illinois.edu e-mail addresses
and automatically deletes messages that contain viruses.
The system’s anti-spam module examines various attributes and
structural components of incoming messages – such as sender IP
addresses, URLs and headers – and assigns each message a score
ranging from 0 to 100 indicating the likelihood that the message is
spam. A score of 0 signifies an unquestionably valid message while a
score of 100 indicates that the message is undoubtedly spam. The spam
score is displayed in a header that the software adds to the message
before routing it to the user’s e-mail account.
“The default practice will be to add the headers and not do anything
else to the messages,” said Mike Corn, director of security services
and information privacy at CITES. “We don’t want to force
spam handling on people. We want to enable them to decide how they want
Beginning April 15, about every week or so, CITES will send e-mails
notifying different segments of the campus community – faculty
members, academic professionals, undergraduates – that they can
activate additional functions of CITES Spam Control by visiting a Web
Spam Control Service
10 a.m. to 3 p.m.
Illini Union Room C
Short, walk-up, hands-on training will be available
as well as information about computer security in
general. A new Security Tools CD will be available.
May 3, 7 p.m.
May 5, 9 a.m.
May 10, 9 a.m.
May 23, 1 p.m.
May 25, 1 p.m.
Registration is requested for these 45-minute classes.
The anti-spam module
is being activated in phases because “turning the spam control
on for 70,000 users at once would inundate the help desk with questions,”
Corn said. “We want to make sure we’re positioned to support
Users will be able to customize the spam filter according to the level
of protection they want by selecting from four options:
- Tag – the
system adds headers with spam scores and delivers all messages to
the user’s inbox.
- Cautious –
messages the system is “certain” are spam and messages
“likely” to be spam according to their scores are quarantined
but not deleted.
- Aggressive –
messages the system is “certain” are spam are deleted
while “likely” spam are sent to quarantine.
- No quarantine
– messages the system is “certain” are spam are
deleted automatically and the rest are delivered to the inbox.
According to the
software vendor, Proofpoint Inc., only a small percentage – about
1.5 percent – of messages receive scores between 20 and 80, and
CITES’ usage of the system has yielded the same results, Corn
said. Most messages score very high or very low. Messages with spam
scores of 50 or above will be sent to users’ quarantine folders
and will remain on the server for 10 days before being deleted automatically.
People who use quarantining will receive daily e-mail digests of the
messages quarantined since the prior day, and they can opt to receive
the daily digests even when they have no quarantined messages. Users
can scan the digest each day, and if valid messages have been misidentified
as spam (known as “false positives”), they can either click
“release” to redirect the messages to their inboxes or click
“safe list” to redirect the message and ensure that all
future messages from those senders are delivered. Users also may establish
personalized “auto-block lists” to ban unwanted messages
Users will be able to access the system and adjust their settings through
the URL contained in the activation notice and the daily digests; no
logins or passwords are required. Therefore, users should not forward
the digest or the activation notice to other people because that would
allow recipients to access their accounts.
The antivirus/anti-spam software will only screen e-mail that passes
through CITES’ servers – mail going to addresses such as
firstname.lastname@example.org, email@example.com or addresses on the retired
student/staff cluster. E-mail to accounts on college or departmental
e-mail servers may not pass through CITES Spam Control. Users with multiple
addresses can view which of their e-mail accounts CITES Spam Control
is handling through the Web interface.
The new antivirus software enables CITES staff to monitor the number
of viruses coming into its servers by reporting statistics every four
hours. In a March 1 e-mail to the campus community that announced activation
of the antivirus controls, Corn said that the system detected 121,052
e-mail viruses during a one-week testing period in February. When the
system goes into full production, it will likely eradicate about 20,000
virus-infected messages each day, Corn said.
“I’ve had a few people ask me why CITES isn’t notifying
people when it deletes a virus-infected message,” Corn said. “But
there’s very, very little legitimate e-mail with viruses. I think
I’ve received one legitimate message with a virus during the past
three years. I think that’s fairly typical. With up to 20,000
viruses coming in to campus every day, if we notified users every time
we deleted an e-mail, we’d be turning 20,000 infected messages
into 40,000 pieces of spam.”
During the testing phase, the software has been accurately identifying
and classifying as spam “phishing” messages, fraudulent
e-mails that attempt to dupe unsuspecting recipients into providing
personal information that thieves can use to steal their identities.
Corn said he is “guardedly optimistic” that CITES will see
a measurable reduction in the number of security incidents as a result
of the new system.
While Corn expects users to be very pleased with the level of protection
the system provides, he cautioned that the anti-spam control will occasionally
misidentify a valid e-mail message as spam or allow a bogus message
“I usually get about 150 spam a day, and I’m finding that
about three spam a day are sneaking through undetected,” Corn
said. “I can live with three. The anti-spam software seems to
very accurately identify spam. One of the reasons we picked this system
is because it had the lowest “false positive” rate of the
packages we looked at.”
Approximately 120 “typical end users” – that is, non-technical
staff – were involved in testing the system, and they indicated
that they found the system very accurate and easy to use, Corn said.
The system screens e-mail before it passes through e-mail clients like
Eudora and Microsoft Outlook Express; it also is compatible with Web
browsers and with Departmental Services’ Microsoft Exchange Services,
which provides additional anti-virus and anti-spam protection.
In addition to the software, the system comprises eight computers –
four at the on-campus data center and four at a remote site –
with half a terabyte of disk space, a database server and a backup server
to hold the quarantined messages. Each data center has the capacity
to handle more than double the volume of e-mail traffic on campus. Should
the campus data center go down, traffic is transferred automatically
to the remote site. When both data centers are running, they share the
“E-mail is really so critical to people’s lives, we wanted
to make sure we had the capacity we needed and then some,” Corn
said. “Also, we’re not going to deploy the system until
we’re 100 percent confident in it – that is, if we have
any doubts at all, we’ll postpone it until we have it right.”
The hardware and software was funded by a one-time grant from the Office
of the Provost.