
General Definitions about Spam



What is Spam?

Spam mails are unrequested e-mails, mostly unsolicited commercial e-mails (but newsletters or offer lists that the user has subscribed to and can unsubscribe from at any time are not spam!).

Spam mail is recognised on the one hand by typical expressions in the subject or mail text such as "Sale", "Sensational Offer" or "Viagra", and on the other hand by less obvious violations of the mail protocol, e.g. unusual sender addresses or delivery via servers known as spam mail servers, among others.

Spam checking with "SpamAssassin"

Every e-mail received via the official mail servers at GSI runs (among other things) through a program called "SpamAssassin". This program examines, according to various criteria, whether the e-mail is spam.

Each criterion that applies contributes a certain score, which may also be negative. The criteria that "SpamAssassin" matched and the assigned score are recorded in the Internet header of the e-mail, e.g.:

X-Spam-Status: Yes, hits=5.1 tagged_above=-99.0 required=3.1 tests=BAYES_95, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, URIBL_SBL
X-Spam-Level: *****

In addition to checking the static rules, "SpamAssassin" can learn new spam criteria on its own (so-called "Bayes classification"). Based on these learned criteria an e-mail may receive an additional score, which can be between -5 and 5. The learning process depends on the number and kind of spam mails processed so far. The resulting score therefore changes over time and can differ between mail servers for the same e-mail.

The current list of tests SpamAssassin performs on mail messages and a short explanation of the original criteria are found at http://spamassassin.apache.org/tests_3_0_x.html

Naturally, "SpamAssassin" cannot decide with certainty whether an e-mail is spam or not. Some wanted e-mails (usually newsletters) meet the same criteria as spam mails.

Note: Sender e-mail addresses are mostly falsified by spam senders!


Spam Tag Level

If the spam score exceeds a certain threshold value (Spam tag level), the e-mail receives the tag "[ Spam? ]" at the beginning of the subject, e.g.:

[SPAM?]Big Sale!

Delivery takes place as usual. The tag in the subject can be used to set up filter rules in the mail program (example for Outlook).
The default value for the tag level is 3. Each user may choose any value >= 2.

Spam Reject Level

Important change starting from September 15th 2009!

If the score exceeds a second threshold value (Spam level 2 or "reject level"), which must be larger than the tag level value, then the e-mail is not delivered to the recipient but deleted immediately. In contrast to the former procedure, the sender is no longer informed. No notification is sent at all, in particular none stating that a spam e-mail was not delivered!

Until September 15th 2009 the previous procedure applies: e-mails with a spam score that exceeds the "reject level" are rejected and a report is sent to the sender stating that the e-mail was classified as spam and was not delivered.

There is no default value for the reject level ("NONE"). Therefore, as long as this value has not been changed, all e-mails are delivered. All values >= 7 are permitted, whereby the rejection threshold value must be at least as large as the tag level. A value of 8 is recommended.
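The header format and the two thresholds described above, put together as an added example (not GSI's or SpamAssassin's own code): it parses X-Spam-Status and decides what happens to the mail under the procedure in force from September 15th 2009. The function names are hypothetical, accepting "score=" as well as "hits=" is an assumption based on newer SpamAssassin versions, and of the two wordings on this page the stricter one (reject level larger than tag level) is enforced.

```python
import re
from email import message_from_string

# Constructed sample message; the two X-Spam headers are the ones shown above.
SAMPLE = (
    "From: sender@example.org\n"
    "Subject: Big Sale!\n"
    "X-Spam-Status: Yes, hits=5.1 tagged_above=-99.0 required=3.1\n"
    " tests=BAYES_95, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, URIBL_SBL\n"
    "X-Spam-Level: *****\n"
    "\nbody\n"
)

def parse_spam_status(raw_message):
    """Return (score, [matched test names]) or None if the header is unusable."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    value = " ".join(value.split())  # unfold continuation lines
    score = re.search(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)", value)
    if score is None:
        return None
    tests = re.search(r"\btests=(.*)$", value)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return float(score.group(1)), [n for n in names if n]

def check_levels(tag_level=3.0, reject_level=None):
    """Validate user-chosen levels against the limits stated on this page."""
    if tag_level < 2:
        raise ValueError("tag level must be >= 2")
    if reject_level is None:  # models the default "NONE": nothing is discarded
        return
    if reject_level < 7:
        raise ValueError("reject level must be >= 7")
    if reject_level <= tag_level:
        raise ValueError("reject level must be larger than the tag level")

def disposition(score, tag_level=3.0, reject_level=None):
    """'discard' above the reject level, 'tag' above the tag level, else 'deliver'."""
    check_levels(tag_level, reject_level)
    if reject_level is not None and score > reject_level:
        return "discard"  # deleted silently, sender is not informed
    if score > tag_level:
        return "tag"      # delivered with the spam tag in the subject
    return "deliver"
```

With the default settings the sample mail (5.1 points) is tagged and delivered; with the recommended reject level of 8 it is still delivered, and only a score above 8 is discarded.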

White Lists

As previously mentioned, some e-mails receive a high score from "SpamAssassin", and thus a tag in the subject, although they are not spam mails. Such e-mails are called "false positives". This happens very often with e-mails from one particular address, e.g. with newsletters the users have subscribed to themselves.

Such return addresses can be entered into the personal "white list". E-mails from senders listed in a white list are not examined according to the spam criteria.

Note that the return address displayed by the e-mail program is not necessarily the real e-mail address. To see the real address, open the e-mail and use the address shown in [ ] in the "From:" field. Do not enter addresses in the form "readable name [e-mail address]" or "readable name <e-mail address>"; use only the direct form "e-mail address".

You may insert complete e-mail addresses, but also whole domains, i.e. shortened addresses beginning with the "@" sign (e.g. @cern.ch).
Using "@*.domainname" (e.g. @*.cern.ch) you can address various machine names in the same domain (remark: @*.cern.ch includes @cern.ch).

By default the white list is empty. At present (due to performance reasons) up to 20 e-mail addresses are accepted.
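The white list entry forms described above, as an added example (not the code running on the GSI mail servers): it validates entries and matches the address taken from a "From:" header. The function names are hypothetical, and treating a plain "@domain" entry as an exact domain match is this example's reading of the page.

```python
from email.utils import parseaddr

MAX_ENTRIES = 20  # limit stated on this page

def validate_whitelist(entries):
    """Return normalised entries; raise ValueError on forms the page disallows."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("at most %d entries are accepted" % MAX_ENTRIES)
    cleaned = []
    for entry in entries:
        e = entry.strip().lower()
        # Reject "readable name [address]" / "readable name <address>" forms.
        if any(c in e for c in "<>[] ") or e.count("@") != 1:
            raise ValueError("use the bare address form: %r" % entry)
        cleaned.append(e)
    return cleaned

def is_whitelisted(from_header, entries):
    """Match the address inside a From: header against white list entries."""
    address = parseaddr(from_header)[1].lower()
    if address.count("@") != 1:
        return False
    domain = address.split("@")[1]
    for entry in validate_whitelist(entries):
        if entry.startswith("@*."):
            base = entry[3:]
            # "@*.cern.ch" covers cern.ch and its hosts; the leading dot in
            # the suffix test keeps look-alikes such as "evilcern.ch" out.
            if domain == base or domain.endswith("." + base):
                return True
        elif entry.startswith("@"):
            if domain == entry[1:]:
                return True
        elif address == entry:
            return True
    return False
```

Because the "From:" address is supplied by the sender and, as noted above, is mostly falsified in spam, a match only means the mail claims to come from that address.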

GSI General White Lists

At GSI there are a number of e-mail addresses that are white-listed for all users and therefore need not be entered into the personal white list. At present these include:

  • amavis-user-admin@lists.sourceforge.net
  • bugtraq@securityfocus.com
  • cert-advisory-owner@cert.org
  • lvs-users-admin@LinuxVirtualServer.org
  • notification-return@lists.sophos.com
  • owner-alert@iss.net
  • razor-users-admin@lists.sourceforge.net
  • security-alerts@linuxsecurity.com
  • slashdot@slashdot.org
  • spamassassin-talk-admin@lists.sourceforge.net

In addition, the following frequently occurring e-mail addresses are "credited" 3 and/or 5 points and are therefore rarely tagged as spam mail.

List with domain parts, e.g.:

  • amazon.de
  • bmbf.bund.de
  • cern.ch
  • dfn.de
  • gsi.de
  • physicsweb.org

Individual e-mail addresses, e.g.:

  • Gebotbestaetigt@ebay.de
  • office@schard.de

Virus Alert

Virus alert e-mails are notifications from the GSI virus scanner (amavis@lxmta1.gsi.de and/or amavis@lxmta2.gsi.de) with a subject of the form "[ VIRUS! ] X virus-20041206-193314-18433-03", which means that an e-mail containing a virus was sent to you. Since the sender is falsified in 99% of the cases (spam mail), you can discard these e-mails anyway.

If you reply to this notification e-mail, amavis sends you the original e-mail, from which the virus has however been removed.

If you have any comments/suggestions on this page, please contact the webmastergsi.de Last update: 18. Aug. 2009 by reinhardt