03-17-2008 10:28 AM

Is there any way to tag as spam the messages that do get through the filter? It's sort of a weird learning process if you can't help it learn false negatives as well as false positives.

John D. Muccigrosso 03-17-2008 09:53 PM

I think Mr. Wyman has a point.

Leaving aside the quality of the tagging (I knew we had switched systems when spam started getting through to my inbox the other day)...

I'm someone who likes not to have what the system thinks is spam deleted right away, and I don't like to have to check "quarantine" either, since I use my own email client and not the awful web interface or - worse - the GroupWise client. The new system tags spam with [BULK], which meant I had to go and change my filtering rule so that this tag worked. No big deal, but it was another change to my setup, so I'm sympathetic to those who aren't so e-adept or so eager to fiddle with the settings every few months. (Why on earth it uses BULK instead of SPAM is a mystery to me.)

On the positive side, now that I've set the spam filter to 2, everything seems to work well. Also the whitelist is better because it actually seems to work on the "from:" address (though I haven't had much chance to see this in action).

Since I've also got the quarantine off, it would be good to be able to teach it with some other mechanism.

03-18-2008 10:14 AM

I keep lowering and lowering my spam scoring numbers, and more and more spam is being delivered to my inbox.

Could someone post a description (in English!) of what "tag," "quarantine," and "block" do and how their scales run, so I can understand how to change my settings? The "spam scoring" preferences box is completely bewildering: at the top it says the scale runs from 0=not spam to 9=definitely spam, but then the sliders below, which are the only numbers in the box, seem to run from 1=definitely spam to 10=not spam. The info at the help button doesn't help unless you already understand these scales.

15 spams in my inbox this morning, and 2 more arrived in the 2 minutes it took me to type this posting! I'm not sure I agree with Axel's premise that a lot of false negatives are better than a single false positive.

Mike Richichi 03-18-2008 11:43 AM

Basically, "Tag", "Quarantine", and "Block" refer to how the firewall deals with spam.

"Tag" adds a [bulk] string to the subject line, which an email client can use for filtering decisions. That's how John is choosing to filter his email.

"Quarantine" places the messages in the spam.drew.edu quarantine, and generates the nightly messages, and allows you to release and whitelist individual addresses. This is the functionality that is most like the M+ Guardian was.

"Block" means don't let the user see the message at all--it simply goes away. Obviously, this is the most risky in terms of losing false positives.

The numbers from 1-10 are the score that the Barracuda assigns every message based on the tests it uses to determine spam. 0 is "definitely not spam" and 10 is "definitely spam". You can see these scores by looking at the message source in GroupWise (or "message headers" or "original message" in other clients--basically, the full text of the email as sent). It's in the X-Barracuda-Spam-Score: header.

Looking at that, I've currently set my quarantine level to 0.55--I've gotten some legitimate spam that scores at 0.5 (which seems odd to me and I think we'll learn some more about it, but part of it is that the Barracuda does less content analysis and more reputation analysis of senders, IP addresses, web forms, etc.). I get some bulk mail from legitimate senders that scores around 1.5-2, but those tended to get quarantined by M+ Guardian, and certainly most of them are things that I don't need to read. I'd suggest going down that low if you are of a mind that a few false positives are less of an issue than getting spam in your mailbox. If spam comes through, look at its score and adjust accordingly.

In terms of the training issue, there are some plugins available to classify messages as "spam" and "not spam" but they're not officially available for our supported clients, and the protocol isn't documented so we can't do our own. That would probably work well, but it takes 200 messages to train the database (for each user). Of course, you can give it legitimate messages and spam so it learns the difference. We're continuing to investigate that. For what it's worth, you can also email spam (make sure you "forward as attachment" so headers are preserved) to spam@barracudanetworks.com, and they use that data to improve their algorithms and rules. It may not have an immediate effect but it should help in the long term.
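An added example, not part of the original post and not Drew's or Barracuda's code: reading the X-Barracuda-Spam-Score header from saved messages and checking how a given set of Tag, Quarantine and Block levels would treat them. The sample messages are constructed, and the rule that a score above a level triggers it, with the most severe action winning, is an assumption based on the descriptions in this thread.

```python
from email import message_from_string

# Constructed sample mail (label, raw message); scores mirror ranges in the thread.
SAMPLES = [
    ("spam", "Subject: wire transfer\nX-Barracuda-Spam-Score: 0.50\n\nbody"),
    ("spam", "Subject: work from home\nX-Barracuda-Spam-Score: 3.20\n\nbody"),
    ("spam", "Subject: pills\nX-Barracuda-Spam-Score: 7.50\n\nbody"),
    ("ham", "Subject: meeting notes\nX-Barracuda-Spam-Score: 0.00\n\nbody"),
    ("ham", "Subject: list digest\nX-Barracuda-Spam-Score: 1.80\n\nbody"),
    ("ham", "Subject: vendor newsletter\nX-Barracuda-Spam-Score: 3.00\n\nbody"),
    ("ham", "Subject: internal memo\n\nbody"),  # no score header at all
]

DISABLED = 10.0  # the thread says a level of 10 means the action is disabled


def spam_score(raw):
    """Return the X-Barracuda-Spam-Score value as a float, or None if missing or malformed."""
    value = message_from_string(raw).get("X-Barracuda-Spam-Score")
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def action(score, tag=DISABLED, quarantine=DISABLED, block=DISABLED):
    """Assumed semantics: a score above a level triggers it; the most severe action wins."""
    if score is None:
        return "deliver"
    for name, level in (("block", block), ("quarantine", quarantine), ("tag", tag)):
        if level < DISABLED and score > level:
            return name
    return "deliver"


def evaluate(samples, **levels):
    """Count spam delivered untouched and legitimate mail that was tagged, quarantined or blocked."""
    result = {"spam_delivered": 0, "legit_caught": 0}
    for label, raw in samples:
        act = action(spam_score(raw), **levels)
        if label == "spam" and act == "deliver":
            result["spam_delivered"] += 1
        elif label == "ham" and act != "deliver":
            result["legit_caught"] += 1
    return result


if __name__ == "__main__":
    for q in (0.45, 0.55, 2.0, 5.0):
        print(q, evaluate(SAMPLES, quarantine=q))
```

Run against a folder of your own hand-labelled messages, the same counts show which quarantine level trades missed spam against legitimate mail caught.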

John D. Muccigrosso 03-18-2008 06:39 PM

Like Mike, I've got my spam slider set pretty low (2 now, IIRC), and have gotten very few false negatives so far, mainly a couple of lists I subscribe to.

Doesn't this suggest that the Barracuda scale is really pretty poorly calibrated?

I also would like an easier way to whitelist without using Quarantine, but maybe I'll move over to that. Is it possible to view the quarantine from a plain old IMAP client?

Is the Bayesian filter one of those plug-ins that isn't activated (yet)?

03-19-2008 09:57 AM

More Spam Than Ever
With the last program we were using, much fewer spam emails got through than now. I constantly am getting emails about people wanting to deposit money in my bank account, women who want to hook up with men, working from home and getting paid.
I hate this; I wish we had stuck with the old one. I just thank god I won't be using the Drew mailing system much longer.

Scott Wood 03-19-2008 02:22 PM

I see that you've changed your settings, so you can expect to receive a lot less spam now.

I've noticed a few instances where people chose settings that will probably result in either additional spam in their Inbox or legitimate mail being discarded. Just to review:

There are three settings people can change: Tag, Quarantine and Block. Most people will only want to change the Quarantine setting. If you are receiving too much spam, you can experiment with lowering the quarantine number. As you lower the quarantine number, you increase the chances that a legitimate incoming email message will end up in your quarantine. You will probably want to review your quarantine more frequently after making changes and perhaps whitelist legitimate messages that are being caught.

By default, we've set Block and Tag levels to 10 (disabled). If you choose to lower your Block number, it is not advisable to go much lower than 7. We've seen legitimate email score as high as 3 and I think in some circumstances might score higher. It's best to just quarantine these messages instead of Blocking them. If you end up with more messages in your quarantine than is manageable *and* you aren't seeing legitimate email messages in your quarantine, you may want to consider lowering your Block level, but we recommend being very conservative about making changes to the Block number.

Some people prefer to use the Tag option. This adds [BULK] to the subject of any message that scores higher than your tag level. You can create a GroupWise rule to test for the presence of [BULK] in the subject of a message and move it to a designated SPAM folder. This allows you to quickly see suspected spam by viewing an email folder instead of going to the web interface (https://spam.drew.edu) or waiting for your daily quarantine report.

Hopefully this clears up any confusion about changing spam levels, but feel free to post followup questions here or to contact the CNS Helpdesk at x3205.

John D. Muccigrosso 03-26-2008 09:13 PM

New quarantine
OK, so now quarantine seems to be activated on my account, even though I've set the quarantine slider to 10.

Oddly, the account name isn't mine...or not the simple version of mine anyway. It's actually:


Jonathan B. Reams 03-26-2008 09:43 PM


Actually that IS your account name. If you look closely you'll see your name, followed by the post office you're on, followed by the drew domain name. Think of it as a mailing address; if I sent you a post card at "John D. Muccigrosso - Drew", I would not only get the post card back, but probably a snarky note from the post office asking why I presumed that they would know who and where you were from just "Drew". Fortunately, the GWIA is smart enough to be able to translate the internal addresses of user.post office.domain@internet domain into something the rest of the world can use and remember. This is pretty common on corporate email systems.

