Drew Community

Drew Community (https://community.drew.edu//index.php)
-   Technology Discussion (https://community.drew.edu//forumdisplay.php?f=89)
-   -   New Spam Firewall (https://community.drew.edu//showthread.php?t=1167)

Mike Richichi 03-14-2008 05:45 PM

New Spam Firewall
 
Here's the text of the campus-wide message:

Quote:

CNS has been evaluating and testing the Barracuda Spam Firewall as a possible replacement for our current spam filter, and had planned to switch to it in the near future. This Friday, sending and receiving email off-campus was broken for several hours, due to our current spam filtering systemís licence expiring prematurely. When the license was extended, we had significant issues bringing the system back online. While email messages were only delayed and not lost, we consider this to be a serious problem. Due to this and other ongoing concerns we have decided to advance the replacement cycle of the spam filter and complete the upgrade today.

The new system behaves slightly differently than the old one, and we believe it will do a better job of filtering unwanted messages. You will still receive daily quarantine messages. The reports have the option to release the message, release and add sender to your "whitelist" or delete the message from quarantine. http://spam.drew.edu will still be available to examine your quarantine at any time, and allows you to configure some personal preferences as well.

While these interfaces may look different we believe they should be as easy if not easier to use than the previous system. You will also notice far fewer messages in your quarantine, which should make it simpler to find legitimate emails that were blocked. This is due to the additional filtering methods the Barracuda uses to block email from known undesirable origins. Also, current deny/allow from the old system will not be on the new system; we expect to be able to migrate them for you shortly.

We've been satisfied with the Barracuda product so far, and as our renewal for the old product was coming up, the timing was right to examine other products. We expect it to be more reliable than our old solution.

You will receive one more quarantine report from the old server, and clicking on the actions in that message will still work appropriately. In addition, the old spam filter will be available at http://oldspam.drew.edu/ for at least one week in case you need to review messages it has captured.

Please use this thread for questions, problems, and what we hope is positive feedback.

Franklin K. Wyman 03-14-2008 07:34 PM

Why does CNS change software so often?
 
Sir:

I am a Ph.D. candidate, over 50 years of age, and not a genius at technology. Therefore, I strongly object to the seemingly constant changes in the various Drew software systems with which we are expected to deal. It seems that as soon as I learn how to deal with one system or interface, CNS discards it in favor of another that is even more arcane and complex.

The latest switch is a perfect example of this frustrating trend. With the soon to be outgoing system, the "delete" button was too small for anyone but an eagle-eyed undergraduate to detect. I became aware of its location only after I asked about it. Why did I have to ask how to delete mail that I do not want to read? If your objective in providing a spam filter is to avoid spam, why did you select a system in which the "delete" button is so hard to see? It would appear that the spammers are in league with those who designed the filter, or vice versa.

But, lo and behold, now that I have at long last figured out how to delete mail I do not want, I see that CNS has chosen a new system. My choices appear to be to ignore it or to take valuable time in learning a system, that, perhaps, will soon be replaced in its turn.

This must stop.

Franklin K. Wyman
Caspersen School

E. Axel Larsson 03-14-2008 08:09 PM

Quote:

Originally Posted by Franklin K. Wyman
Sir:

I am a Ph.D. candidate, over 50 years of age, and not a genius at technology. Therefore, I strongly object to the seemingly constant changes in the various Drew software systems with which we are expected to deal. It seems that as soon as I learn how to deal with one system or interface, CNS discards it in favor of another that is even more arcane and complex.

The latest switch is a perfect example of this frustrating trend. With the soon to be outgoing system, the "delete" button was too small for anyone but an eagle-eyed undergraduate to detect. I became aware of its location only after I asked about it. Why did I have to ask how to delete mail that I do not want to read? If your objective in providing a spam filter is to avoid spam, why did you select a system in which the "delete" button is so hard to see? It would appear that the spammers are in league with those who designed the filter, or vice versa.

But, lo and behold, now that I have at long last figured out how to delete mail I do not want, I see that CNS has chosen a new system. My choices appear to be to ignore it or to take valuable time in learning a system, that, perhaps, will soon be replaced in its turn.

This must stop.

Franklin K. Wyman
Caspersen School

With both the old and new sstem, it is not necessary to delete messages from the Quarantine manually. Messages that are not released by you are automatically removed after 7 days, so you can simply allow them to remain and they will expire on their own.

As to switching to the new product-- we did not intend to make the switch during the semester. We recognize that switching software during mid-semester is disruptive to the user community and would only consider such actions when absolutely necessary. As Mike's message indicated, we experienced a serious failure with the previous product this morning that resulted in a multi-hour outage of email service. This outage has been preceeded by a variety of persistent unresolvable problems with the product, that had resulted in us investigating the Barracuda product in the first place. This morning's outage was the last straw in a long history of issues.

Rather than continue to subject the University community to unreliable email service, we took the prudent course and cut over to the new system right away.

Also, please do keep in mind, that it is not always up to Drew University's CNS department when we implement a new piece of software. We are forced by industry trends and vendor's support policies to stay current with this software. When we switched from GWGuardian to M+ Guardian one year ago, this was not by choice. The vendor that supported the product had started to discontinue support for GWGuardian and was no longer keeping it up to date, pushing customers who were renewing their contracts to the new software. We were actually quit happy with GWGuardian would have been content to continue using it, but it was no longer being actively maintained by the vendor. It is simply not an option to be running an anti-spam and anti-virus product that is not actively updated by the vendor, as the system would be incapable of detecting new spam and viruses and this would be both an inconvenience and a security risk to the University.

Due to the persistent issues we've had with M+ Guardian since we were pushed to switch to it a year ago, and the failure we experienced this morning, we are exercising our option not to renew our contract for another year for that product and are putting the Barracuda in place two months ahead of schedule.

We've been evaluating the Barracuda for a while and are confident that it will provide more reliable service than M+ Guardian. The product's interface for users has been relatively unchanged for several years and we have every reason to believe that they will keep it as is with only minor changes for a while yet to come...

03-15-2008 12:13 PM

I gotta tell you, I'm not thrilled. I got four emails with some variation of "please her sexually" in the subject line this morning alone. That's never happened before. Maybe it's just coincidental timing and actually has nothing to do with the new spam filter, but....

03-15-2008 01:13 PM

Part of the Ship...Part of the Crew...The Dutchman Must Have A Captain

Andy A. Benavides 03-15-2008 01:45 PM

Did you ever wonder???
 
Did you ever wonder how chickens manage to get the yolk inside of the shell? It always gets me thinking...

E. Axel Larsson 03-16-2008 02:16 AM

Currently the thresholds are not set very aggressively. Far worse than 50 spam messages getting through is one accidentally getting quarantined (known as a false-positive) so you always have to be conservative when starting out with a new filter.

The current set up shouldn't be getting false positives, which was more of an issue the previous product. We will have to adjust the thresholds as we find a reasonable level that still does not produce false positives.

Barracuda works in a different way than Guardian. Barracuda makes heavy use of their distributed reputation system to catch most of the spam before it even gets to the quarantine stage (this is why the quarantine reports should be shorter). The reputation system uses a database of known spam campaigns that is updated at least once an hour.

Guardian relied much more on content analysis, which is looking for keywords and others characteristics of the email to decide if it is spam or not. This technique is more likely to catch unknown spam campaigns, but it is also more likely to hit false positives if the message "looks" spammy or uses certain keywords.

Barracuda does content analysis as well, but the thresholds are higher, since the reputation system should catch most of the stuff up front.

In any case, we will definitely be tweaking it over the next week.

This screenshot shows the stats on the Barracuda since it was installed. Note that the "day" column shows relatively small numbers because it is only 2:00am. The Total column encompasses only two days of message traffic. The Blocked numbers show the number captured by the reputation system, before it even gets to quarantine. Percentage-wise, what we are seeing here is not unusual. Internet email really is that spammy--it's kind of amazing it works at all.


Paul R. Coen 03-16-2008 11:49 AM

As Axel said, we're going to be making adjustments
 
I've seen a few get through as well, mostly relatively innocuous stuff. In a couple of cases, it was a text-only email with a very bland subject line, a series of nonsense words or strings of random characters, and a single URL. There wasn't much else for the filter to go on, so until that source hits Barracuda's reputation filter (which it might, assuming the sites contributing to that are getting the same thing), it's hard to catch. Some of that stuff is currently only scoring a .8 or so (on a scale of 0 to 10), and looking at the messages, there's nothing hugely obvious about them to latch onto.

On the plus side, I haven't had to re-create my 40+ item "allowed" list that I needed with M+Guardian to avoid having it whack mailing list traffic that I actually want.

You can change your individual spam preferences if you go to http://spam.drew.edu and look under preferences. We currently have a system default score of "3.5" for spam. If you make that number lower, it'll be more aggressive when filtering your email, but you're likely to get more false positives and you'll have to really check the quarantine. If that's OK, or you don't care if you miss a few mail messages here and there, you can set the number lower. I wouldn't set it too low at this point, though, you're likely to suddenly get a ton of mail blocked.

Scott Wood 03-16-2008 12:32 PM

We're going to continue to be conservative with setting the system default "score" for messages considered spam, but we will make minor adjustments over the next few days.

We just changed the default threshold down to 3.25 from 3.5, so any message that scores higher than 3.25 will now be quarantined.

As Paul mentioned, people may want to lower their own levels individually by changing preferences at http://spam.drew.edu. Click on the Preferences tab, then click on the Spam Settings tab, and then under Spam Scoring change Use System Defaults to no. Click on the Save Changes button and then adjust the Quarantine number up or down. Click on the Save Changes button again to commit your changes.

If you adjust your number down, you will probably want to pay extra attention to your quarantine until you are satisfied you have a number that isn't producing false-positives (i.e. legitimate mail being quarantined as spam)

Ethan G. Marsh 03-17-2008 09:41 AM

Love the new Spam filter
 
I'd just like to say that I love the new spam filter. My quarantine was up to 30+ messages a day under M+ and I had to check it regularly because there were occasional false positives. With the new filter, I get about 1 new quarantined message a day, so far no false positives, and so far only a couple actual spam messages have slipped through. Needless to say, this is a huge improvement. Thank you!

03-17-2008 10:28 AM

Is there any way to tag as spam the messages that do get through the filter? It's sort of a weird learning process if you can't help it learn false negatives as well as false positives.

John D. Muccigrosso 03-17-2008 09:53 PM

Changes
 
I think Mr. Wyman has a point.

Leaving aside the quality of the tagging (I knew we had switched systems when spam started getting through to my inbox the other day)...

I'm someone who likes not to have what the system thinks is spam deleted right away, and I don't like to have to check "quarantine" either, since I use my own email client and not the awful web interface or - worse - the GroupWise client. The new system tags spam with [BULK], which meant I had to go and change my filtering rule so that this tag worked. No big deal, but it was another change to my set up, so I'm sympathetic to those who aren't so e-adept or so eager to fiddle with the settings every few months. (Why on earth it uses BULK instead of SPAM is a mystery to me.)

On the positive side, now that I've set the spam filter to 2, everything seems to work well. Also the whitelist is better because it actually seems to work on the "from:" address (though I haven't had much chance to see this in action).

John D. Muccigrosso 03-17-2008 09:53 PM

Quote:

Originally Posted by Jennifer A. Fox
Is there any way to tag as spam the messages that do get through the filter? It's sort of a weird learning process if you can't help it learn false negatives as well as false positives.

Yes!

Since I've also got the quarantine off, it would be good to be able to teach it with some other mechanism.

03-18-2008 10:14 AM

I keep lowering and lowering my spam scoring numbers, and more and more spam is being delivered to my inbox.

Could someone post a description (in English!) of what "tag," "quarantine," and "block" do and how their scales run, so I can understand how to change my settings? The "spam scoring" preferences box is completely bewildering, at the top it says the scale runs from 0=not spam to 9=definintely spam, but then the sliders below, which are the only numbers in the box, seem to run from 1=definitely spam to 10=not spam. The info at the help button doesn't help unless you already understand these scales.

15 spams in my inbox this morning, and 2 more arrived in the 2 minutes it took me to type this posting! I'm not sure I agree with Axel's premise that a lot of false negatives are better than a single false positive.

Mike Richichi 03-18-2008 11:43 AM

Basically, "Tag" , "Quarantine", and "Block" refer to how the firewall deals with spam.

"Tag" adds a [bulk] string to the subject line, which an email client can use for filtering decisions. That's how John is choosing to filter his email.

"Quarantine" places the messages in the spam.drew.edu quarantine, and generates the nightly messages, and allows you to release and whitelist individual addresses. This is the functionality that is most like the M+ Guardian was.

"Block" means don't let the user see the message at all--it simply goes away. Obviously, this is the most risky in terms of losing false positives.

The numbers from 1-10 are the score that the Barracuda assigns every message based on the tests it uses to determine spam. 0 is "definitely not spam" and 10 is "definitely spam". You can see these scores by looking at the message source in Groupwise (or "message headers" or "original message" in other clients--basically, the full text of the email as sent). It's in the X-Barracuda-Spam-Score: header.

Looking at that, I've currently set my quarantine level to 0.55--I've gotten some legitimate spam that scores at 0.5 (which seems odd to me and I think we'll learn some more about it, but part of it is that the Barracuda does less content analysis and more reputation analysis of senders, IP addresses, web forms, etc.). I get some bulk mail from legitimate senders that scores around 1.5-2, but those tended to get quarantined by M+ Guardian, and certainly most of them are things that I don't need to read. I'd suggest going down that low if you are of a mind that a few false positives are less of an issue than getting spam in your mailbox. If spam comes through, look at its score and adjust accordingly.

In terms of the training issue, there are some plugins available to classify messages as "spam" and "not spam" but they're not officially available for our supported clients, and the protocol isn't documented so we can't do our own. That would probably work well, but it takes 200 messages to train the database (for each user). Of course, you can give it legitimate messages and spam so it learns the difference. We're continuing to investigate that. For what it's worth, you can also email spam (make sure you "forward as attachment" so headers are preserved) to spam@barracudanetworks.com, and they use that data to improve their algorithms and rules. It may not have an immediate effect but it should help in the long term.

John D. Muccigrosso 03-18-2008 06:39 PM

0-10?
 
Like Mike I've got my spam slider set pretty low (2 now, IIRC), and have gotten very few false negatives so far, mainly a couple of lists I subscribe to.

Doesn't this suggest that the Barracuda scale is really pretty poorly calibrated?

I also would like an easier way to whitelist without using Quarantine, but maybe I'll move over to that. Is it possible to view the quarantine from a plain old imap client?

Is the Bayesian filter one of those plug-ins that isn't activated (yet)?

03-19-2008 09:57 AM

More Spam Than Ever
 
With the last program we were using, much fewer spam emails got through than now. I constantly am getting emails about people wanting to deposit money in my bank account, women who want to hook up with men, working from home and getting paid.
I hate this, I wish we had stuck with the old one. I just thank god I wont be using the Drew mailing system much longer.

Scott Wood 03-19-2008 02:22 PM

I see that you've changed your settings, so you can expect to receive a lot less spam now.

I've noticed a few instances where people chose settings that will probably result in either additional spam in their Inbox or legitimate mail being discarded. Just to review:

There are three settings people can change: Tag, Quarantine and Block Most people will only want to change the Quarantine setting. If you are receiving too much spam, you can experiment with lowering the quarantine number. As you lower the quarantine number, you increase the chances that a legitimate incoming email message will end up in your quarantine. You will probably want to review your quarantine more frequently after making changes and perhaps whitelist legitimate messages that are being caught.

By default, we've set Block and Tag levels to 10 (disabled). If you choose to lower your Block number, it is not advisable to go much lower than 7. We've seen legitimate email score as high as 3 and I think in some circumstances might score higher. It's best to just quarantine these messages instead of Blocking them. If you end up with more messages in your quarantine than is manageable *and* you aren't seeing legitimate email messages in your quarantine, you may want to consider lowering your Block level, but we recommend being very conservative about making changes to the Block number.

Some people prefer use the Tag option. This adds [BULK] to the subject of any message that scores higher than your tag level. You can create a GroupWise rule to test for the presence of [BULK] in the subject of a message and move it to a designated SPAM folder. This allows you to quickly see suspected spam by viewing an email folder instead going to the web interface ( https://spam.drew.edu) or waiting for your daily quarantine report.

Hopefully this clears up any confusion about changing spam levels, but feel free to post followup questions here or to contact the CNS Helpdesk at x3205

John D. Muccigrosso 03-26-2008 09:13 PM

New quarantine
 
OK, so now quarantine seems to be activated on my account, even though I've set the quarantine slider to 10.

Oddly, the account name isn't mine...or not the simple version of mine anyway. It's actually:

user=jmuccigr.emppo1.drewdom@drew.edu

Jonathan B. Reams 03-26-2008 09:43 PM

Quote:

Originally Posted by John D. Muccigrosso
OK, so now quarantine seems to be activated on my account, even though I've set the quarantine slider to 10.

Oddly, the account name isn't mine...or not the simple version of mine anyway. It's actually:

user=jmuccigr.emppo1.drewdom@drew.edu


Actually that IS your account name. If you look closely you'll see your name, followed by the post office you're on, followed by the drew domain name. Think of it as a mailing address; if I sent you a post card at "John D. Mucciogrosso - Drew", I would not only get the post card back, but probably a snarky note from the post office asking why I presumed that they would know who and where you were from just "Drew". Fortunately, the GWIA is smart enough to be able to translate the internal addresses of user.post office.domain@internet domain into something the rest of the world can use and remember. This is pretty common on corporate email systems.

E. Axel Larsson 03-26-2008 10:59 PM

Yes, but that doesn't explain how an email message came in to the system using the fully-quallified name. Someone or somethng would have had to have known about that address...

Have you received any mail addressed to jmuccigr.emppo1.drewdom@drew.edu before?

John D. Muccigrosso 03-27-2008 11:01 PM

Quote:

Originally Posted by Jonathan B. Reams
Actually that IS your account name. If you look closely you'll see your name, followed by the post office you're on, followed by the drew domain name. Think of it as a mailing address; if I sent you a post card at "John D. Mucciogrosso - Drew", I would not only get the post card back, but probably a snarky note from the post office asking why I presumed that they would know who and where you were from just "Drew". Fortunately, the GWIA is smart enough to be able to translate the internal addresses of user.post office.domain@internet domain into something the rest of the world can use and remember. This is pretty common on corporate email systems.

I know the difference, but in actual fact jmuccigr@drew.edu is my email address, and the other is just internal routing. Time was jmuccigr@Drew.edu pointed to this crazy "daniel" machine, now it points elsewhere, yet my email address by any reasonable definition has ever been the same (ok, ever in this case is 10 years).

John D. Muccigrosso 03-27-2008 11:04 PM

Quote:

Originally Posted by E. Axel Larsson
Yes, but that doesn't explain how an email message came in to the system using the fully-quallified name. Someone or somethng would have had to have known about that address...

Have you received any mail addressed to jmuccigr.emppo1.drewdom@drew.edu before?

I don't think so, but if it was delivered to my inbox along with the other mail I would likely not have noticed.

More important to me is why this other address is being treated as a valid alternative address by the system. When I log in, it's as jmuccigr, so it seems to know who the person is to whom this address is assigned.

A bug, I'd say.

E. Axel Larsson 03-27-2008 11:40 PM

Quote:

Originally Posted by John D. Muccigrosso
I don't think so, but if it was delivered to my inbox along with the other mail I would likely not have noticed.

More important to me is why this other address is being treated as a valid alternative address by the system. When I log in, it's as jmuccigr, so it seems to know who the person is to whom this address is assigned.

A bug, I'd say.

GroupWise knows that jmuccigr is a shortend version of jmuccigr.EmpPO1.DrewDOM. The Barracuda has no idea that is an alias. It knows nothing about GroupWise. It's just a gateway and will create a quarantine box for any valid address that GW accepts.

It's not a bug at all, since it's a valid GroupWise address. The question then is how'd that address get out there and be used outside of Drew. That's a question I can't answer without knowing more about the message that was captured into quarantine.

Ginny Palmieri 03-29-2008 10:47 AM

Logged out at random
 
Does anyone know why Barracuda repeatedly bounces folks out of a session, stating Invalid Username or Password. The usernames and passwords are correct - leaving them filled in as they are and just clicking on the Login button will successfully log one back into the session, but as soon as the person tries to execute an action, they're bounced out to the same error screen again. This may happen repeatedly and then spontaneously stop, may not happen at all through several successful actions, or may occur so persistently that the user gives up.

Anyone know why or how to make it go away?

John D. Muccigrosso 03-29-2008 12:50 PM

OK, so since I deleted the quarantine message, how do I get back there?

E. Axel Larsson 03-29-2008 04:38 PM

Quote:

Originally Posted by Ginny Palmieri
Does anyone know why Barracuda repeatedly bounces folks out of a session, stating Invalid Username or Password. The usernames and passwords are correct - leaving them filled in as they are and just clicking on the Login button will successfully log one back into the session, but as soon as the person tries to execute an action, they're bounced out to the same error screen again. This may happen repeatedly and then spontaneously stop, may not happen at all through several successful actions, or may occur so persistently that the user gives up.

Anyone know why or how to make it go away?

I have not seen this issue before. How are you logging into the Barracuda? Logging in to iChain by going to https://spam.drew.edu/ in your browser or using the "tab" in WebAccess? or clicking a link in a Quarantine report?

Ginny Palmieri 03-29-2008 09:41 PM

Quote:

Originally Posted by E. Axel Larsson
I have not seen this issue before. How are you logging into the Barracuda? Logging in to iChain by going to https://spam.drew.edu/ in your browser or using the "tab" in WebAccess? or clicking a link in a Quarantine report?


Really? It's been happening to a number of users in the library, too. I'm logging in to iChain by going to https://spam.drew.edu. I rarely use WebAccess, and haven't used it at all to access Barracuda.

E. Axel Larsson 03-30-2008 12:36 AM

Quote:

Originally Posted by Ginny Palmieri
Really? It's been happening to a number of users in the library, too. I'm logging in to iChain by going to https://spam.drew.edu. I rarely use WebAccess, and haven't used it at all to access Barracuda.

I thought I had an idea what might be causing it (and a possible solution), but if your description of how you are logging in is accurate, that just contradicted it unfortunately.

Are you certain the behavior is occuring when you go to https://spam.drew.edu/ and log in yourself at the Drew-branded uLogin screen? As opposed to clicking on the link in the Quarantine report in your email and being logged in to Barracuda automatically? (thus bypassing the iChain login)

E. Axel Larsson 03-30-2008 01:10 AM

Quote:

Originally Posted by E. Axel Larsson
I thought I had an idea what might be causing it (and a possible solution), but if your description of how you are logging in is accurate, that just contradicted it unfortunately.

Are you certain the behavior is occuring when you go to https://spam.drew.edu/ and log in yourself at the Drew-branded uLogin screen? As opposed to clicking on the link in the Quarantine report in your email and being logged in to Barracuda automatically? (thus bypassing the iChain login)

Also going to https://spam.drew.edu/cgi-bin/index.cgi (or more to the point, bookmarking that URL), would be another way to do it. That would give you Barracuda's own login form and bypass the iChain login.

They key thing I need to know is if you have an active iChain session at the time you are seeing the problem, or are you only seeing the issue when you are not logged into iChain.

If the latter is what is happening, I may have an idea what is causing it and a possible solution...

E. Axel Larsson 03-30-2008 04:18 AM

Quote:

Originally Posted by Ginny Palmieri
Does anyone know why Barracuda repeatedly bounces folks out of a session, stating Invalid Username or Password. The usernames and passwords are correct - leaving them filled in as they are and just clicking on the Login button will successfully log one back into the session, but as soon as the person tries to execute an action, they're bounced out to the same error screen again. This may happen repeatedly and then spontaneously stop, may not happen at all through several successful actions, or may occur so persistently that the user gives up.

Anyone know why or how to make it go away?

Through some reconfiguration of our web load-balancer, this issue may now be solved. Let us know if this is still an issue.

E. Axel Larsson 03-30-2008 05:43 AM

Quote:

Originally Posted by John D. Muccigrosso
OK, so since I deleted the quarantine message, how do I get back there?

If you go directly to https://spam.drew.edu/cgi-bin/ you should see a Barracuda login form instead of a Drew uLogin form and iChain won't try to log you in automatically if you are already logged in to another iChain site.

From there, you can enter the fully-quallifed jmuccigr.EmpPO1.DrewDOM address and your existing uLogin password. Barracuda just passes those to GW for validation, and GW is smart enough to know that address is the same and it should let you in with your uLogin password.

Ginny Palmieri 03-30-2008 10:32 PM

Quote:

Originally Posted by E. Axel Larsson
Through some reconfiguration of our web load-balancer, this issue may now be solved. Let us know if this is still an issue.

It already seems much more stable than it was. I'll keep a careful eye out for the behavior over the next couple of days. Thanks.

04-25-2008 03:29 PM

Drew emergency alert spam blocked
 
The email sent as part of Drew's emergency response test yesterday landed in my spam pile with a spam score of 1.14. This is quite a bit higher than emails that slipped through, like the much appreciated offer I received to credit my ATM card with $1.8 million (spam score =0.00) or the less attractive offers in Russian for business center workshops (spam score=0.60) and a fresh personal envoy (spam score = 0.38).

I don't have the messages in my trash anymore so don't know what the spam score was, but automated emails from the library generated by online interlibrary loan requests were also flagged as spam.

I do have my filter set at the very low threshold of 1, and realize these Drew messages aren't really coming from within the system. But thought I'd let the powers-that-be know that the emergency notifications, at least, may be less effective than they might be, in case there's anything you can do to fix it (other than making me set my spam threshold higher).

E. Axel Larsson 04-25-2008 04:11 PM

Quote:

Originally Posted by Jennifer A. Fox
The email sent as part of Drew's emergency response test yesterday landed in my spam pile with a spam score of 1.14. This is quite a bit higher than emails that slipped through, like the much appreciated offer I received to credit my ATM card with $1.8 million (spam score =0.00) or the less attractive offers in Russian for business center workshops (spam score=0.60) and a fresh personal envoy (spam score = 0.38).

I don't have the messages in my trash anymore so don't know what the spam score was, but automated emails from the library generated by online interlibrary loan requests were also flagged as spam.

I do have my filter set at the very low threshold of 1, and realize these Drew messages aren't really coming from within the system. But thought I'd let the powers-that-be know that the emergency notifications, at least, may be less effective than they might be, in case there's anything you can do to fix it (other than making me set my spam threshold higher).

Thanks for letting us know.

We can add the servers for those outside services to the spam filter's global whitelist. The NTI Connect-ED system for emergency notification should have already been on there, so there is a possibility that the company is now sending those messages from a different set of servers and didn't tell us (perhaps when they were acquired by Blackboard...)

We will look into updating the whitelist addresses for Connect-ED and also see if we can find out where the Interlibrary Loan messages come from and add those as well.

05-14-2008 07:16 PM

time stamp
 
When messages get rescued from the spam filter, they're time stamped according to when the rescue happened rather than when the message was sent. This sets up some issues with correct dates on messages, not to mention bizarre ordering of messages, for example when there are multiple recipients on a message that gets blocked, a reply from another recipient comes in, and then later the original released from spam block. Mail services like yahoo put messages taken out of spam folders back into the inbox with the original time stamp. Any chance Groupwise/Barracuds can do the same?

Scott Wood 05-15-2008 06:14 PM

The Date: header on a message released from the Barracuda quarantine has the correct date, but GroupWise displays the received date, which is the date and time that GroupWise received the message.

You can have GroupWise show the Created date and this will correspond to the Date: header on the message. To add the Created date, right click on one of the column headings (ie From, Subject, Date, etc), left click on "more columns" and then add Created from Available columns to Selected Columns.

In most cases, the Created date will be the same or perhaps a minute earlier than the received date, but in the case where a message was released from quarantine, the Created date will show the date that the Barracuda received the message and the Date will show the date that GroupWise received the message.

If you display your Mailbox folder sorted by Created date, I think you'll see things in the order you are looking for.


All times are GMT -4. The time now is 04:31 PM.

Powered by vBulletin® Version 3.5.7
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.

Drew University is not responsible for the content of posts made on this site. All posts and comments reflect the opinion of the author.