Email Filters, Spam and Computer Viruses Explained!



CyberXpress has two levels of email filter...
  1. The first stage rejects ("bounces") some viruses and some types of forged or mis-formed emails.  If you were referred to this web page by a mail rejection warning please read the [Bounce Warnings] section below.
  2. The second level of protection depends on the options the customer has taken - with three settings for spam and four for viruses (there is no second-level filter until you ask for it). Mail that gets stopped at the second filter is not lost/returned but held in a special area at the mail server. After some time, usually a week, a summary of the held messages is sent to the customer, who may choose to have some sent on. Otherwise, after a while (more than another week later) they are deleted (with no bounce message to the sender).
If you have a CyberXpress (or chch.planet.org.nz) mail account you can ask to have a mail filter activated for your account for free - all you have to do is ask, and filter options can be changed (some customisation of the filter is free, some incurs a little cost).
* Be aware that the virus filter does not block every virus, but it does spot a surprising number of new viruses that conventional scanners might miss, because it works differently. We assume you will also have a good, up-to-date commercial anti-virus program on your computer. And note that spam filters sometimes hold back genuine mail (or let spam pass)... hence the need to study the automatic summary for good messages.

  [Enabling a filter] [Filter options] [Report options] [What is SPAM?] [What are computer viruses?] [What is forged email?]

To enable a virus filter for your mailbox

  1. Decide if you want us to filter just spam or just email viruses or both (if you don't specify we will do both).
  2. Send an email to filter@cyberxpress.co.nz
    • Set the subject to "Yes Please!"
    • If you have problem mail from just one or two senders, let us know the details.
    • If you just want to filter viruses or just spam, or want any of the other options below, let us know.
    • By default you get a virus+spam filter, with the virus filter "normal" and weekly summaries; this is probably the best to start with unless you are accustomed to getting strange mail that needs very prompt replies.

* Check the first summary well...
  •  Are there any messages being filtered that shouldn't be?  If so let us know (copy lines from the summary report). We can send those held messages and adjust the filter to avoid the mistake in the future.
  • If there is an annoying number of spam messages getting through contact us with the subject lines and dates of them, we may be able to adapt the filter to these.

  • Mail Filter Options
    • If you run a business where it is important not to have good mail misinterpreted as spam or a virus, our system of holding (rather than immediately destroying) suspect mail is good, but you probably need a summary daily rather than weekly. You can ask for a summary other than the default of weekly, but there is a slight cost depending on your requirements (email filter@cyberxpress.co.nz and explain what you want).
    • There are custom filters possible; blocking specific annoying senders is a common request (simply holding them like "spam", but putting them in a separate "other" folder is the default, and free, but automatically sending specific "bounce" messages back is an option that could be appropriate in some cases). If you have special requirements, such as restricting the types of messages that you will allow into your mailbox, or limiting the size, or automatically translating HTML to plain text, please ask us. Not all special mail filters have a cost associated with them, but some do incur a small charge, and you will be advised if that is the case.
    • You can have just spam rejection or just virus rejection (if you ask for a filter you normally get both).
    • Spam rejection currently has four options: none, normal, paranoid (holds anything that smells a bit like spam) and lenient (only blocks messages very likely to be spam)
    • Virus rejection has four levels of detection:
      1. 0: Off (no virus filter other than "level one", as described in the introduction).
      2. 1: Normal (spot many PC viruses in attachments)
      3. 2: Paranoid (don't allow any executable through, don't allow any HTML other than very simple, non-executable content that does not refer to external websites)
      4. 3: Lenient (block only some of the more common viruses and PC executables where the attachment "lies" about its type).
    • Specific addresses of friends, mailing lists, etc. can be specified to pass without going through the filter (take care in case they accidentally send viruses!).
    • Specific sources (or subjects) of annoying mail can be specified to always block.

    * You can specify addresses (or subjects, or any header lines) to always accept or always reject when you ask for the filter to be enabled, or you can email filter@cyberxpress.co.nz to request a change in the filter options.


    Mail summary reports available


    You can request, via email, several types of reports concerning your mail. Most of these reports only apply to customers that have requested a mail filter of some type. The summaries are always mailed back to the normal mailbox. Send mail to the filter@cyberxpress.co.nz address with a suitable subject line chosen from the list below...
    • SEND SUMMARY - send a summary of all mail (filtered or not) recently sent to your mailbox. You can then request any of these messages be re-sent by replying to filter@cyberxpress.co.nz with the subject "RESEND".
    • SEND FILTER SUMMARY - send a list of messages currently held back by the filter since the last weekly summary.
    • SEND ANALYSIS - requests a short analysis of the email messages identified in the body (e.g. using From/Date/Subject lines from a previous summary); where they really came from, are they likely to contain viruses, why were they blocked, etc. This may take some time to process.
    • SEND FULL SUMMARY - sends summary reports of copies of messages that can be re-sent (by category, and a combined list), going as far back as possible, plus the following two summaries, of the mail log and POP activity...
    • SEND MAIL LOG SUMMARY - send a list of mail in and out relating to your mailbox.
    • SEND POP SUMMARY - send a summary of what mail has been "popped" (downloaded to a computer from your mail box) recently.

    * Note: if you don't have a mail filter enabled only the last two reports are possible.

    What is SPAM??


    Email is cheap and easy to use, and it is often just as easy to email 2 million people as 2 people! Unfortunately this makes it easy for people to send many annoying messages, with the idea that even if only 0.1% result in business they will make a fortune, even though millions of people may be upset. Spam has become the popular name for unsolicited (usually commercial) bulk email, a name that dates back to Bulletin Board Systems and an episode of Monty Python's Flying Circus. You can find more information here.

    * Given the pornographic and illegal content of a lot of the spam now, there is good reason to try to get rid of it. Unfortunately there is no 100% certain method of solving the problem. Another risk from spam is the huge number of bogus deals - often Nigerian scams about transferring money to help some widow of an African leader, or plausible advertising that gets you to fill in your credit card details... never trust unsolicited emails from unknown sources. They are out to get you! See: http://www.scamwatch.com/

    Possible anti-spam strategies


    • Keep your email address secret - may work for a while, but eventually spammers will probably find it. And now spammers send to zillions of random email addresses (usually from other people's computers that have been hacked into!)
    • Reply to the senders, asking to be taken off their lists - works well if the sender is a well behaved mailing list operator, otherwise does no good (they probably work from a huge CD-ROM of stolen email addresses) or may simply confirm to them this is a valid email address, so it will be targeted more in the future!
    • Legal action - some law in the USA places hopelessly pathetic restrictions on spam. I wish a good law (backed up with action) would fix the problem, but don't hold your breath. There are people lobbying politicians to say it is their right to force email into people's mailboxes, even if it is a cost to the recipient. Possibly the best attack is to clamp down on email forgery, since most serious spammers lie blatantly about who really is sending the message.
    • E-mail filters - either on your computer (looking for subjects or senders known for spam) or on the ISP's mail server (more efficient, and can be updated efficiently with new filter details). CyberXpress offers a free spam and virus filter for its customers. (See above.)


    What are Computer Viruses??

    Computer viruses are pieces of program designed to sneak into computer systems (now often quickly by email, but it used to be slowly, on diskettes and from bulletin board downloads in the good old days). They then try to copy themselves from there onto other systems. For more information see: http://www.faqs.org/faqs/computer-virus/faq/

    * Some do direct damage to files on your computer, or even send some of your private files off into the Internet! Even if all they do, like the early "stoned" virus, is to display a message and stop your computer, imagine the damage that could do in the context of a hospital computer in some life-support application. The cost of cleaning up the damage of computer viruses all over the world is huge.


    How are viruses transferred through email

    There are three main ways a virus can arrive in an email message:
    1. As an attachment - requiring you to decide to open it (perhaps the text of the message says "here is that photo I promised to send you"); when you open the attachment a program might run (this tends to be specific to MS Windows systems, but in some cases Macintoshes, Linux/Unix and OS/2 could be affected by the contents of the attachment). Note that the attachment could even be a Word document, with Visual Basic virus scripts.
    2. As something (usually an "iframe") referred to in HTML code as your mail reader is displaying the message - this potentially causes the virus code to run even though you haven't said you want to open any attachments! Not all mail readers are susceptible to this trick - if you have Microsoft's (Outlook or Outlook Express) please see their technet website for an update to fix the problem. Further Reading:
      1. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-042.asp
      2. http://techupdate.zdnet.com/techupdate/stories/main/0,14179,5105200,00.html
    3. Active content (Active-X or Java) within an email message (true "plain text" messages cannot have executable code, which is why they are sometimes the only type of message accepted by some people). Again, these don't need the recipient to open an attachment or do anything other than look at the message itself on a system that can be infected!

    What can you do to avoid computer viruses?

    • Only accept "plain text" email messages (by choosing a safe, simple mail reader instead of Microsoft Outlook for example), or possibly specifying to your mail reader (if it has the option) that HTML, etc. will not be accepted, or asking us to enable an email filter that won't pass any HTML or MIME attachments (a moderately severe way to remove risk, since many senders assume their recipients can receive these riskier forms of email). Sticking to plain text (if you can enforce it) stops the second and third methods of infection, and means your computer can only be infected from incoming email if you choose to do something with an attachment.
    • Use conventional commercial virus scanners - they now often check mail as it comes in. By "conventional" I mean they probably look for fragments of known viruses, which means new viruses will get through virus scanners for a while. Everybody using a Microsoft Windows system now really must have a virus scanner that is checking incoming email automatically - and make sure it is kept up to date!
    • Turn off the use of Active-X and Javascript in messages (if your mail reader lets you do this).
    • Don't open attachments from unknown senders (unfortunately this doesn't help much now - viruses may come from your friends' computers without their knowledge, and some viruses don't need you to decide to open an attachment).
    • Get a virus filter enabled on your CyberXpress mailbox!

    Forged Email


    When you receive an email the sender you see listed is simply what the sending program put into the "From:" header line - it need not be the real sender. Some checks are made at some mail servers on how truthful various parts of the mail header information is, but generally the name of the sender is quite easy to forge. If you care a lot about proving the mail is from yourself and nobody else, there are ways of adding electronic signatures that are hard to forge. But most of the trouble with forged mail comes from the fact that computer virus writers, and spammers, love to use it.

    Getting a message from fred@msn.com saying you can save heaps on insurance does not mean fred really sent the mail. Spammers falsify their true identity so they can keep spamming a little longer, but eventually they will be tracked down and lose their Internet account.
    Virus writers now often pick up lists of email addresses from each infected computer and send out new infected messages to all these people, but with a sender address that is not the infected machine's (since the complaints might lead to the virus being found earlier).

    These two factors combine to make a nuisance for system administrators.  People complain about spam or viruses coming from one person, when it didn't, yet we tend to have to go through the logs and prove that the ISP and its customer aren't to blame.

    * But the fact that spammers forge the sender's email address and often the hostname of the sending computer, can actually help spot spam.  Exactly how we do this will have to remain a secret (in case any spammers are watching!). But you can learn a lot about where mail really came from by looking at the "Received: from...by..." lines if you know how to view the full headers for a received message.
    • In Netscape choose "View Source" from the View pull-down menu;
    • in MS Outlook (or Outlook Express) choose "Properties" from the File menu then click on the Details tab.
    • For other programs see http://spamcop.net/fom-serve/cache/19.html .  

    Sample headers from a real spam message:

    In the following example the message claimed to come from a hotmail.com address but really came from an unnamed computer ("unknown" here means there was no official "reverse lookup" for the computer) with the IP address 202.64.208.252 which pretended to be called john000 (not a valid hostname) and might have come from Taiwan (the Return-Path and Message-ID lines mention "pavo.seed.net.tw", but that could also be faked, as could the "Received: from gcn" section that claims the computer before 202.64.208.252 in the path was tpts6.seed.net.tw). We can look up that IP address to see where it was, but that is beyond the scope of this discussion (and usually there is no point trying to complain to whoever looks after that part of the Internet... they have probably gone by the time you react).

    Another characteristic of spam (although also of good mailing lists and "Blind Carbon Copies"): even though it was really sent to Mark.Aitchison@cyberXpress.co.nz, it claimed to be addressed to (non-existent) accounts like "MAIL2001-1.TXT" (the @protov.plain.co.nz was inserted because no email domain was given in the original headers); the real destination never occurs in the To: line or any Cc: line...

    Return-Path: <3WMnBq9Q2Qk2pQ@pavo.seed.net.tw>
    Delivered-To: aitchison@protov.plain.co.nz
    Received: from john000 (unknown [202.64.208.252])
        by protov.plain.co.nz (Postfix) with SMTP id 3285E3C2AC
        for <Mark.Aitchison@cyberXpress.co.nz>; Wed, 11 Sep 2002 08:37:24 +1200 (NZST)
    Received: from gcn
        by tpts6.seed.net.tw with SMTP id cbrEnNCtsNals2I6WIbAOIv;
        Wed, 11 Sep 2002 04:27:05 +0800
    Message-ID: <IIIdaH3ncJR@tpts1.seed.net.tw>
    From: pandaguy@hotmail.com
    To: MAIL2001-1.TXT@protov.plain.co.nz,
        MAIL2001-2.TXT@protov.plain.co.nz, MAIL2001-3.TXT@protov.plain.co.nz
    Subject:NEW TECHNOLOGY - Smart IP Technology (DVR)
    MIME-Version: 1.0
    Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_mnR48JNKuBDkF21TfbNpbeUx8"
    X-Mailer: oXSiwLoGYPsxRvBOKDoyy3r3L
    X-Priority: 3
    X-MSMail-Priority: Normal
    Date: Wed, 11 Sep 2002 08:37:24 +1200 (NZST)
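
The observations made about this sample can be checked mechanically. The Python below is an added example, not part of the original page and not CyberXpress's filter (whose method the page keeps secret); the function names and the four checks are assumptions chosen for illustration, and each note it produces is a hint for a human reader, not a spam verdict.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Headers from the page's sample (some lines trimmed, extraction spaces removed).
SAMPLE = """\
Delivered-To: aitchison@protov.plain.co.nz
Received: from john000 (unknown [202.64.208.252])
    by protov.plain.co.nz (Postfix) with SMTP id 3285E3C2AC
    for <Mark.Aitchison@cyberXpress.co.nz>; Wed, 11 Sep 2002 08:37:24 +1200 (NZST)
Received: from gcn
    by tpts6.seed.net.tw with SMTP id cbrEnNCtsNals2I6WIbAOIv;
    Wed, 11 Sep 2002 04:27:05 +0800
From: pandaguy@hotmail.com
To: MAIL2001-1.TXT@protov.plain.co.nz,
    MAIL2001-2.TXT@protov.plain.co.nz, MAIL2001-3.TXT@protov.plain.co.nz

"""

# Postfix-style line: from HELO (rdns [ip]) by HOST ... for <recipient>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?",
    re.S,
)

def parse_hops(msg):
    """Return the Received hops, newest (top of the message) first."""
    matches = (RECEIVED_RE.search(v) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in matches if m]

def check_headers(raw):
    """Return (top_hop, notes) for a raw message; top_hop is None if unparsable."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    if not hops:
        return None, ["no parsable Received lines"]
    top = hops[0]  # stamped by the receiving server; lower hops can be forged
    notes = []
    if top["rdns"] == "unknown":
        notes.append("no reverse DNS for " + top["ip"])
    if "." not in top["helo"]:
        notes.append("HELO name is not a full hostname: " + top["helo"])
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if not any(from_dom in (h["helo"] + " " + h["by"]).lower() for h in hops):
        notes.append("From domain absent from Received chain: " + from_dom)
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    rcpt = (top["rcpt"] or "").lower()
    if rcpt and rcpt not in listed:
        notes.append("delivery address not in To/Cc: " + rcpt)
    return top, notes

if __name__ == "__main__":
    print("\n".join(check_headers(SAMPLE)[1]))
```

As the page notes, mailing lists and blind carbon copies also leave the real recipient out of To/Cc, and legitimate mail is often relayed by hosts outside the sender's domain, so these notes only say where to look more closely.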



      Bounce Warnings

    If you get a "bounce" message warning that some message cannot be delivered, yet you don't recall sending such a message, it could be because:
    1. Your computer is infected with a virus, and tried sending out a message without your knowledge, but was caught by our mail server (or some other server), or
    2. Somebody else's computer is infected and has sent out an infected message claiming to be from you (viruses tend to forge the sender), so the warning message is incorrectly being sent to you.

    * If you have tried to send an email that looks a lot like a virus (or have tried to send from a location that is known for spam or is not a valid location for sending mail with the domain name given), yet cannot see what the problem is, you may need to email the filter administrator, filter@cyberxpress.co.nz, or phone us at (064) 3 364-5888.


    If you have any further questions email: filter@cyberxpress.co.nz