Vous êtes iciUNIL > Centre informatique > Documentation > Exchange > English > Mailcleaner

MailCleaner: the anti-virus and anti-spam filter

What is MailCleaner?

Mailcleaner is a product developed by Fastnet through which all e-mails destined to a UNIL e-mail address go. Each message is analysed in order to determine if it contains a virus, presents a potential security threat or should be considered as spam.

If the analysis sends a positive result the message is transformed and its title is changed so that the addressee can choose to classify or easily erase it (by using an automatic filter, for instance). MailCleaner can also be configured so that messages suspected to be spam are quarantined, therefore not corrupting the visual space of your personal mailbox.

The Mailcleaner filter adds a supplement of 1 to 3 minutes when it redirects the message. This does not reflect the real amount of time used by that process; it is rather the consequence of a technical choice in the system’s architecture, which allows it to deal with temporary jams.

How does the anti-virus work?

When a message arrives in the user’s inbox, the anti-virus analyses it following three steps:

  1. The attached documents’ names are analysed. If the file extension indicates a potentially dangerous item (such as .exe, .com, etc.), the message is deleted and replaced by a note informing the addressee of the suppression. Files presenting two extensions (such as .exe.doc, for example) are also sent to trash and not delivered with the message.
  2. The system analyses the attached files themselves to establish whether they contain a virus. If they do, the infected documents are erased from the message.
  3. MailCleaner analyses the content of the message’s body to ensure that there is no other threat in the e-mail (for example, HTML code exploiting a security flaw).

If one of the tests is positive the system cleans the message, indicates the cleaning of the message by adding a note in the message’s body and adds the mention {virus?} in the message’s subject.

How does the anti-spam filter work?

After being checked by the anti-virus filter, the message is then sent to the anti-spam filter, where it undergoes a successive number of heuristic tests to detect sentences or turns of phrase often used by spammers. The system examines, amongst others:

  • capital letters ratio;
  • HTML code ratio;
  • the presence of several internet addresses;
  • the presence of internet addresses from .com, .biz domains;
  • the frequency of certain characteristic words;
  • the sender’s address (mailing list or not).

Every test gives a grade to the message. At the end of it all, the message is ranked as spam if the sum of the grades is superior to a given limit (≥ 5). Lines indicating tests results are added in the message’s header. These lines are recognizable to their “X-MailCleaner” label. If the limit is exceeded, there are three options:

  1. The mention {spam?} is inserted into the message’s subject. This allows each addressee to erase this kind of messages in a more efficient and easier way (by using an automatic filter, for example).
  2. MailCleaner keeps the spam message in the addressee’s quarantine; the latter can access the quarantine and then release it if the message turns out not to be spam.
  3. The system immediately sends to trash whatever it considers as spam.

The configuration set up for MailCleaner at UNIL has the second option by default; this can be changed in the web interface available at https://mailc.unil.ch.

Quarantaine

Instead of receiving in one’s own mailbox each message considered as spam, it is possible to set the system up so that it keeps them in quarantine. In this case, only a quarantine report is sent to the user. Messages are kept in quarantine for 30 days and then erased. This practice is strongly recommended.

Quarantined messages can be accessed at any moment but also transferred out of quarantine through the web interface available at https://mailc.unil.ch. This page is accessible through the UNIL network or via crypto.unil.ch when outside campus. The user has to provide their own UNIL credentials (that is, the same as for the webmail) in order to access the interface. In the list of quarantined messages, the  button allows to “force a message,” that is, request Mailcleaner to move the message to the inbox. It is also possible to request the analysis of a message filtered by mistake  or to simply browse through the reasons the message was filtered .

Is the anti-spam filter infallible?

If the tests run by the anti-spam filter were systematically successful, spam would no longer be a problem. In reality, although success rates are high (more than 95%), measures have to be taken to correct the system’s possible mistakes, and this can be done in two different ways:

“False positives”

False positives happen when a rightful message is wrongly labelled as spam. If quarantine is not activated, such a message is to be found in the messaging application, possibly in a folder containing all the other spams. It is therefore important to regularly access the folder where spam messages are automatically moved into, in order to correct the possible false positives. In the same way, if quarantine is activated, the user must keep an eye on the quarantine reports to detect false positives and request their transfer out of the quarantine (see below).

“False negatives”

False negatives happen when a spam message goes through the MailCleaner filter and is sent to your inbox without being labelled as such.

In order to improve MailCleaner, reporting these errors is very helpful and can be done by transferring the messages to the following addresses:

  • false positives must be sent to : error@mailcleaner.net (if the false positive is quarantined, the simple use of the  button will do).
  • false negatives must be sent to: spam@mailcleaner.net

For the analysis of the errors to occur in perfect conditions, the ill-filtered message’s header should be included in the forwarding of the e-mail. Copying and pasting the content of the message as well as forwarding it the standard way could indeed reformat the message and the latter would become of no help to MailCleaner’s analysis team. Attaching the header of a message can be done in these various methods according to your messaging software:

Webmail
When the message is shown, choose “Display: raw” in the upper right part of the screen. A new window will then pop up with the header displayed.

Thunderbird
When the message is shown, go to View -> Header -> Complete, and click the “Forward” button in the toolbox.

AppleMail
When the message is shown, go to Mail -> Preferences -> Viewing, and choose “All” in the “Show header detail” section.
Forward the e-mail and then return to the default settings of header detail.

Outlook Express
Select the message and choose “Forward as Attachment” in the “Message” menu.

Outlook
Open the message. Go to the “Actions” menu, choose “Resend this Message”; click OK on the warning appearing afterwards (indicating that you will not be shown as the apparent sender of the message that is about to be sent) and modify the addressee field To: with the corresponding address.

Recherche:
 dans ce site:
   
   
 Go
 
rss/atom
Amphimax  -  CH-1015 Lausanne  -  Suisse  -  Tél. +41 21 692 22 11  -  Fax +41 21 692 22 05
Swiss University