
Protection from spam and malicious messages

With the increasing number and efficacy of malicious e-mail messages, IMS has implemented several filters to protect you and the institution from spam, viruses, phishing messages, and other forms of malicious e-mail. This page describes those filters and what you will experience when a filter is triggered.

NOTE: On July 1, 2015, we changed how malicious and other suspicious messages are tagged in your inbox. To take up less room on the subject line and to make messages easier to read on mobile devices, most of the tags were shortened and others were reworded to be, hopefully, more insightful. Details of the changes are described in the topics below.

SPAM FILTERING

The HSC employs one of the industry's best spam filters, but it is important to keep in mind that no spam filter is perfect and some junk messages will get through to your inbox. Typically, our spam filter detects about 92% of all incoming mail as spam and discards it.

How it works
Our spam filter uses a two-layer approach. First, the source of the incoming connection is checked against a database of known mail servers around the world. Each server is scored continuously on the amount of known spam, relative volume, and other traits that help to identify it as a spam source; this is known as the server’s "reputation score." We have set thresholds on our servers for which scores we will block and which we will accept. If a sending server is somewhere in the "gray area", we limit it to 10 messages per hour; this generally allows legitimate messages through but blocks large bursts of spam from recently compromised servers. About 90% of all inbound e-mail traffic is blocked via reputation scoring.

Messages that make it through the reputation filter are then analyzed by anti-spam software, which examines the content of each message for known spam signatures. Like reputation scoring, the anti-spam software calculates a score, and we have set thresholds for messages that will be dropped and those that will be accepted. On average, about 20% of the messages that make it past the reputation filter are subsequently dropped by the spam filter. If a message falls into the "gray area", we deliver the message to the intended recipient with the subject line prepended with "[SPAM]". Prior to July 1, 2015, this possible spam was tagged with "[SUSPECTED SPAM]".

Marketing messages
One problem with spam filtering is discerning between true unsolicited messages (spam) and messages that are "spam-like" but may be of value to the recipient, such as newsletters, purchase confirmations, listservs, and promotional messages that the recipient has either subscribed to or is receiving as a result of doing business with a company. These types of bulk messages are not considered true spam because they are often wanted by the recipient; therefore, we do not universally block them or flag them as "spam". However, the filter will generally recognize these and deliver them with the subject line prepended with "[BULK]". Prior to July 1, 2015, this type of bulk e-mail was tagged as "[SUSPECTED MARKETING]". You can use this subject tag to create a filter or rule in your Inbox to handle these messages as you see fit.

 
ANTI-VIRUS SCANNING

Our central e-mail servers scan the attachments of all incoming messages for known viruses and other malicious software (malware) using one of the most reputable anti-malware scanners. If malware is found, the attachment is stripped and replaced with a text file that contains information about the attachment and virus, generally either "ATT00001.txt" or "Removed Attachment.txt". In addition, the subject line of the message is prepended with "[VIRUS REMOVED]". The message is safe to open, and if you know the sender, you should contact them to alert them that their computer may be infected.

Unscannable attachments
Sometimes an attachment cannot be scanned because of its size or because it is password-protected or encrypted. In those cases, we deliver the e-mail message and its attachments intact, but we attach the entire message to a warning message (“wrapper”) that alerts the recipient that the attachment could not be scanned and may be malicious. In addition, the subject line will be prepended with "[WARNING: MESSAGE A/V UNSCANNABLE]". If you receive one of these messages, you should carefully evaluate the sender and the subject of the message, which are listed in the “wrapper” as shown below, to determine if the message is safe to open:
[Image: the warning "wrapper" message]
If you recognize the sender and were expecting the attachment, double-click the attachment entitled "OrignialMessage.txt"; this will contain the original message in its entirety, including the attachments:
[Image: the original message with its attachments]
You should then evaluate the message and attachment again to ensure they look legitimate; if in doubt, delete the message or forward the message to the IMS Service Desk for further evaluation at spam@uthscsa.edu. Otherwise, you can open the attachment as you normally would, although we recommend saving it to your computer or a file server first so that it will be scanned again by your computer’s antivirus software as an extra layer of protection.

 
MALICIOUS MESSAGES (Phishing, scams, etc.)

Messages that pass the spam and virus scanning are further scanned for suspicious content that does not yet have a known virus or spam signature. These messages can include phishing messages and scams, new viruses, or links to websites with malicious content (malware). This feature provides enhanced protection against new and evolving e-mail threats above and beyond our existing spam and virus scanning.

How it works
This feature uses heuristics or artificial intelligence to look for suspicious traits within messages. When a suspicious message is detected, it is quarantined for a brief period of time (typically less than four hours) so that the message can be rescanned periodically using updated spam and virus signatures. After the quarantine period expires, the message is released to the recipient, but the subject is prepended with “[SUSPICIOUS]” and any URLs (links) in the message are modified to redirect through a web-based scanning service where the contents of the suspect web page are analyzed. Prior to July 1, 2015, this questionable message was tagged with "[SUSPICIOUS MESSAGE]". While the page is being scanned, you will see this message:
[Image: the message shown while the page is being scanned]
This scan typically only takes a few seconds. If the web page is malicious, it will be blocked and you will receive this message:
[Image: the message shown when a page is blocked]
If the page is determined to likely not be malicious, you will be shown a copy of the page with an overlaid option either to continue to the site or not:
[Image: copy of the page with the continue / do not continue option]
Because the analysis and initial presentation of the page is done on a protected server and not done on your computer or device, it protects you from any potential malicious activity while you determine the legitimacy of the site. If you’re unsure as to the safety of the site, you should err on the side of caution and opt not to trust it.

Note: The web address of the protected server begins with https://secure-web.cisco.com; this is the address you will see in your browser’s address bar while the site is analyzed.

This is a web-based product and should work on all types of computers and devices.
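
The subject tags and link rewriting described on this page can be checked mechanically when triaging a mailbox export. The following is an added example, not part of the original page or of any IMS tooling: it maps the current and pre-July-1-2015 tags to a category and, for a message tagged suspicious, lists links that do not go through the protected server. The category names, the function names, the handling of stacked tags and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subject tags listed on this page; "legacy" marks the pre-July-1-2015 wording.
TAG_CATEGORY = {
    "[SPAM]": "possible-spam",
    "[SUSPECTED SPAM]": "possible-spam",        # legacy
    "[BULK]": "bulk",
    "[SUSPECTED MARKETING]": "bulk",            # legacy
    "[VIRUS REMOVED]": "attachment-stripped",
    "[WARNING: MESSAGE A/V UNSCANNABLE]": "unscannable",
    "[SUSPICIOUS]": "suspicious",
    "[SUSPICIOUS MESSAGE]": "suspicious",       # legacy
}
SCAN_HOST = "secure-web.cisco.com"   # protected-server address given on this page
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def gateway_tags(subject):
    """Return (categories, remaining subject) for tags at the start of a subject.
    Only leading tags count, because the gateway prepends them."""
    found, rest = [], subject.lstrip()
    while True:
        tag = next((t for t in TAG_CATEGORY if rest[:len(t)].upper() == t), None)
        if tag is None:
            return found, rest
        found.append(TAG_CATEGORY[tag])
        rest = rest[len(tag):].lstrip()

def unrewritten_links(raw_message):
    """For a message tagged suspicious, list links that do not go through SCAN_HOST."""
    msg = message_from_string(raw_message)
    categories, _ = gateway_tags(msg.get("Subject", ""))
    if "suspicious" not in categories:
        return []
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_maintype() == "text")
    return [u for u in URL_RE.findall(body)
            if urlsplit(u).scheme != "https" or urlsplit(u).hostname != SCAN_HOST]

# Constructed sample (not a real message); the rewritten-link path is a placeholder.
SAMPLE = """\
From: billing@example.com
Subject: [SUSPICIOUS] Invoice overdue

Pay: https://secure-web.cisco.com/PLACEHOLDER/http%3A%2F%2Fexample.test%2Fpay
Mirror: http://example.test/pay
"""

if __name__ == "__main__":
    print(gateway_tags("[SUSPECTED SPAM] Cheap watches"))
    print(unrewritten_links(SAMPLE))
```

A tag at the start of a subject can also be typed by a sender, so the result is a triage hint and not proof that the gateway applied the tag.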

 
OUTLOOK JUNK FILTER

The filtering described above takes place on UTHSCSA's central e-mail gateways. Outlook also has its own built-in junk mail filter: once messages reach your mailbox, Outlook performs its own spam filtering based on filters from Microsoft as well as any mailbox rules you've configured. Messages that are identified as spam via this filtering are typically put into the "Junk E-mail" folder. You should check this folder periodically for any legitimate messages that may have been misdiagnosed. With a couple of exceptions, this filtering is not centrally managed; more information on using this filter is available on Microsoft’s website at http://office.microsoft.com/en-us/outlook-help/overview-of-the-junk-email-filter-HP010355048.aspx.

 

If you have any questions or need further assistance, please contact the IMS Service Desk at (210) 567-7777 or ims-servicedesk@uthscsa.edu.