SPAM Policy

Protecting BAS from Malicious and Unsolicited Email

Malicious and Unsolicited Email

In practice, there are two distinct classes of message which we have to deal with and, while the average email user probably just regards both as a nuisance, each has quite distinct characteristics affecting how they are treated –

Viruses are almost exclusively a problem of Microsoft operating systems. These days the most important mechanism by which they spread is in email attachments. They can be very dangerous and can destroy large amounts of data in seconds. The good news is that we have software available which can scan files very rapidly and detect viruses with a very high degree of certainty. There are very few arguments about whether a file has a virus in it. The only real problem is a new virus which has not yet been identified by the suppliers of the virus-scanning software.

SPAM is unsolicited email. It is not dangerous in the sense that viruses are. However, dealing with it can be a major waste of time: something like 30% of the messages coming in to BAS are believed to be SPAM. Much of it involves dubious financial scams. A small fraction is pornographic, some of it very nasty. Another development is the emergence of apparently respectable businesses selling electronic marketing techniques. These people own lists of email addresses and will send a mailshot to their lists for a fee. A problem for a service like the one described here is that there is not always agreement on the definition of SPAM. What one person regards as unsolicited commercial email, another will regard as a newsletter which he must read to stay informed. This makes blocking of probable SPAM messages somewhat contentious.

Blocked Emails

We simply do not accept any messages coming from certain email servers. The sender of the message will see a short diagnostic message (if the sending email server waits long enough to receive it; frequently these senders drop the session as soon as it is clear that our relay is not going to accept their message). The intended recipient sees nothing.

These email servers are

  • not in the DNS (the Internet naming system). There is definitely something dubious about an Internet email server which is not in the DNS and can only be identified by an IP number. This amounts to 1.8% of messages coming in to BAS.
  • on our (BAS) Blacklist. This is a list of email domains which people have complained to me about (currently there are around 100 entries in it). Most of these were because of really objectionable messages. A few are the electronic marketing companies mentioned above. In total, this amounts to 0.6% of messages, a small fraction, but remember much of this is seriously nasty pornography. The electronic marketing entries are perhaps more contentious, but the feedback which I get is invariably that users do not want to have their time wasted by this kind of material.

Viruses

If the virus-scanning software finds something, a short message is added to the email indicating the action taken –

WARNING: This e-mail has been altered.
Following this paragraph are indications of the actual changes made.
For more information about BAS’s MIMEDefang policy, see

For further help please contact :
British Antarctic Survey ITS Help Desk <helpdesk@nerc-bas.ac.uk>.
A known virus was discovered and deleted. Virus-scanner messages follow:
>>> Virus ‘EICAR-AV-Test’ found in file Work/msg-11600-4.zip/eicar.zip/eicar.com

Attachment File Name Checking

This is a defence against “social engineering attacks”, in which the attacker attempts to persuade the local user to execute an attachment by concealing its true nature. This is really only a problem on Microsoft operating systems, which have a history of being shipped with very permissive security settings allowing all sorts of macros to be executed if the user clicks on their icon. A well-known example of this sort of thing is a file name with a long string of blanks in the middle of it, so that the file type is not seen. In fact, the great majority of attachments picked up by this check are .PIF files; there is no good reason why anyone should send such a file in an email.

When a suspicious file name is detected, the offending attachment is renamed and a short message is added to the mail –

WARNING: This e-mail has been altered.
Following this paragraph are indications of the actual changes made.
For more information about BAS’s MIMEDefang policy, see

For further help please contact :
British Antarctic Survey ITS Help Desk <helpdesk@nerc-bas.ac.uk>.
An attachment named ‘message.exe’ was converted to ‘defang-1.binary’.
To recover the file, right-click on the attachment and Save As ‘message.exe’
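As an added illustration (not BAS's MIMEDefang filter), the following Python implements the kind of check described above: it flags names that hide the extension behind a run of blanks or that carry an executable extension such as .PIF, and renames each offender to defang-N.binary as in the message shown. The extension list and the three-blank threshold are assumptions.

```python
import re

# Extensions treated as having no legitimate reason to arrive by email.
# This set is an assumption for the example, not BAS's actual configuration.
DANGEROUS_EXTENSIONS = {".pif", ".exe", ".scr", ".bat", ".com", ".vbs"}


def is_suspicious_name(filename: str) -> bool:
    """True if the attachment name uses one of the concealment tricks
    described in the policy or carries an executable extension."""
    lowered = filename.lower()
    # Trick 1: a long run of blanks pushes the real extension out of view,
    # e.g. "holiday.jpg                    .pif" (threshold of 3 is assumed)
    if re.search(r" {3,}", lowered):
        return True
    # Trick 2: a dangerous extension, possibly behind a harmless-looking one
    # such as "invoice.pdf.exe"; only the final extension decides
    ext = lowered[lowered.rfind("."):] if "." in lowered else ""
    return ext in DANGEROUS_EXTENSIONS


def defang_name(counter: int) -> str:
    """Replacement name in the form the policy's example shows
    ('message.exe' -> 'defang-1.binary')."""
    return f"defang-{counter}.binary"


def process_attachments(names):
    """Walk a message's attachment names, renaming suspicious ones and
    collecting the warning lines to add to the mail.
    Returns (new_names, notes)."""
    counter = 0
    new_names, notes = [], []
    for name in names:
        if is_suspicious_name(name):
            counter += 1
            new = defang_name(counter)
            new_names.append(new)
            notes.append(f"An attachment named '{name}' was converted to '{new}'.")
        else:
            new_names.append(name)
    return new_names, notes
```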

SPAM (unsolicited email)

Because of possible arguments (mentioned above) on what is unsolicited email as opposed to a newsletter, we have adopted a much more cautious approach here than with viruses. In general, we only flag messages as probable SPAM by adding the string {SPAM?} to the beginning of the Subject. End-users can then set up their email software (eg Groupwise) to save flagged messages in a SPAM folder (where they can be checked at a later time or, if they prefer, discarded). The point is that the end-users have the option.

The main tool which we use to identify SPAM messages is a package called SpamAssassin. This uses a wide range of heuristic tests on both the headers and the body of the message. For details of these, look at SpamAssassin. This is not just a list of naughty words; it is much more sophisticated than that. SPAM messages often have a characteristic style and attempt to fool you into replying by means of disclaimer paragraphs and similar tricks. SpamAssassin attempts to spot these.

If the total score after running all the tests is above a threshold, the message is considered as probable SPAM and the flag string is added to the Subject.
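The scoring and flagging described above, as an added example in Python (not SpamAssassin's own code or rules): a few constructed heuristic tests each contribute a score, the total is compared with a threshold, and the Subject is prefixed with {SPAM?} only when the threshold is reached. The threshold value, the tests, their scores and the two sample messages are all assumptions.

```python
import email
from email import policy

SPAM_THRESHOLD = 5.0   # assumed value; the policy does not state BAS's threshold
FLAG = "{SPAM?}"

# Constructed sample messages used as input (not real mail).
SPAM_SAMPLE = b"""From: offers@example.invalid
Subject: MAKE MONEY FAST
Content-Type: text/plain

This is not spam. This message is sent in compliance with all regulations.
To unsubscribe, reply to this message.
"""
HAM_SAMPLE = b"""From: colleague@example.invalid
To: someone@example.invalid
Subject: Minutes of Monday's meeting
Content-Type: text/plain

Attached are the minutes; please send corrections by Friday.
"""

def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)

def run_tests(msg) -> dict:
    """Stand-in heuristic tests with illustrative scores. SpamAssassin ships
    hundreds of rules; these four are constructed for the example."""
    hits = {}
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if subject and subject.isupper():
        hits["SUBJECT_ALL_CAPS"] = 1.5      # shouting in the Subject line
    if "To" not in msg:
        hits["MISSING_TO"] = 1.0            # bulk mailers often omit To:
    if "this is not spam" in text or "in compliance with" in text:
        hits["BOGUS_DISCLAIMER"] = 2.5      # the disclaimer trick mentioned above
    if "unsubscribe" in text:
        hits["UNSUBSCRIBE_OFFER"] = 1.0
    return hits

def score(msg) -> float:
    return sum(run_tests(msg).values())

def tag_if_spam(raw: bytes):
    """Parse a raw message and, if its score reaches the threshold, prefix the
    Subject with the flag string so end-users can file on it."""
    msg = parse(raw)
    if score(msg) >= SPAM_THRESHOLD:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(FLAG):    # never tag twice
            del msg["Subject"]
            msg["Subject"] = f"{FLAG} {subject}"
    return msg
```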

In addition to all this analysis of the message content, we have several lists of mail domains. These are black lists (bad sites) –

MAPS RBL+

UKERNA has subscribed to certain services of the Mail Abuse Prevention System (MAPS) on behalf of all JANET customer organizations (in practice, anyone within the ac.uk domain). This is known as the JANET RBL+ (RBL = Real-time Black hole List). Essentially, this is a database of addresses from which SPAM email is known to have originated. It includes –

  • sources of unsolicited bulk emails
  • address blocks (eg belonging to ISPs) which have a history of exploitation by SPAMMERS
  • open mail relays, insecure systems which are a major route for SPAM delivery
  • known dial-up lines (ie people by-passing a proper mail server).

Messages coming from addresses in the MAPS RBL+ will be blocked. This amounts to around 9% of all incoming messages.
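As an added example (not the BAS relay's configuration), this Python shows the screening order the policy describes for a connecting server: refuse it if it has no DNS name, refuse it if its domain is on the local blacklist, then look it up in the RBL+ by the usual DNSBL method of querying the reversed IPv4 octets under the list's zone. The blacklist entries, the zone name, the reply texts and the stub resolver are constructed assumptions; the page does not give the real zone.

```python
import ipaddress

# Local blacklist of mail domains (the "Blocked Emails" list above).
# Entries are constructed examples, not BAS's list.
LOCAL_BLACKLIST = {"bulkmailer.example", "nasty.example"}

# Assumed DNSBL zone; the real MAPS RBL+ zone is not named on the page.
RBL_ZONE = "rbl-plus.example"


def dnsbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Name queried for a DNSBL lookup: the IPv4 octets reversed, under the
    list's zone, e.g. 192.0.2.10 -> 10.2.0.192.rbl-plus.example."""
    addr = ipaddress.IPv4Address(ip)          # raises on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def screen_connection(ip: str, reverse_name, resolve):
    """Decide whether to accept mail from a connecting server.
    reverse_name: the server's DNS name, or None if it is not in the DNS.
    resolve: callable(name) -> True when the name exists (a DNSBL listing).
    Returns (accept, smtp_reply); the reply is the diagnostic the sender sees."""
    if reverse_name is None:
        return False, f"550 {ip}: server has no DNS name; connection refused"
    domain = reverse_name.lower().rstrip(".")
    for entry in LOCAL_BLACKLIST:
        if domain == entry or domain.endswith("." + entry):
            return False, f"550 mail from {domain} is not accepted here"
    if resolve(dnsbl_query_name(ip)):
        return False, f"550 {ip} is listed in the RBL+; connection refused"
    return True, "250 OK"


# Constructed stand-in for a DNS resolver: exactly one address is "listed".
LISTED = {dnsbl_query_name("198.51.100.7")}


def fake_resolve(name: str) -> bool:
    return name in LISTED
```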