FAQs: Email Spam & Filters
- What is Spam?
- What is UCE?
- How did they get my email address?
- Why can't the Campus UMail server just delete this stuff for my 'utah.edu' email account?
- How are messages classified as UCE by the campus UMail server?
- Will genuine messages coming to my 'utah.edu' address get lost by mistake?
- What can I do to stop getting spam?
- How do I set up a filter or a rule?
- What does "421 machines not registered with their own name server not allow in" mean?
What is Spam?
Spam (all lowercase letters - not to be confused with SPAM,
the Hormel canned meat product) is any message that is posted an
unacceptable number of times to one or more groups or Email lists.
The term has incorrectly become associated with any unwanted Email
such as ads. The appropriate term for unwanted ads is Unsolicited
Commercial Email (UCE).
What is UCE?
UCE stands for Unsolicited Commercial Email. UCE is any
email that you didn't request to receive that solicits goods or
services. For example, an Email that tries to attract you to a
particular web site. Sometimes the word spam is
incorrectly associated with this type of Email. The appropriate
term for unwanted Email ads is Unsolicited Commercial Email
(UCE).
How did they get my email address?
And who are they, anyway? In this context, "they" refers to any individual or group who sends UCE. Email addresses are acquired through a number of sources. Remember that on-line sweepstakes you entered to win a new car? One of the fields you filled out was for your email address. The group running the sweepstakes probably collected all the registrants' email addresses and then sold them to anyone willing to pay. Another technique is to search any and all web pages for email addresses. In today's world, information about us is marketing gold and some groups will do whatever it takes to get that information. The real question is what can be done to minimize the sources of this information.
Review Privacy Policies and Statements
Because of the current backlash of ill-will about the buying and selling of personal data, many companies have opted not to participate in this practice. (However, they still collect personal data.) To assure the public about the intended use of the data they collect, many companies have statements about their privacy policies. Before you give a company personal information, you should review their privacy policy with regards to that information and how it will be used.
Don't Allow your Email Address to be Given Out
Many web pages that collect personal information (free email account sign-up pages, on-line shopping sites, etc.) have check boxes that give permission to the company collecting the information to make it available to other companies. By default, these are often set to allow the distribution of information. Make sure you select the option to not allow distribution (usually by unchecking the allow box).
Don't Put your Email Address on a Web Page
During the late 1990s, it was all the rage to create personal web pages. That time reflected a naive and childlike period on the Internet. Many of us included all kinds of personal information, including our email addresses, on our web pages. Some people quickly realized the wealth of information available through the web and wrote programs to scan web pages for email addresses. (These programs are sometimes referred to as web crawlers, spiders, or web-bots.) To avoid having your email address harvested by a web-bot, don't put it on a web page. If you feel you must put your address on a web page, consider creating a graphic image of it (and don't use a mailto link).
Don't Give out Your Email Address
This may seem
like a no-brainer, but many sites require this piece of information
to register or use the site. So what can you do? Several companies offer
free email. Consider creating an email account you use specifically for
times when you don't want to give out your main email address. Or, use a
bogus address. The program collecting the information doesn't know if the
address you've entered is correct or not. It only checks to see if it follows
the rules: name@host.domain. Be careful if you do this. If you request
information (such as a forgotten password) from a company that typically
contacts you via email and you have given a bogus address, how will you get
the information?
Why can't the Campus UMail server just delete this stuff for my 'utah.edu' Email account?
In general, OIT only blocks email when there is a great probability that the incoming message
is harmful to the University's computing and networking systems. Viruses
and worms fall into this category. If OIT were to block messages more aggressively,
it is possible that legitimate messages would be filtered out.
It's important to recognize that the problem of unsolicited commercial
email has no perfect solution, be it technological or legal.
The University and OIT must take actions that serve the interests
of faculty, staff, and students, while preserving the openness
that is essential for an academic institution.
You should regularly inspect your spam folder to identify any
messages that you don't consider spam.
How are messages classified as UCE by the campus UMail server?
The spam flagging is done by a set of heuristics that rates the contents of each message based on typical spam contents and appearance. For details about how the flagging engine works, see the SpamAssassin web site. SpamAssassin also "learns" the characteristics of new types of spam messages over time.
Will genuine messages coming to my 'utah.edu' address get lost by mistake?
Tests indicate that with the filters' sensitivity set to detect about 80% of the incoming spam, there should be very few, or even no, cases where genuine mail is mis-identified as spam. However, the system will be monitored carefully, and if you believe that you're not getting mail that you expect, you should contact OIT Systems by calling the Campus Help Desk at 581-4000.
It does sometimes happen that our mail servers refuse a genuine message
from a legitimate source. This means that the machine trying to send
the message has been seen in the past to deliver spam, and its
administrators need to take action to secure it. The error report that
goes back to the sender explains this, and it's up to the sending side
to fix their problem.
What can I do to stop getting spam?
The reality is that it's very difficult to stop UCE. The most common approach is to block it. There are two basic methods of doing this: server-side blocking and client-side blocking. Server-side blocking is done on the computer that hosts the mail service and can either block messages based on the origination site address (using a "black list" of offending sites) or scan the message for possibly offensive content, keywords, or phrases (XXX, make lots of money, etc.). Either of these methods has the undesirable effect of occasionally blocking legitimate messages.
Client-side blocking blocks messages by using filters, rules,
or other tools within the client email reader program. When a
UCE is received, a filter can be created using the from email
address and a rule to immediately move the message to the trash.
One disadvantage to client-side blocking is that to block all possible
UCEs, you would need thousands of rules, which can totally crush the
performance of your computer. With that in mind, below are some
instructions to create filters and rules for the more common email
clients.
How do I set up a filter or a rule?
Client-side filtering processes messages by using filters, rules, or other tools within the client email reader program. When a UCE is received, a filter can be created using the from email address and a rule to immediately move the message to the trash. Some clients have additional technology built in to help determine if a message is UCE. One disadvantage to client-side blocking is that you can have thousands of rules, which can totally crush the performance of your computer. With that said, here are instructions to create filters and rules in some of the popular email clients. Please note the special instructions for 'utah.edu' email account holders.
- Outlook Express
- Outlook 2003
- Outlook 2002
- Eudora 6.0 For Mac Classic OS
- Eudora 6.0 for Mac OS X
- Microsoft Office X Entourage
- Outlook Express 5 for Macintosh Classic OS
- GroupWise 6.5 Local Client
- GroupWise WebAccess

What does "421 machines not registered with their own name server not allow in" mean?
In order to block access to the U of U facilities to domains that have caused us problems in the past, we do a lookup of each TCP/IP address that connects to us, and verify that it is not one of the bad guys. If the address is in a bad domain, or if the domain cannot be determined, we block access to the domain.
The lookup done is (as is true for most modern security packages) to check DNS for the PTR record for the address. If that maps to a name that maps back to at least the number then we are sure that we've correctly identified the domain.
If your address doesn't appear to have a PTR record, software has no way to mechanically determine it is part of your domain instead of some known hacker domain. Therefore we don't let it in. (Note also that having no name is going to cause it other problems. Sendmail 8.9.x, for example, won't accept mail from it...)
Note that the name of the machine need not be anything more than, for example, line128.domain.com. Our software, like other similar software, only requires that we can identify the domain; it does not require anything more of the name.
If you have any questions, feel free to have your DNS administrator contact us for further details.
Specific 421 Errors and What They Really Mean
The dreaded "421" messages for failed connections have been changed as follows (the %-thingies represent inserted variable information):
421 DNS information Currently Unavailable for your Machine %h
421 DNS information Inconsistent for your Machine %h
Contact the DNS dude at your Internet Service Provider (ISP) (not necessarily us!). If you get the above abominable "421" messages, you might not be able to actually do anything about it (at least not by yourself)!
Some ISPs have majorly misconfigured dialup modems (DNS-wise). The best that an ISP customer can likely do is complain to their ISP to get things set right there ...the %h information in the "421" message is useful information for the ISP.
Most dialup users (ours or others') just inherit the IP addresses associated with their ISP's dialup modems (as well as any attendant problems associated with those IP addresses). In such cases, the problem lies not with the user's machine itself but with the IP addresses associated with the ISP's dialup modems.
Also note that the above 421 messages can be generated in some cases where the requisite DNS is currently unavailable (off-line, network connectivity problems, etc.); these cannot be accurately distinguished from cases where there is true DNS non-registration (but such problems should be transient).
If the 421 message reports "inconsistent", then both the reverse (number to name) and forward (name to number) DNS lookups actually succeeded (i.e. the requisite DNS(s) -- there may be two of them required here! -- are currently available, but the returned information is inconsistent); however, the name associated with the number does not map back to that same number. This might possibly represent an attempt to spoof an IP address but more likely just represents somebody's failure to completely update the DNS information for a machine with a changed IP address. In these cases, %h might represent the host's name rather than its IP address. You are warned!
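The reverse-then-forward lookup described above, and the difference between the "Unavailable" and "Inconsistent" 421 messages, sketched in Python as an added example (it is not the campus wrapper code). The function names, the verdict strings and the sample zone data are assumptions made for illustration; the default resolvers use Python's standard socket module.

```python
import socket

def ptr_lookup(ip):
    """Reverse (number to name) lookup via the system resolver."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name, *aliases]

def a_lookup(name):
    """Forward (name to number) lookup via the system resolver."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def check_client(ip, reverse=ptr_lookup, forward=a_lookup):
    """Return (verdict, host): 'ok', 'unavailable' or 'inconsistent'."""
    try:
        names = reverse(ip)
    except OSError:                      # no PTR record, or DNS unreachable
        return "unavailable", ip
    forward_answered = False
    for name in names:
        try:
            addrs = forward(name)
        except OSError:                  # this name did not resolve
            continue
        forward_answered = True
        if ip in addrs:                  # name maps back to the connecting address
            return "ok", name
    if forward_answered:
        return "inconsistent", names[0]  # both lookups worked, answers disagree
    return "unavailable", ip

# Constructed sample zone data (documentation address ranges, made-up names).
PTR = {"192.0.2.128": ["line128.isp.example"],
       "198.51.100.7": ["mail.moved.example"],
       "203.0.113.9": ["ghost.isp.example"]}
A = {"line128.isp.example": {"192.0.2.128"},
     "mail.moved.example": {"198.51.100.99"}}   # stale record after renumbering

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.128", "198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(ip, check_client(ip, fake_reverse, fake_forward))
```

As the text notes, a resolver outage and a genuinely missing PTR record both end up as "unavailable"; only a completed pair of lookups that disagree is reported as "inconsistent", and in that case the host value is the name rather than the address.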
421 Service refused for %c
%c [user@]host is a person who has violated our internet use policies and has had their internet access through us disabled-- ALL connections are refused!
421 You are already there, %u
Attempt by a user (%u) to connect from a frontend machine to a frontend machine -- this is not necessarily wrong but it's useless and likely represents some misunderstanding.
Note: All frontend machines (u.cc.utah.edu) are equivalent -- nothing useful can be gained by connecting from one to another (it's like `telnet'ing to the machine that you're running `telnet' on -- and when unrestricted it just makes internal connections that users find difficult to get rid of!).
421 Service unavailable for %c
The requested service is not currently provided ...
421 Service denied for %c
This typically shouldn't occur, but if it does it may represent a failure of the tcp hosts.allow wrappers -- contact someone in the systems group to find out what might have gone wrong.
Note: The operative text here is "denied" -- the text "refused" and/or "unavailable" just represent the normal operation of the wrappers!
There are also other "421" messages, but
these are NOT generated by the current tcp wrappers (and are
not listed here) -- something else is wrong.
For questions or problems, please contact the Help Desk at 581-4000 option 1.

