How CSLab currently does email anti-spam stuff
February 25, 2007
The Computer Science department is strongly against rejecting email just because it might be spam (at least by default); enough people would rather sort through spam than risk rejecting legitimate email. People are willing to have known viruses removed from their email (although not executables in general).
(For clarity: the weekly spam summaries I do are not for CSLab's mail system.)
I once summarized CSLab's general rule as 'thou shalt not reject email just because it smells bad'. We can reject email that has narrow technical failings such as nonexistent origin address domains, and do things that don't cause any problems with legitimate mailers but get spammers to give up. We can't reject on stuff that isn't a clear technical failing, and we can't do anything that causes problems for legitimate mailers.
All external email goes through a frontend machine running Exim 4. This machine does the following spam-related things:
After all this the email message is delivered to our central email machine for actual processing and delivery and so on. We don't do anything special with messages tagged as spam; each person gets to decide for themselves how they want to handle such emails, whether that is to filter them on the server with
For an organization that doesn't want to reject email outright, I think that this sort of tagging is a big win; it makes things visible and it makes it easy for all sorts of clients to filter things. You need a reliable spam filter that doesn't need training, though.
We use Sophos PureMessage because the university has a site-wide license for it, so it doesn't cost us anything, and the central campus email system uses it and likes it. In my experience it does a good but not perfect job at recognizing spam, and I've only gotten a few reports of false positives. (And Sophos maintains the spam and virus filtering rules instead of us.)
Things we don't do (that sometimes surprise people):
Exim does reject some badly formed