Fritz-Haber-Institut der Max-Planck-Gesellschaft


General Overview of the PureMessage system

Sophos PureMessage is a complete solution for controlling the flow of email into and out of the FHI network. It is responsible for filtering spam and virus-infected email messages entering or leaving the FHI network, as well as enforcing other email-related policies.

PureMessage uses the Sophos Anti-Virus engine to scan messages for viruses, and uses a number of spam-detection methods to rate a message with a spam probability between 0% and 100%. Mail administrators then have the option of taking some sort of action on virus-infected email and messages that are rated with a certain spam probability.

The PureMessage system automatically checks Sophos servers for virus and spam definition updates once an hour, and if new definitions are available, they are immediately downloaded and installed. This allows the PureMessage system to automate the update procedure and catch new viruses and spam campaigns more quickly and efficiently.

PureMessage utilizes the concept of quarantining, meaning that if a message fits into a specific category, it can be stored in a holding area (called the “quarantine”) and not delivered to the intended recipient. PureMessage then provides mechanisms for users to access such quarantined messages that will be described later in this document.

The PP&B Implementation of PureMessage

Policy

In the PP&B environment, PureMessage works in the following way:

1. A message arrives in the PureMessage system. A header similar to the one below is added to the message to indicate that it has been processed by PureMessage:

X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.2.0, Antispam-Data: 2005.1.10.24

Note that the header should contain the version of the PureMessage software that processed the message, the version of the Antispam engine that processed the message, and the version of the antispam data definitions that were used during the scanning of the message. This information can be useful to your mail administrators in tracking down any issues that might come up.

2. The message is virus-scanned. If it contains a virus, it is rejected with the message “One or more viruses (VIRUS_NAME) were detected in the message.” where “VIRUS_NAME” is the name(s) of the virus(es) that were detected in the message. Whoever sent the infected email will then receive a bounce message indicating that the message was rejected by the FHI mail server; the bounce contains the text above explaining why this has happened.

3. The message is then checked for suspicious attachments. If it contains such an attachment, the message is quarantined for reason “Suspect”. Below is the list of file types that are currently considered suspicious, as reported by the pmx_suspect_attachment rule:

pmx_suspect_attachment (part 1.2): extensions:
.htm, .html, .jfi, .jfif, .jif, .jpe, .jpeg, .jpg, .js, .pdf, .png, .tif, .tiff, .xht, .xhtml, .xml, .zip

pmx_suspect_attachment (part 1.2): mime types:
application/octet-stream, application/pdf, application/xml, application/zip, image/jpeg, image/png, image/tiff, text/html, text/xml

To be done (extensions still to be added to the list):
ade, adp, crt, email, exe, hlp, hta, inf, ins, js, jse, bas, lnk, msc, msi, mst, ocx, pcd, pif, reg, scr, sct, bat, shb, shs, url, vb, vbs, vbe, wsf, wsh, wsc, ???.exe, chm, ???.lnk, ???.pif, cla, class, cmd, com, cpl

4. It is then checked if the message is from a whitelisted host or sender. There are the following types of whitelists:

Hosts: This is a global list of IP addresses and domain names of trusted networks whose incoming messages should always be allowed through without spam-checking. It applies to all incoming email and is populated and maintained by your mail administrator. Questions or requests regarding this list should therefore be directed to them.

Senders: This is a global list of email addresses of trusted senders whose incoming messages should always be allowed without spam-checking. It applies to all incoming email and is populated and maintained by your mail administrator. Questions or requests regarding this list should therefore be directed to them.

Senders-per-user: Every user has their own list of trusted senders whose incoming messages should always be allowed through without spam-checking. Each of these lists is tied to a specific email address, and will only affect email destined for that email address. They are populated and maintained by end-users via the End-User Web Interface.

If the sender or host that sent the message is in any of the above lists, the message is considered “whitelisted” and is delivered immediately without spam-checking.

5. It is then checked if the message is destined for an address which is on the anti-spam opt-out list. This is a global list of email addresses whose owners have chosen not to have their email spam-checked. End-users can opt in or out of spam-checking via the End-User Web Interface. If the message is destined for an address which is on the anti-spam opt-out list, it is delivered immediately without spam-checking.

6. It is then checked if the message is from a blacklisted host or sender. There are the following types of blacklists:

Hosts: This is a global list of IP addresses and domain names of non-trusted networks whose incoming messages should always be quarantined for reason “Blacklisted” and not delivered. It applies to all incoming email and is populated and maintained by your mail administrator. Questions or requests regarding this list should therefore be directed to them.

Senders: This is a global list of email addresses of non-trusted senders whose incoming messages should always be quarantined for reason “Blacklisted” and not delivered. It applies to all incoming email and is populated and maintained by your mail administrator. Questions or requests regarding this list should therefore be directed to them.

Senders-per-user: Every user has their own list of non-trusted senders whose incoming messages should always be quarantined for reason “Blacklisted” and not delivered. Each of these lists is tied to a specific email address, and will only affect email destined for that email address. They are populated and maintained by end-users via the End-User Web Interface.

If the sender or host that sent the message is in any of the above lists, the message is considered “blacklisted” and is quarantined for reason “Blacklisted” and not delivered.

7. The message is then spam-scanned and assigned a spam probability between 0% and 100%. Regardless of the resulting spam rating, a header similar to the one below will be added to the message to indicate spam-related information regarding that message.

X-PerlMx-Spam: Gauge=XXXXXXXXXIIIIII, Probability=96%, Report=KNOWN_HEALTH_CAMPAIGN 8, OBFU_CLASS_OTHER_LOW 2.5, DATE_IN_FUTURE_12_24 1.3, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __FRAUD_419_BADTHINGS 0, __HAS_MSGID 0, __MIME_VERSION 0, __SANE_MSGID 0

Note the following fields:

Gauge: A roman-numeral version of the spam probability of the message. This can be useful for users who want to perform their own filtering in their own mail client software.

Probability: This is the spam probability as a percentage.

Report: This contains each spam rule that fired and the weight it contributed. The weights are added together and the sum is then converted to the resulting spam probability. Spam rules prefixed with underscores (for example, __FRAUD_419_BADTHINGS) are generally sub-rules: a number of them have to fire before the parent rule fires, and it is the parent rule that adds a (usually) large weight.

For all messages that get spam-scanned, this header is ultimately useful in determining why a message was quarantined, tagged, or delivered.

8. If the message has a spam probability of 80% or greater, it is quarantined for reason “Spam” and not delivered.

9. If the message has a spam probability between 30% and 80%, the subject header is tagged as shown below, and the message is delivered.

Original Subject: “Hello, here is a great deal!”
Modified Subject: “(:cell PQA(PSS(!SPAM?:XXXXX|||||):) Hello, here is a great deal!”

XGAUGE: Absolute gauge, one 'X' character for every 10% probability.
IGAUGE: Absolute gauge, one 'I' character for every 1% after the XGAUGE level.

10. If the spam probability is lower than 30%, the message is delivered.


Further Info:
GNZ User Info

© FHI


Address: Fritz-Haber-Institut, Faradayweg 4-6, 14195 Berlin, Germany