Spam is the practice of sending unwanted email messages, in large quantities, to an indiscriminate set of recipients. Some spam can also include malware or viruses that are loaded onto your computer without your knowledge.

UCT manages spam for all email addresses by using Mimecast, which holds onto suspected spam messages so that you can review them and either block or allow them into your mailbox. Office 365 offers online spam protection for addresses.

How does UCT manage spam?

Within seconds of being received by the UCT mail gateways, email messages pass through several security checks before being delivered to your mailbox. This is to prevent as much spam as possible from coming into the organisation.

UCT must deal aggressively with spam because higher education institutions are now one of the most spammed sectors in the world. However, sometimes these aggressive spam controls prevent legitimate messages from getting through to your mailbox. There are many reasons that this happens, but to help you retrieve those messages UCT has enlisted the services of the Mimecast online email management tool for all UCT email addresses. The Mimecast service is only available for email addresses (i.e. UCT staff, third parties and postgraduate students).

Can I decide what is and isn't spam?

If the Mimecast tool suspects that a message is spam, instead of removing it from the system, you will receive an email telling you that a message has been placed in the Mimecast On Hold queue. This gives you the opportunity to either Release, Block or Permit the message.

  • Release: allows the message to be delivered to your mailbox, but does not automatically allow any other messages from the same sender to reach you.
  • Block: rejects the message and blocks this sender from sending emails to you in future.
  • Permit: delivers the message to your mailbox and allows this sender to email you in future.

You will only receive an email if there are spam messages in your Personal On Hold queue. Hopefully over time you will receive less and less spam as the system "learns" what you do and don't allow through.

Spam filtering at UCT

In addition, UCT has put the following methods in place to try to combat this scourge.

Phase 1:
Inbound Lockout
Spoof attempts are blocked, i.e. where legitimate UCT email addresses are impersonated by non-UCT users. In this way, if a spammer falsifies their sending address to masquerade as an internal domain address, the email will be rejected.
Phase 2 and 3:
Blocked Senders
This phase restricts messages to or from specific email addresses or domains.
Phase 4 and 5:
Permitted Senders
All spam checks (reputation-based and content-based), except anti-virus checks, are bypassed. If an email address or domain is in both the Permitted Senders and Blocked Senders phases, the Blocked Senders phase will be applied first and the email will be rejected.
Phase 6:
Auto Allow
When an internal user sends an outbound email, the system captures the recipient's email address and adds it to a database known as Auto Allow. When the same recipient sends an inbound email to a UCT user, the recipient's email address is checked against the Auto Allow database and if a match is found, the inbound email will be allowed through without applying additional spam reputation checks and content checks - similar to a Permitted Sender - although virus checks are still applied.
Phase 7:
IP Reputation Checks
A Real-time Blackhole List (RBL), which contains the IP addresses of known malware senders, is applied.
Another IP reputation check functions as a global network outbreak detection system, both known and unknown. This reputation service temporarily defers connections if they are suspected to have a bad reputation.
Phase 8:
Compliance checks are applied to the sender's mail server for all connections not previously seen by the system. The system returns a busy signal, which prompts the sending server to retry the email delivery after 1 minute. If the sender's mail server retries the connection, the email is processed. If the email is not retried within 12 hours, the email connection is dropped and rejected.
Phase 9:
Recipient Validation
Prevents inbound emails with invalid recipient addresses.
Phase 10:
Emails moved to the scanners
  1. Spam scanning: Multiple content-based, heuristic scanning engines are used. These engines examine the content of emails and look for key phrases and other identifiers commonly used by spammers. These include content-matching rules and DNS-based, checksum-based and statistical filtering definitions. Depending on the policy configured, if a match is found, the email is held for review.
  2. Virus scanning: Malware protection software combined with intelligence gathered from millions of commercial and freeware users is employed (this includes signature and heuristic detection technologies).
Phase 11:
Attachment scanning
Attachment Policies are configured to look for certain attachment types and sizes. UCT blocks a number of attachments that are considered dangerous as they may contain malicious content such as viruses.
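
The ordering of phases 2 to 6 and phase 8 can be seen in a small model. This is an added example, not UCT's or Mimecast's code; it shows that a blocked sender is rejected even when also permitted, that permitted and auto-allowed senders still get a virus scan, and how the retry window behaves. Assumptions: a "connection" is keyed on sending IP, sender and recipient; permitted and auto-allowed senders skip the phase 8 retry check; an attempt made after the 12-hour window is treated as a new first-seen connection; the other phases are left out.

```python
from dataclasses import dataclass, field

RETRY_AFTER = 60           # page: sending server retries after 1 minute
RETRY_WINDOW = 12 * 3600   # page: dropped if not retried within 12 hours
DEFER, FULL_SCAN = "defer: busy signal", "scan: spam and virus"

def listed(address, entries):
    """True if the address or its domain appears in a sender list."""
    address = address.lower()
    return address in entries or address.rsplit("@", 1)[-1] in entries

@dataclass
class Gateway:
    blocked: set = field(default_factory=set)     # Blocked Senders
    permitted: set = field(default_factory=set)   # Permitted Senders
    auto_allow: set = field(default_factory=set)  # Auto Allow database
    pending: dict = field(default_factory=dict)   # first-seen time per connection
    known: set = field(default_factory=set)       # connections that retried in time

    def outbound(self, recipient):
        self.auto_allow.add(recipient.lower())    # an internal user mailed them

    def inbound(self, sender, recipient, ip, now):
        """Verdict for one delivery attempt at time `now` (seconds)."""
        if listed(sender, self.blocked):          # evaluated before Permitted
            return "reject: blocked sender"
        if listed(sender, self.permitted) or sender.lower() in self.auto_allow:
            return "scan: virus only"             # virus checks are never bypassed
        key = (ip, sender.lower(), recipient.lower())  # assumed connection key
        if key in self.known:
            return FULL_SCAN
        seen = self.pending.get(key)
        if seen is None or now - seen > RETRY_WINDOW:
            self.pending[key] = now               # new, or earlier attempt expired
            return DEFER
        if now - seen < RETRY_AFTER:
            return DEFER                          # retried too soon
        self.known.add(key)
        return FULL_SCAN

def demo():
    """Constructed addresses and times; one verdict per delivery attempt."""
    gw = Gateway(blocked={"bulk.example"}, permitted={"bulk.example", "partner.example"})
    gw.outbound("alice@lab.example")
    to, new = "staff@uni.example", ("carol@new.example", "staff@uni.example", "192.0.2.13")
    return [gw.inbound("news@bulk.example", to, "192.0.2.10", 0),
            gw.inbound("bob@partner.example", to, "192.0.2.11", 0),
            gw.inbound("alice@lab.example", to, "192.0.2.12", 0),
            gw.inbound(*new, 0), gw.inbound(*new, 90)]
```

Because Permit skips the reputation and content checks for every later message from that sender, the virus and attachment scans are the only controls left on a permitted address.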