Email, Spam & Undeliverable Messages

The College’s mail servers receive approximately 4 million messages a month. of which, roughly 60% are spam. It’s quite clear why scanning inbound messages for spam and viruses is desirable. These message are stopped by our scanning service and are never delivered to our servers. That’s why you need to log in to an external service to take any further action on those messages. You can configure this scanning to always deliver, or whitelist, particular addresses or domains, ie, allow everything from vassar.edu.

Plans are being made to implement outbound message scanning. The College’s servers don’t send out a huge volume of email, nor do they normally send out large amounts of spam. This might lead one to conclude that outbound scanning isn’t necessary since we’re not generating a great deal of spam, or inconveniencing a large number of non-Swarthmore email users. The problem is that most email systems, either directly or through a provider, use something called ‘reputation’ to rate mail coming into the server from outside. If you send out spam you can get added to a list of known spammers, or blacklisted. Any organization that subscribes to that list, or uses a provider that does, will refuse to accept email from a mail server that is blacklisted (See DNSBL). Repeatedly being added to blacklists will lower an institution’s reputation, making it more likely that you will be listed as a spammer in the future.

It can be difficult and time consuming to track down what service has a server blacklisted. It then takes even more time to get unlisted. The whole time this is being done email from any user on campus will be rejected by anyone that uses that service or blacklist. Different service providers have different sensitivity levels, for some it may take a large amount of spam, for other it may take fewer messages. They don’t generally publish this information since knowing this criteria would give spammers an advantage in trying to defeat it.

It is particularly damaging when a user’s real email account is compromised. This is the worst case, the spam really is coming from a valid email account on campus even though the real user may not know it. Spam that is forged (spoofed) to make it look like it comes from Swarthmore is less of a problem since it can often be detected as forged automatically. In the case where a user’s machine is infected or hacked is less of a problem, that machine would be the only one that’s blacklisted. All valid email is supposed to enter and leave campus through our mail server, so this blacklisting of a user’s machine does not affect the entire campus community, or even their own ability to send email from our servers.

In the best interest of the campus community ITS is researching solutions that can be put in place to prevent our servers from being blacklisted. Scanning of outbound messages for spam and viruses is only part of a potentially larger solution.