What spam filters do you use?
Our e-mail servers can reject messages that are likely to be unwanted junk mail, or "spam". We currently reject an average of about 100 messages per day per customer.
So how do our mail servers decide which messages are spam? We use several different methods:
- Restrictions applied to all mail
- Allowing messages from within our network
- Manual whitelisting and blacklisting
- Automatic whitelisting
- Extra checks performed by "Low Spam Filtering"
- Extra checks performed by "High Spam Filtering"
- How accurate is the spam filter?
Restrictions applied to all mail
First of all, we use a set of rules to reject mail from certain extremely abusive senders. The rules reject:
- Mail from spammers who have sent spam to us or to a customer of ours who has complained; and
- Some common viruses that have consistent "From" addresses, subjects, or links in their messages.
This first step is applied to all messages, regardless of whether you have the spam filter turned on. It should block only blatant spammers and other senders of extremely abusive e-mail, and should never incorrectly block any legitimate messages. Our statistics indicate that fewer than one message per million is rejected in error by these rules, and in those cases, the sender will receive a message indicating why the message was blocked, allowing them to change their message and resend it.
Next, we pass all incoming mail through an anti-virus scanner. Any messages containing viruses are not delivered, although we keep copies of such messages for one week in case we receive a report of the virus scanner incorrectly discarding a message.
Allowing messages from within our network
Next, we check if the message is coming from our own network — that is, whether it's from one of our own customers. If it is, we automatically allow it. This ensures that messages our customers send to each other are never blocked.
Manual whitelisting and blacklisting
The next check is manual whitelisting and blacklisting.
You can use our control panel to "whitelist" (accept all mail from) or "blacklist" (reject all mail from) certain senders. To add custom rules:
- Log in to the "My Account" control panel
- Click E-Mail Options
- Scroll down the page to the "Blacklist and Whitelist" instructions.
If you've added the sender to your manual whitelist, the message will be accepted for delivery at this stage. If it's not on the manual whitelist, but you've added the sender to your manual blacklist, the message will be rejected.
We check the whitelist first so you can enter specific whitelist rules that override blacklist rules. For example, if you enter "email@example.com" in the whitelist and "example.com" in the blacklist, you can receive mail from email@example.com while blocking everyone else at example.com.
If the sender isn't in your whitelist or blacklist, the spam filter settings for the e-mail address are checked. If you have the spam filter turned "Off", the message will be delivered to your mailbox at this point. If you have the spam filter set to "Low" or "High", the message is next checked to see if it should be automatically whitelisted.
Automatic whitelisting
The next check is automatic whitelisting.
If you've written to the sender within the last year, a return message from that address will be automatically allowed without further spam checking.
So when you write to someone, you don't need to worry about spam blocking. Nothing that person later sends you will be blocked, even if our spam filters would otherwise think the message is spam.
(There's one exception: Messages won't be automatically whitelisted if an SPF check, described in the next section, suggests that the message is using a forged sender address. It wouldn't make sense to whitelist all forged messages claiming to be from "paypal.com" just because you're a PayPal customer who has written to that address.)
We also automatically whitelist messages from several sources we trust (mostly large companies and ISPs), as well as trusted senders identified by the Spamhaus Whitelist.
Extra checks performed by "Low Spam Filtering"
The next checks involve your spam filter setting.
"Low Spam Filtering" will:
- Block a message if our filters think it's spam for two or more independent reasons; or
- Delay a message if our filters think it's spam for one reason.
In detail, the "Low Spam Filtering" check uses SPF, greylisting, blacklist checking, and SpamAssassin scores based on the content of the message.
SPF allows our servers to ask the sending domain name for a list of mail servers that are authorized to send mail. For example, if we receive a message claiming to be from "firstname.lastname@example.org" (an address that's frequently used in "phishing" spam), we check to see if chase.com agrees that the sending mail server is authorized to use the chase.com address. If they say the sending mail server is never authorized, or is probably not authorized, our servers will consider it "suspicious" in the next step, greylisting.
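The SPF decision described above, as an added example (not our mail servers' own code). It evaluates only the `ip4`, `ip6` and `all` mechanisms of a record so that it runs without DNS; the record and IP addresses are constructed samples, and the function names are made up for this illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record: one IPv4 range, one IPv6 range, everything else "never authorized".
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against an already-fetched record.

    Simplification: mechanisms that need further DNS lookups (a, mx, include,
    exists) and modifiers such as redirect= are skipped, not resolved.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # catch-all: matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched


def is_suspicious(spf_result: str) -> bool:
    """'Never authorized' (fail) and 'probably not authorized' (softfail)
    both mark the message as suspicious for the greylisting step."""
    return spf_result in ("fail", "softfail")
```

A record ending in `-all` produces "fail" for any server not listed, while `~all` produces "softfail"; both count as suspicious here.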
Greylisting is a method for delaying "suspicious" mail. When our servers receive suspicious mail from a first-time sender, we reply with a standard e-mail error code meaning "we can't accept this message now, but try again later". Our servers can consider messages "suspicious" if the SPF result seems dubious, or if the sending server is on a spam blacklist, or if the sending server looks like it might be a virus-infected personal computer.
When spammers receive a "try again later" error, they rarely try again (they have special software that tries once and gives up), so you usually won't receive their spam. However, in the few cases where the "suspicious" mail wasn't spam, the sending mail server is required by Internet mail standards to redeliver the message (usually a few minutes later), and our servers will then accept it.
Greylisting works very well, eliminating more than 80% of spam. The drawback is that the very first time someone writes to you, there is a small chance that the message will be delayed for a few minutes because it looks "suspicious". However, no legitimate mail should ever be lost.
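A small greylisting model, added here as an illustration and not taken from our mail servers. It assumes the common design of tracking each (sending IP, sender address, recipient address) combination, a 60-second minimum wait before a retry counts, and a `451 4.7.1` reply text; none of those details are stated on this page.

```python
import time


class Greylist:
    """Temp-fail the first attempt of suspicious mail; accept a later retry."""

    def __init__(self, min_delay=60, now=time.time):
        self.min_delay = min_delay  # seconds before a retry is accepted (assumed value)
        self.now = now              # injectable clock so the behaviour can be tested
        self.first_seen = {}        # triplet -> time of the first delivery attempt
        self.known = set()          # triplets that have already retried correctly

    def check(self, client_ip, mail_from, rcpt_to, suspicious):
        """Return the SMTP reply for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        # Mail that is not suspicious, or from a sender who already proved
        # it retries, is never delayed.
        if not suspicious or key in self.known:
            return "250 OK"
        first = self.first_seen.setdefault(key, self.now())
        if self.now() - first >= self.min_delay:
            # A real mail server queued the message and came back later.
            self.known.add(key)
            return "250 OK"
        # First attempt (or a retry that came too soon): ask the sender to
        # try again. Software that sends once and gives up never returns.
        return "451 4.7.1 Greylisted, please try again later"
```

Because the reply is a temporary (4xx) error and not a permanent rejection, a standards-compliant sender keeps the message queued, which is why legitimate mail is delayed but not lost.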
We also check whether the domain name appears on certain blacklists, described in more detail in the next section. We reject the message if it appears on certain combinations of multiple blacklists run by independent organizations.
Checking for combinations makes "false positives" (incorrect rejections of messages that aren't really spam) extremely unlikely for this rule — in fact, we've never had one reported. The chances that two or more independent organizations have both made the same mistake and incorrectly listed someone as a spammer are very low.
Finally, we check the SpamAssassin score of the message, blocking it if the score is higher than 21 (which is an extremely high score: we've never seen a message with a score this high that isn't blatant spam).
If you have the spam filter set to "Low Spam Filtering", the message is delivered if it passes these checks. If the spam filter is set to "High", further checks are performed.
Extra checks performed by "High Spam Filtering"
"High Spam Filtering" can block a message that appears to be spam based on just a single reason, as long as we think that reason is extremely reliable.
The first "High Spam Filtering" check is to block mail with "From" addresses that aren't real e-mail addresses, such as addresses at domain names that don't actually exist. This filter blocks some spam, as spammers often use fake addresses.
Secondly, "High Spam Filtering" rejects messages from computers appearing on certain "spam blacklists" that are run by other organizations. These blacklists include:
- mail servers run by known spam companies;
- mail servers that are misconfigured to allow spammers to send unlimited amounts of mail through them; and
- computers that should not be directly sending mail without using their ISP's mail server (these are usually personal computers that have been hijacked by spammers).
In contrast to "Low Spam Filtering", "High Spam Filtering" will sometimes block messages from servers listed on a single blacklist that we consider extremely reliable, so it catches significantly more spam with only a slightly higher risk of "false positives".
The only blacklist we currently use that can reject mail for this reason alone is:
Blacklists that are used in combination with other factors are:
- black.uribl.com and red.uribl.com
- UCEProtect level 1
- Barracuda Reputation Block List
- invaluement Anti-Spam DNSBL
We change the blacklists from time to time as we attempt to keep ahead of spammers while ensuring that little-to-no legitimate mail is rejected.
If the SPF record says the sending server is never authorized to send mail for this domain name, that's treated as being equivalent to a "combination factor" blacklist entry.
Finally, we check the SpamAssassin score of the message, blocking it if the score is higher than 14. This is still a very high score with almost no risk of false positives.
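The order of checks on this page, written out as a simplified model (an added example, not our production filter). The dictionary keys, the way reasons are counted, and treating both SPF "fail" and "softfail" as a forged sender for the automatic whitelist are assumptions; the SpamAssassin thresholds 21 and 14 are the ones given above.

```python
def matches(sender, entries):
    """True if the sender matches a full-address entry or a bare-domain entry."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    return sender in entries or domain in entries


def verdict(msg, mailbox):
    """Return 'accept', 'reject' or 'delay' for one message."""
    sender = msg["from"]
    if msg.get("internal"):                       # sent from within our network
        return "accept"
    if matches(sender, mailbox["whitelist"]):     # whitelist is checked first...
        return "accept"
    if matches(sender, mailbox["blacklist"]):     # ...so it overrides the blacklist
        return "reject"
    level = mailbox["filter"]                     # "off", "low" or "high"
    if level == "off":
        return "accept"
    spf = msg.get("spf", "none")
    forged = spf in ("fail", "softfail")          # assumption: both count as forged
    if sender.lower() in mailbox["written_to"] and not forged:
        return "accept"                           # automatic whitelist
    combo_lists = msg.get("combo_lists", [])      # hits on "combination" blacklists
    # SPF "never authorized" counts as one more combination factor.
    reasons = len(combo_lists) + (1 if spf == "fail" else 0)
    score = msg.get("sa_score", 0.0)
    if reasons >= 2 or score > 21:                # Low: two independent reasons
        return "reject"
    if level == "high":                           # High: one reliable reason is enough
        if (not msg.get("from_domain_exists", True)
                or msg.get("reliable_list")
                or score > 14):
            return "reject"
    # A single reason only delays the message (greylisted on its first attempt).
    return "delay" if (forged or combo_lists) else "accept"
```

Note that a sender you have written to is still filtered when SPF indicates forgery, and that a mailbox set to "Off" accepts the message before any score or blacklist is consulted.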
How accurate is the spam filter?
If mail sent to you matches any of the spam filter checks, the chances are extremely high that it's unwanted spam. We're confident enough of this that our staff use "High Spam Filtering" for all our own mailboxes.
However, you should keep in mind that although such a message is almost certainly spam, we can't guarantee it. For example, one of your friends may have misconfigured his mail program to use an invalid "From" address, or he may have signed up with an ISP that has misconfigured their servers to allow spammers to send messages through their network. Such situations can lead to incorrect blocking. (If incorrect blocking does happen, the person writing to you will receive an error message saying why the message can't be delivered; the message won't just vanish.)
If you're concerned about missing any mail, you may wish to set the spam filter to "High Spam Filtering" for any addresses you list in a public place where a spammer could find them (such as on your Web page), and set the spam filter to "Low Spam Filtering" (or even "Off") for private addresses you give only to friends and business associates.