The new mailscanner system (Virus and Spam tagging and filtering)

The CS department has installed servers to scan all mail that comes into the department for viruses and spam. They will quarantine all viruses or malicious files that are detected in incoming email, and add headers to messages indicating the probability that the message is spam.

If a virus is detected in your email

If a virus is identified in an Email message, it will be quarantined. That is, the infected content or attachment is removed from the message. A brief message is inserted into the Email in its place explaining what happened and how to recover the attachment if necessary, and the message is delivered to the user normally, without the malicious content.

Messages that have been tagged as containing viruses or other malicious content also have a header inserted:

X-CSD-MailScanner: Found to be infected

This header can be used to filter out infected messages with procmail, MS Outlook, or other mail filtering software. See below for more details on filtering these messages.

The mailscanner will also insert one of the following warnings into the subject of the message, indicating that suspicious content was found:

  
{Virus?}
A virus was found and removed by the virus scanner
{Dangerous Content?}
Dangerous Object Codebase tag HTML was found by the virus scanner
{Filename?}
A prohibited type of file attachment was found and removed

What are the prohibited file types?

Certain types of attachments that are commonly used to deliver viruses or other malicious content are automatically removed from email messages. The types automatically removed are:

.scr
Windows Screen Saver
.bat
Windows Batch File
.com
Windows Command File
.reg
Windows Registry File
.cpl
Windows Control Panel File
.pif
MS-Dos program shortcut
.wsc .wsf .wsh
Windows Scripting Extensions
.vbe .vbs
Visual Basic Scripting Extensions

Recovering attachments removed by the virus scanner

When a virus has been removed from your message, it is replaced with a message that states where it has been quarantined. Simply send that information to staff@cs.umd.edu and we will get you a copy of the attachment.

Avoiding having your messages quarantined

If you must send or receive one of the prohibited types of files, we recommend compressing it into a .ZIP, .tar, or other archive format before transmitting the file. It can then pass safely through the virus scanner and be extracted by the recipient.

Filtering out virus-tagged Email

Here is an example of a .procmailrc rule you can use to filter virus-tagged email using procmail.

:0
* ^X-CSD-MailScanner: Found to be infected
Mail/virus

Using the new spam tagging features

The new mail scanners will also scan all messages and score them for the likelihood that they are spam. You can use these scores instead of or in addition to your own local spam blocking software, or not at all. The simplest way to use the new spam tagging feature is to filter out messages with this header inserted:

X-CSD-MailScanner-SpamCheck: spam

Here is an example of a .procmailrc rule that will allow you to do this:

:0
* ^X-CSD-MailScanner-SpamCheck: spam
Mail/spam

If you are also running your own local instance of spamassassin, we recommend ordering your rules as follows to minimize the CPU load on your machine. This removes already-tagged viruses and spam before they are reprocessed with spamassassin:

##
## Remove messages that the mailscanner tagged
## as viruses
##
:0
* ^X-CSD-MailScanner: Found to be infected
Mail/virus

##
## Remove messages that the mailscanner tagged
## as spam
##
:0
* ^X-CSD-MailScanner-SpamCheck: spam
Mail/spam

##
## Tag with local spamassassin
##
:0fw
| /usr/local/bin/spamassassin

##
## Remove messages that spamassassin tagged
## as spam
##
:0
* ^X-Spam-Status: Yes
Mail/spam

There is also a spam score header that looks like this:

X-CSD-MailScanner-SpamScore: sssssssssssssssss

The number of 's' characters in this header reflects how likely the message is to be spam: the more 's' characters, the higher the score. spamassassin traditionally considers anything with a score of five or more to be spam. If you like, you can filter messages with a custom score using this header.

For example, if you wanted to filter anything with a score of seven or more, you could use this procmail rule:

:0
* ^X-CSD-MailScanner-SpamScore:\ sssssss
Mail/spam

Or if you wanted to filter anything with a score of three or more, you could use this rule:

:0
* ^X-CSD-MailScanner-SpamScore:\ sss
Mail/spam
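
The same triage for mail software other than procmail, as an added Python example that is not part of the department's configuration: it applies the header checks in the order of the recipes above and turns the run of 's' characters in the score header into a number. The function names and the sample messages are constructed for illustration.

```python
import email

VIRUS_HDR = "X-CSD-MailScanner"
SPAM_HDR = "X-CSD-MailScanner-SpamCheck"
SCORE_HDR = "X-CSD-MailScanner-SpamScore"


def spam_score(msg):
    """Count the leading 's' characters in the score header (0 if absent)."""
    value = msg.get(SCORE_HDR, "").strip().lower()
    return len(value) - len(value.lstrip("s"))


def classify(raw, threshold=None):
    """Return the folder for a raw message, or None to deliver it normally.

    Only real headers are inspected, so header-like text in the body
    (for example in a forwarded or quoted message) is ignored.
    """
    msg = email.message_from_string(raw)
    # Same order as the recipes above: virus tag first, then spam tag.
    # startswith() mirrors the anchored "^Header: value" procmail match.
    if msg.get(VIRUS_HDR, "").strip().lower().startswith("found to be infected"):
        return "Mail/virus"
    if msg.get(SPAM_HDR, "").strip().lower().startswith("spam"):
        return "Mail/spam"
    # Optional custom threshold, like the 'sss' / 'sssssss' rules.
    if threshold is not None and spam_score(msg) >= threshold:
        return "Mail/spam"
    return None


# Constructed sample messages (not real mail).
INFECTED = ("From: a@example.org\nSubject: {Virus?} report\n"
            "X-CSD-MailScanner: Found to be infected\n\nbody\n")
TAGGED = ("From: b@example.org\n"
          "X-CSD-MailScanner-SpamCheck: spam\n\nbody\n")
SCORED = ("From: c@example.org\n"
          "X-CSD-MailScanner-SpamScore: ssss\n\nbody\n")
QUOTED = ("From: d@example.org\nSubject: question\n\n"
          "X-CSD-MailScanner: Found to be infected\n")

if __name__ == "__main__":
    for name, raw in [("INFECTED", INFECTED), ("TAGGED", TAGGED),
                      ("SCORED", SCORED), ("QUOTED", QUOTED)]:
        print(name, "->", classify(raw, threshold=3))
```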