Interface Online Center for Information Technology (CIT)

July 31, 2004 [Number 230]

CIT Has Installed Anti-Spam Enhancements to E-Mail

Do you think that you have been getting less spam recently? It isn't your imagination; you have been getting less spam since CIT installed the NIH anti-spam service in front of the NIH Central Email Service (CES). CIT’s CES staff spent several months evaluating various options, selected IronPort Systems in January 2004 as the best solution for NIH, began a pilot project in February, and by April 15 had the IronPort solution in production.

The NIH anti-spam service quarantines spam before it reaches the e-mail system, so it never enters e-mail servers or reaches users. This frees up network resources for work related to NIH’s mission and saves everyone the time spent coping with spam. (Spam is described on the CIT anti-spam web page.)

Already spam has been drastically reduced. One NIH Webmaster, who was the unfortunate recipient of 30 to 40 spams a day, noticed that the flow had stopped almost immediately. On a recent day CES blocked over 600,000 connections from known spammers. The anti-spam service then removed an additional 70,000 (10% of incoming e-mails), as they were positively identified as spam, thus saving NIH staff the time to delete them. The cost of processing spam can reach an estimated $4 billion a year in lost productivity, according to the Yankee Group, a global networking research and consulting firm.

How the NIH Anti-Spam Service Works

Three IronPort C60 hardware appliances sit in front of the NIH mail servers. With an average of 300,000 e-mail messages per appliance, the anti-spam detection software (Brightmail) on the appliances is searching almost a million e-mail messages a day.

    SMTP Throttling and Blocking—IronPort appliances can throttle (rate limit) or outright block inbound e-mail flow based upon the SenderBase [www.senderbase.org] reputation score or manual configuration. Hosts with bad scores are automatically throttled, as are abusive and 100% spam domains.

    E-mail with a signature—Brightmail scans all e-mail with "signatures" created from known spam. This technology works very similarly to anti-virus signatures in that there must be a positive match for the e-mail to be identified as spam. This prevents spam being delivered to you. Brightmail has an extremely low false positive rate—less than 0.1% of legitimate e-mail is quarantined.

    E-mail without a signature—Brightmail uses additional "heuristic" scans (of headers, body, html, hyperlinks) to catch more spam that doesn't yet match a signature, but which could be spam. E-mail that triggers the heuristic scan receives a tag "Potential Spam:" in the subject line, and is delivered to your Outlook inbox. For example, an e-mail with the subject line "You win $l billion!" will become "Potential SPAM: You win $l billion!" This will not prevent any e-mail from being delivered.

    Spam that gets through—E-mail that actually is spam but gets through to your Outlook inbox can be forwarded to Brightmail, which uses your feedback to improve the ability of the system to curb spam without affecting the flow of legitimate e-mail. See the next section.
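
The stage order described above, as an added sketch that is not NIH's, IronPort's or Brightmail's code: the connection decision comes first, a positive signature match quarantines, and a heuristic hit only tags the subject. The thresholds, the hash-based signature and the three heuristics are assumptions chosen for illustration, and all sample messages are constructed.

```python
import hashlib
import re

# Assumed thresholds for illustration; the article states none.
BLOCK_BELOW = -7.0     # refuse the SMTP connection below this reputation score
THROTTLE_BELOW = -2.0  # rate limit the sender below this score
TAG = "Potential Spam: "

def fingerprint(body: str) -> str:
    """Toy signature: SHA-256 of the lowercased, whitespace-normalized body."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

# Constructed signature set built from one made-up "known spam" sample.
KNOWN_SPAM = {fingerprint("Claim your FREE prize now at http://prizes.example/win")}

def heuristic_hits(subject: str, body: str) -> int:
    """Count weak indicators; none of them is a positive match on its own."""
    checks = [
        re.search(r"\$\s*[\dl]+\s*(million|billion)", subject, re.I),  # money lure
        re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", body),           # bare-IP link
        subject.isupper() and len(subject) > 8,                        # shouting
    ]
    return sum(bool(c) for c in checks)

def triage(reputation: float, subject: str, body: str):
    """Return (connection, disposition, subject) in the article's stage order."""
    if reputation < BLOCK_BELOW:
        return "block", None, subject            # never reaches content scanning
    conn = "throttle" if reputation < THROTTLE_BELOW else "accept"
    if fingerprint(body) in KNOWN_SPAM:
        return conn, "quarantine", subject       # positive signature match
    already = subject.lower().startswith(TAG.strip().lower())
    if heuristic_hits(subject, body) and not already:
        return conn, "deliver", TAG + subject    # tagged but still delivered
    return conn, "deliver", subject

if __name__ == "__main__":
    samples = [  # constructed messages
        (-9.0, "hello", "hi"),
        (-3.0, "Prize", "Claim   your free PRIZE now at http://prizes.example/win"),
        (1.5, "You win $l billion!", "Reply today."),
        (4.0, "Meeting agenda", "See attached."),
    ]
    for s in samples:
        print(triage(*s))
```

A subject that already carries the tag is not tagged a second time, so a forwarded or re-scanned message keeps a single "Potential Spam:" prefix.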

[Figure: How the anti-spam service works]


You Can Help By Reporting Spam

CIT provides a mechanism—via a special "menu bar" in Outlook—that allows you to report spam that gets through or legitimate e-mail flagged as potential spam. Details are available on CIT's anti-spam web site. Included are instructions for the two necessary steps:

    1)     creating an Outlook "rule" for processing spam, and
    2)     downloading a Brightmail plug-in that puts the spam menu bar in Outlook.

Please follow the instructions carefully.

The plug-in can only be used for Microsoft Windows and Outlook (2000 or later). If you are not an Outlook user or have a Macintosh, you will find instructions for reporting spam on the web page under "How do I report e-mail?"

You should also understand the kinds of e-mail to report and not report.

•       E-mail to Report—and NOT Report

    You should only report e-mail if it matches one of the following criteria:

    • e-mail incorrectly labeled as spam or "Potential Spam:"

    • e-mail that should have been labeled as spam but wasn't

    • e-mail with federally-prohibited subject matter (inappropriate or illegal)
      See the description on-line [http://antispam.nih.gov/inappropriate.htm].

    Do NOT report e-mail if it is:

    • e-mail that is in fact spam but comes tagged in the subject as "Potential Spam:"
      It has already been processed by Brightmail. Just delete it.

    To keep "Potential Spam:" e-mail from showing up in your inbox, create a rule in Outlook. Instructions are on the anti-spam web site.

•       Outlook Menu Bar for Reporting

    After you have installed the Brightmail plug-in (and rebooted your computer), you will see a special menu bar in Outlook:

    [Image: Outlook screen showing special spam menu bar]

    Only one of the buttons is active at any one time. Each button has a different function:

      This is Spam

      Use this button for e-mail in your INBOX—NOT in the "Spam" folder.
      Pressing this button will package the spam inside another e-mail to Brightmail, which will use it to create new spam signatures.

      This is not Spam

      Use this button ONLY for e-mail in the "SPAM" FOLDER. Pressing this button will package the e-mail inside another e-mail to Brightmail, which will use it to revise current detection mechanisms.


      After using either button, you will get this dialog box, and a message will be sent to your "Sent Items" folder.

      [Image: Dialog box 'Submission Complete']

      Empty Spam Folder

      This button will move all e-mail in the "Spam" folder to your "Deleted Items" folder. You do not have to be in your "Deleted Items" folder to do this.

    More Information

    If you have questions, call the NIH Help Desk at 301-496-4357. Or send e-mail to helpdesk@nih.gov.

 
Published by Center for Information Technology, National Institutes of Health