Trap Contents
The One Shot, Pending, Spam, Non-Spam, and All menus all show your spam trap
in the same interface. While the All menu will display all messages currently
on record, the Pending, Spam and Non-Spam menus will show you only the
messages in the trap that are pending decision, marked as spam, or marked as
non-spam, respectively.
The One Shot setting will show you messages that are identified as spam and
for which the system has never before received a message from both the sender
and the email server the message came from. A common spam tactic is for a
spammer to use a virus-infected system as a spam-sending engine. If the
message is normal, the sending server will usually retransmit the message
within a few hours, and the message will automatically be moved from One Shot
to Pending.

The fields in these displays have the following meanings:
- Date is the date and time the message was first received. Clicking
on the link (the date) will open the Spam Incident page
for that respective message. The Incident page has a
section that shows the spam score of the message. Also, note that you cannot
generate a "security incident" to the OCCS Security group from the spam
incident page.
- Subject is the message subject. Clicking on this will pop up the
Show Message page for the message.
- Sender is the sender as specified in the message (the FROM field). Be aware
that spammers can easily fake the sender address. Clicking on the top
"sender@" part of the address will open the Blacklist/Whitelist Sender page.
- Score is the spam score assigned by the spam-scanning rules. The
higher the score, the more spam-like the message appears. Any
message scoring higher than your specified spam threshold
is held in the pending trap. Also, a message may be held even if it
scores lower than your spam threshold if it matches a
Blacklist\Whitelist entry with the "Always hold for approval" option. If this
is the case, a "Hold Reason" will appear below the score. Possible
hold reasons are:
  - HoldRelay - You have asked the SpamTrap to always hold messages from the
  sending relay.
  - HoldSender - You have asked the SpamTrap to always hold messages from the
  sender.
  - HoldDomain - You have asked the SpamTrap to always hold messages from the
  sender's domain.
- Status and Action shows the current status of the message, and lets you
determine the fate of pending messages.
  - Do Nothing - selecting this option (the default) will leave the message in
  the spam trap.
  - Accept Message - this option will forward the message to your Inbox (usually
  within a short time).
  - Reject Message - this option discards the message as spam.
Additional display options in the advanced interface offer the following two
optional columns:
- Relay is the SMTP relay host which transmitted the message. This is
somewhat harder to fake than the sender address. Note that
sometimes a message can be sent from more than one SMTP relay
host. If that is the case, you need to look up the incident
details (described later) to get a list of all the relay hosts.
Clicking on this will open the Blacklist/Whitelist Hosts page.
- Recipient is who the message is being delivered to. This will always be
your address.
There are additional options for the spam trap in the advanced
interface:
Specific Incident menu

Enter an Incident ID for any of your messages to see the Incident page
for that specific message.
Advanced Query menu

You may use as many or as few of the fields in the Advanced Query page
as you like - the more you use, the more limited your search.
To perform an advanced query:
- Set the Status field to one of "Any", "Pending", "Spam", or
"Non-Spam", depending on how you want to restrict the
query.
- Enter text in the Subject field to restrict the display to
messages whose subjects contain that text.
- Enter text in the Sender field to restrict the display to
messages whose senders contain that text.
- Enter text in the Recipient field to restrict the display
to messages whose recipients contain that text.
- Enter text in the Report field to restrict the display to
messages whose spam reports contain that text. For example, you could
enter "Custom rule" to match only messages that triggered a
custom rule.
- Enter text in the Hold Reason field to match by hold
reason. For example, you could enter "HoldDomain" to find
messages that were held because of Domain matching rules.
- Press Submit Query to run the query.
If you do not wish to restrict a query by a particular field,
merely leave the corresponding entry box blank. Note that sender
and recipient queries use the SMTP envelope sender and
recipients, not the contents of the From: or To: e-mail headers.
Also, sender and recipient queries may be slower than subject
queries.
Blacklists/Whitelists
Note: The spam trap does not have a "Blacklist" or
"Whitelist" link per se - rather, you manage how email is handled from
the "Rules/Lists" link and define how the spam trap treats email from
various "Senders", thus giving you a black and white list capability.
Blacklists defined: A blacklist is a list that causes the SpamTrap to
automatically reject messages. Most users set up blacklists for specific email
addresses or domains.
Whitelists defined: A whitelist is a list that causes the SpamTrap to
automatically accept and not process a message - the message "goes
through" by default, regardless of message contents.
Senders
The SpamTrap can take specific actions based on the sender's email
address. To see the sender list, click on "Rules/Lists"
and then "Senders". The sender page appears, as shown below. The other
links such as "Always Hold for Approval", "Hold if Looks Like
Spam", and "Always Reject" only show email addresses that are set
to follow these specific spam handling rules.

The allow-always, hold-always, reject or any menu items control which senders
are currently displayed, based on whether they are always allowed, always
held, always rejected, or in the table, respectively.
The columns in the table are:
- Sender - The e-mail address of a sender.
- Who - The user who last modified the sender's disposition.
- Current Action - The action taken by the SpamTrap when a message from the
sender arrives.
- New Action - Allows you to set a new action. The possible actions are:
  - No Change - keep the current action.
  - Always allow - always allow mail from this sender without scanning for
  spam. Note that dangerous attachments are still scanned and stripped for
  your protection.
  - Always hold for approval - mail from this sender is always held for
  approval, even if spam-scanning does not flag it as spam.
  - Hold if looks like spam - this is the default; mail from this sender will
  be held if it scores high enough on the spam scale.
  - Always reject - messages from this sender are always rejected with a
  permanent failure code. The rejection happens early on in the
  SMTP dialog, before any message body is transmitted.
  - Delete from Table - the sender is deleted from the table. Also, the
  SpamTrap treats the sender as if the setting Hold if looks like spam had
  been used.
- Comment - Allows you to enter a comment if you like. This can help you
remember why you whitelisted or blacklisted a sender.
To set new actions, adjust the New Action entries appropriately and click
Submit Changes.
Entering a New Sender Action
If you want to set an action for an e-mail address that
is not in the sender list, enter the address in the text
box and press enter or the Go button.

Changing a Sender's Action
Select your desired action for the sender entry and click Submit Changes.
For example, if you have a sender that is currently set to "Always Allow" and
you want to change them to "Always Reject", change the Action in the drop
down list for that sender.

And the entry is complete - the sender is now set to always be rejected.

Bulk Entry
Bulk entry Blacklisting\Whitelisting is ideal if you have a
large number of senders or domains to blacklist or whitelist at one time.
Example uses of bulk white listing would be professional or academic colleagues
that you work with.

For example, if you had a list of three domains that were
giving you trouble, rather than entering them one by one into the
domain table, you could use bulk entry.
- First, input the three domains. If you wish, you can give
individual comments to entries, as shown below. Entries
that do not have an individual comment will get the global
comment, if you put one in. It is always recommended that you
do, for ease of tracking your changes.
- As an example, these three people are being added as "Always
Allow", all at one time.

IMPORTANT: You must be very sure of the action you select! Selecting the
incorrect blacklist/whitelist type will cause the bulk entry form to create
incorrect rules, which could result in actions being taken on
mail that you did not desire - and could really increase the
troubleshooting time!
If such a case does happen, don't panic! The entries you
made in the text box are saved between action changes, so at
the confirmation screen, go to the bottom and select the
Delete from Table option for the incorrect blacklist/whitelist type you
selected previously. You can then again go down to the bottom
(after the confirmation of deleted entries) and select the
correct action.
- A confirmation message tells us where our entries were
added (see how our inputted entries were saved through the
action change?)
- After completion, in this case the Senders Table should show the added
entries. The bulk entry is for "Senders", so it is shown in the "Senders"
table from the Senders link.
Preferences
The preferences dialog is shown below. These options allow
customization of how information is displayed in the spam trap web user
interface.

Display Options
These options affect the user interface to the SpamTrap:
- Number of messages to display per page controls the number of messages per
page in the message summary. Allowable values are 10, 30, 50, 100 or 200.
Default is 30.
- Show link for one-shot messages determines whether the "One-Shot
messages" link is displayed in the message summary. If you find this link
distracting, turn it off.
- Sort messages by
- Sort order controls the sort order (ascending or descending). Default is
"Descending".
- Method for choosing spam-trap actions controls the type of
graphical object you use to accept or reject messages - drop down list or
checkboxes.
- Show relay column in trap display allows you to show or not show
the "Relay" column in the message list.
- Show recipient column in trap display allows display of the "To:"
field - who the email was sent to - in the message list.
- Preferred image format allows you to change the graphic format
that is displayed - PNG or JPEG. Some browsers don't display PNG graphics
correctly, so there is an alternative.
- Show the 'Actions Taken' page allows for more information to be
displayed on a summary page after the SpamTrap takes a specific action.
The default is No, which causes this summary page to be skipped.
- Use simplified GUI changes the user interface from the advanced
settings to the basic settings.
- Limit for COUNT queries enables a limit on the number of messages
returned from the database - it is advisable that you set this to 500 or lower
for more efficiency.
To change your preferences, fill in the correct values for
each preference and then click Update Preferences.
Stream Settings
Your "Stream" refers to the collection of rules and policies that
are used to handle potential spam. In the simplified interface there are
four streams - High, Medium, Low, and Tag Only. When you enable the expert
interface you are setting up a stream for your email account name - and no
longer using the simplified streams. For instance, you can configure your
own black lists (email addresses you want discarded always), your own white
lists (email addresses to always accept), and then select "Only Tag
Spam". In so doing you would have the spam trap handle email
addresses as you like and allow everything else through, with the addition of a
score.

The following options pertain to spam scanning:
- Automatically reject messages scoring more than this amount - If a message
scores higher than this on the spam scale, it will be automatically rejected.
Use with caution! Rejected messages never make it to your spam trap, and thus
never create a record of attempted delivery. It will be as if
it never existed, and there is no way to retrieve a rejected
message. Default is 2000.
- Spam threshold - This is the score it uses to determine if a message is
possible spam. A value equal or greater than this option is treated as
possible spam; below is accepted and delivered to your inbox.
Default is 5 for standard, 3 for aggressive. Be very careful about
setting this value below 5.
- Only tag spam - do not hold any messages - If you enable this, then no
messages are held in the trap because of high spam scores. The SpamTrap simply
tags the subject line of each message which would have been held with the
string "[SPAM:***]" and delivers it normally. The number of stars
after the SPAM: tag is the integer part of the spam score.
Be aware that in tag-only mode any "Reject" rules will still apply.
- String to put in tagged subjects - This is the string that gets prepended to
the subject line in tag-only mode. The default setting is [Spam:%* %?]. Note
that the string %* gets replaced with a string of asterisks, where
the length of the string equals the integer part of the spam
score. Also, the string %? gets replaced with the reason a
message was tagged, such as SpamScore, HoldSender, etc.
Finally, the string %d gets replaced with the actual spam score
as a decimal number.
- Hold messages from hosts in administrator's real-time "Hold" blacklists -
Use the real-time hold blacklist to catch spam. Default is "No".
- Reject messages from hosts in administrator's real-time "Reject" blacklists -
Use the real-time reject blacklist to reject spam. Default is "No".
There are two preference options that can be used to create a "daily
reminder" of spam in the trap. If you enable "Send e-mail
notification of pending messages" and configure a valid email address
in "E-mail address for notification of pending messages" you
will be notified daily of how much spam is in the spam trap for you.
Messages are generated overnight.
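
The scoring and tagging options in the Stream Settings list above can be modelled in a few lines of Python. This is an added example, not the SpamTrap's own code. The action names, the order in which list rules and score limits are checked, the tagging of hold-list matches in tag-only mode, the one-decimal %d format and the space after the tag are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Stream:
    """Per-user stream settings, with the defaults the page documents."""
    spam_threshold: float = 5.0
    auto_reject: float = 2000.0
    tag_only: bool = False
    tag_format: str = "[Spam:%* %?]"

def expand_tag(fmt, score, reason):
    """Expand %* (asterisks), %? (reason) and %d (score) in the subject tag."""
    subs = {"%*": "*" * int(score), "%?": reason,
            "%d": f"{score:.1f}"}  # one-decimal format is an assumption
    out, i = [], 0
    while i < len(fmt):
        if fmt[i:i + 2] in subs:
            out.append(subs[fmt[i:i + 2]])
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)

def disposition(stream, score, subject, list_action="hold-if-spam",
                hold_reason="HoldSender"):
    """Return (action, subject). list_action names are made up for this sketch;
    the order of the checks below is an assumption, not documented behaviour."""
    if list_action == "always-reject":      # reject rules apply even in tag-only mode
        return "reject", subject
    if list_action == "always-allow":       # delivered without spam scanning
        return "deliver", subject
    if score > stream.auto_reject:          # rejected: no record in the trap
        return "reject", subject
    if list_action == "always-hold":
        reason = hold_reason                # HoldRelay, HoldSender or HoldDomain
    elif score >= stream.spam_threshold:
        reason = "SpamScore"
    else:
        return "deliver", subject
    if stream.tag_only:                     # assumption: hold-list matches are tagged too
        return "deliver", expand_tag(stream.tag_format, score, reason) + " " + subject
    return "hold", subject
```

Lowering the auto-reject value is the only setting here that removes the trap record, so it is the one to test against real scores before changing.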
Opt In/Out
You can actually opt out of spam processing. Note that the spam trap
caches information on who is enrolled in spam processing - it will take at least
an hour for the system to recognize that you have opted out. You
click on the "Click to Opt OUT of spam-scanning" button in order to
opt out.

If you wish to opt out of the SpamTrap service, you may do so
here, by pressing the "Opt OUT of spam-scanning" button.
Show Message Pages
You can see details about the individual messages by clicking on the Subject
line or the Date entry for each message shown on the Trap Contents
page. For instance, the message shown below is an example of an
advertisement from "buy.com", a large Internet e-tailer. Here you will be able to see the first 8kB of the message
body.
Note that some spammers try to hide messages by encoding
them using Base64 encoding (a special encoding for transmitting
binary data). Click on "Base64-Decoded Message" on the message display to decode the message. You can also click on
"Strip HTML Tags" to more easily read the text of HTML
messages.
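
The Base64 and HTML views described above can be reproduced offline when you need to inspect a suspicious message without rendering it. The following is an added example, not the SpamTrap's own code: the sample message is constructed, the function and class names are made up, and listing link targets separately is an addition that goes beyond what the Show Message page is described as doing.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser

PREVIEW_BYTES = 8 * 1024  # the Show Message page displays the first 8kB

# Constructed sample: an HTML advertisement sent with Base64 transfer encoding.
HTML = (b"<html><body><h1>Sale</h1><p>Click <a href='http://shop.example/x'>here</a>"
        b" now</p><script>track()</script></body></html>")
RAW = (b"From: Deals <offers@shop.example>\nSubject: Weekend sale\n"
       b"MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n"
       b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(HTML))

class TextAndLinks(HTMLParser):
    """Collect visible text and link targets; nothing is rendered or fetched."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links, self._hidden = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.text.append(data.strip())

def show_message(raw, limit=PREVIEW_BYTES):
    """Return the as-sent, decoded and tag-stripped views of a message body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain")) or msg
    as_sent = part.get_payload(decode=False)[:limit]   # Base64 text as transmitted
    body = part.get_payload(decode=True)[:limit]       # transfer encoding undone
    decoded = body.decode(part.get_content_charset() or "utf-8", "replace")
    parser = TextAndLinks()
    parser.feed(decoded)
    parser.close()
    return {"as_sent": as_sent, "decoded": decoded,
            "stripped": " ".join(parser.text), "links": parser.links}
```

Stripping tags hides where a link points, which is why the link targets are returned as a separate list.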
Spam Score
To see why the spam trap scored a particular message as spam, you can click
on the Date and then navigate to the bottom of the page. There is a
list of rules which the system uses in order to classify email and score email
as spam. Here, there were several rules with various weights that came up
with an aggregate score of 5.5.
