In 2017 a lot happened in the field of cyber safety. As in previous years, LISA has taken actions and measures have been implemented to protect the university community as well as possible. We, like many other institutions, use SURF's scan service, SURFmailfilter. This service takes care of the detection of spam and the removal of malware.
Greylisting
The first measure is the so-called greylisting. A new computer that wants to send mail is initially refused. Only when a second attempt is made to deliver the same mail the mail is accepted. This principle is based on the fact that a spammer sends so much spam that he is not worried whether or not a mail arrives. He will therefore not check whether mail is accepted and does not offer the mail a second time. A normal mail server will save the mail and try again five minutes later. Then the mail is accepted immediately.
The graph above shows that an average of 20,000 computers can deliver mail, while nearly 3 million computers try to do so. We can reasonably assume that we are stopping a lot of spam.
Spam detection
What kind of mail is delivered by those 20,000 computers? Unfortunately, still a lot of spam. If, within a legitimate organization, spam is sent by, for example, an infected computer, the mail goes through the standard mail servers of that organization. Those servers will also offer the spam again after five minutes, just like they do with normal mail.
As you can see, almost 40% of the mail that is accepted is still spam.
What is done with this mail?
This spam is, like the legitimate mail, forwarded to the university's mail server. A tag that is added by SURFmailfilter is looked at. If that tag indicates that the mail is spam, it is placed in the Junk folder. This offers the possibility that the user can still find "missing" mail.
The mail in the Junk folder is deleted after thirty days to prevent the mailbox from filling up with rubbish.
For more information about spam, spam filters and other measures to protect you, contact CERT-UT.
