Carnegie Mellon University Website Home Page
 
Skip navigation and jump directly to page content
Documentation Index
Email
Spam Filtering
Mail Filter
The "mailto:" Tag
Spam Resistant E-mail List
Spam Filter through MyAndrew
Spam Filter through Portal
How the Andrew Spam Filter Works
Accounts
Network, Phone & TV
Software
Email & Calendar
Secure Your Computer
Clusters & Printing
Web Services
Classroom & Event Support
Education & Outreach
Support & Repair
Information Security Office (ISO)

How the Andrew Spam Filter Works

The Andrew Spam Filter is implemented using a product called PureMessage by Sophos. PureMessage is a mail filter that uses a rule base to perform tests on e-mail and identify spam. The PureMessage software works in conjunction with our Cyrus mail server and performs these tests on all mail received by the server. However, mail sent through the Andrew outgoing mail server (SMTP.ANDREW.CMU.EDU) is NOT scanned by PureMessage.

Note: Mail sent via the Andrew outgoing mail server that must go out to another server before being delivered to the Cyrus server will be scanned by the Andrew Spam Filter. For example, if you send mail using the Andrew outgoing mail server to a "user@cmu.edu" address, that mail is sent to the cmu.edu server and then to the Cyrus mail server. Because the Cyrus mail server receives the mail from a server other than the Andrew outgoing mail server, that mail will be evaluated and scored by the Andrew Spam Filter.

Following is an overview of how the Andrew Spam Filter handles your incoming mail.

  1. All mail received by the Cyrus mail server is scanned by the Andrew Spam Filter.
    All incoming e-mail received by the Cyrus mail server is scanned for signs that it may be spam. This scan is performed regardless of whether you have enabled the spam filter. The Andrew Spam Filter contains a series of conditions or rules that it checks against each piece of mail. Remember, mail sent through the Andrew outgoing mail server (SMTP.ANDREW.CMU.EDU) is NOT scanned or "scored".
  2. The Andrew Spam Filter offers a percentage score for your email.
    Each condition or rule within the Andrew Spam Filter has a grade. The total score for a piece of e-mail is the sum of the grades for each of the conditions that the mail matches. PureMessage then takes this score and converts it into a percentage likelihood that the message is spam.
  3. If an e-mail has a percentage of 50 or higher, a line containing the score and reason for the overall score is inserted in the header of the "spam" message.
    Following is an example of the information that might be added to the header of your mail message. The information within parenthesis includes the reasons for the overall score for the message (in this case, 92%).

    X-Spam-Warning: 92% (URI_CLASS_HEALTH_DOMAIN 8, CTYPE_JUST_HTML 0.848, LIMITED_TIME_ONLY 0.461, BIG_FONT 0.146, CLICK_HERE_LINK 0.131, HTML_50_70 0.092, CLICK_BELOW 0.089, __CTYPE_IS_HTML 0, __UNUSABLE_MSGID 0, __CLICK_BELOW 0, __CLICK_HERE_LINK 0, __TAG_EXISTS_BODY 0, __MIME_HTML 0, HTML_FONT_COLOR_YELLOW 0, __MIME_HTML_ONLY 0, __TAG_EXISTS_HTML 0, __TO_MALFORMED_2 0, __MIME_VERSION 0, __EVITE_CTYPE 0, __CT 0, __CTYPE_HTML 0)
  4. Depending on which spam filter option you selected, mail messages with a percentage less than 50 are delivered to your INBOX. Depending on which spam option you chose, the Andrew Spam Filter either discards or files e-mail messages with an overall percentage score of 50 or greater into your INBOX.spam folder (or another folder that you designated) with the FOLLOWING EXCEPTIONS:
    • E-mail sent using the Andrew outgoing mail server (SMTP.ANDREW.CMU.EDU) is NOT scanned by the Andrew Spam Filter. Therefore, it is not evaluated for signs of spam and will not be filtered. However, if mail is sent via the Andrew outgoing mail server but is not directly delivered to the Cyrus mail server it is scanned by the Andrew Spam Filter. This is the case if you use the Andrew outgoing mail server to send mail to a "user@cmu.edu" address. The mail is first sent to the cmu.edu server. The Cyrus mail server then receives the message from cmu.edu and the message will be evaluated and scored by the Andrew Spam Filter.
    • Unless you selected the option to DISCARD spam, conditions set using your Accept list are checked before e-mail is filed into your spam folder. If an e-mail meets one of the Accept list criteria, it is automatically delivered to your INBOX regardless of its score.
    • Likewise, conditions set using your Filter list are also checked before e-mail is delivered to your INBOX. If an address or domain has been added to your Filter list, the mail is automatically filed in your spam folder OR discarded, even if it has not been flagged as spam. (Unless the address is also on your Accept list. Unless you selected the option to DISCARD spam, the Accept list takes precedence over conditions set in the Filter list.)

You must perform maintenance on your INBOX.spam folder.
 It is up to you to decide whether to delete or keep the mail filed in your spam folder. Spam is not normally highlighted as being "unwanted" mail. The Andrew Spam Filter has identified common aspects of spam and used this information to develop its rules. Because legitimate e-mail can sometimes be mistaken as spam, you should review the mail in your spam folder before deleting it. You must also regularly clean out your INBOX.spam folder to avoid filling your mail quota.

If you find that spam from a particular source is not being filtered, or that legitimate mail is inaccurately being filtered, customize your Accept list or Filter list to accommodate these domains or e-mail addresses.

Last Updated: 9/26/06