VUmailguard FAQ
Frequently Asked Questions
- What is VUmailguard?
- What methods are used to mitigate email attacks?
- What are DNS block lists (DNSBLs)?
- What is throttling?
- What is Sender Policy Framework (SPF)?
- What is the VUmailguard message size limit?
- What is spam?
- What is VU doing about spam?
- Why Proofpoint?
- How does spam filtering work?
- What email addresses are filtered?
- What if my Vanderbilt email is forwarded to another address?
- Why am I getting fewer messages than I used to?
- How do I report spam that I received (spam false negatives)?
- I didn't receive a message I was expecting; is it because of that Proofpoint thingy?
- How do I choose what happens to my mail?
- What's a "quarantine?"
- What's a "digest?"
- Are quarantined messages confidential?
- Do quarantined messages count against my quota?
- How often is the digest delivered?
- What does "tag and pass" mean?
- Can I disable digest messages?
- Can I request a digest at any time?
- What are safelists and blocklists?
General Questions:
Q: What is VUmailguard?
VUmailguard is the deployment of a modular electronic messaging security product, featuring email firewall, anti-virus, and anti-spam filtering modules, designed to help keep the Vanderbilt network safe from email attacks.
Q: What methods are used to mitigate email attacks?
When a message is received into the Vanderbilt network, it is processed by the following modules, in order.
- Email Firewall
  The email firewall module is the first line of defense and blocks messages based on connection and message criteria.
  - Connection criteria include the sending email server's reputation (DNSBLs) or behavior (throttling), e.g., a server has a known reputation for sending spam/viruses around the Internet, or a server is sending a high percentage of spam/viruses into the Vanderbilt network.
  - Message criteria include SPF receiver-side rules, message size limits, and specific high-risk attachments.
- Anti-Virus
  The anti-virus module guards against virus infections, including zero-hour outbreaks. VUmailguard scans for viruses before an email message is ever analyzed as possible spam.
  Note: No notification is sent to the sender of messages containing viruses that are quarantined.
- Anti-Spam
  Once the message is deemed to be clean, the anti-spam module assigns a numeric probability that the email is spam. What happens next depends on the score. First, all messages scored at 99 or 100 are dropped without notification by default unless the sender's email address has been added to a safe list. This is the global policy for Vanderbilt University and applies even if you selected the tag and pass disposition option. Messages with lower scores are handled according to your disposition:
  - Tag and Pass – All messages are delivered to the mailbox with a tag added to the message header unless scoring 99 or 100.
  - Quarantine and Digest (default) – All messages 0-69 are delivered to the mailbox, all messages 70-98 are quarantined.
  - Quarantine and Digest (strict) – All messages 0-49 are delivered to the mailbox, all messages 50-98 are quarantined.
All of this happens in milliseconds, as the VUmailguard service handles over 30 million messages per month.
Q: What are DNS block lists (DNSBLs)?
A DNS blocklist is a published set of IP addresses in a format that computer programs can easily query. Generally, it is a list of IP addresses that should be avoided. For email purposes, DNSBLs list IP addresses that are known to be senders of spam and malware. For more information about DNSBLs, see the Wikipedia entry for DNSBLs.
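How a mail receiver queries a DNSBL, as an added example (not VUmailguard's or Proofpoint's code): the connecting IP is reversed, prefixed to the list's zone, and looked up as an A record. The zone `dnsbl.example.org`, the function names and the sample zone data are constructed placeholders.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name a receiver looks up to ask whether `ip` is listed in `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                  # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # hex nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """A-record lookup via the OS resolver; [] on NXDOMAIN or any lookup error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []   # note: this fails open when the list is unreachable

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (listed, code). Only answers inside 127.0.0.0/8 count as a listing."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in resolve(dnsbl_query_name(ip, zone))
             if ipaddress.ip_address(a) in loopback]
    return (bool(codes), codes[0] if codes else None)

# Constructed zone data standing in for a real list.
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example.org": ["127.0.0.2"],        # conventional test entry
    "99.2.0.192.dnsbl.example.org": ["127.0.0.4"],       # constructed listing
    "7.100.51.198.dnsbl.example.org": ["203.0.113.9"],   # parked/wildcard answer
}
fake_resolver = lambda name: FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.99", "198.51.100.7", "192.0.2.1"):
        print(ip, check_dnsbl(ip, "dnsbl.example.org", fake_resolver))
```

Ignoring answers outside 127.0.0.0/8 keeps a parked or wildcarded list domain from marking every sender as listed.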
Currently, Vanderbilt University uses the following DNSBLs:
Q: What is throttling?
Throttling restricts traffic initiating from specific IP addresses by analyzing the messages from the connections in real time and applying policies according to what it discovers from the analysis. For example, if 50% of the email originating from a specific IP address over a 24 hour period is infected with a virus or contains spam, VUmailguard will apply a rule to reject the messages originating from that IP address for a period of time. VUmailguard may also restrict the number of connections it accepts from IP addresses that are suspected of threatening the Vanderbilt network with a Denial of Service (DoS) attack or Directory Harvest Attack (DHA).
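The 50%-over-24-hours rule described above, sketched as a per-IP sliding window (an added example, not VUmailguard's implementation). The minimum sample size and the block duration are assumptions, since the page only says "a period of time".

```python
from collections import defaultdict, deque

class SenderThrottle:
    def __init__(self, window=24 * 3600, bad_ratio=0.5,
                 min_messages=20, block_seconds=3600):
        self.window = window                 # seconds of history kept per IP
        self.bad_ratio = bad_ratio           # share of spam/virus mail that triggers a block
        self.min_messages = min_messages     # assumption: avoid blocking on a tiny sample
        self.block_seconds = block_seconds   # assumption: length of the rejection period
        self.history = defaultdict(deque)    # ip -> deque of (timestamp, is_bad)
        self.blocked_until = {}              # ip -> time the block expires

    def allowed(self, ip, now):
        """True if connections from `ip` are currently accepted."""
        return now >= self.blocked_until.get(ip, 0)

    def record(self, ip, now, is_bad):
        """Record one scanned message; return True if `ip` is blocked afterwards."""
        events = self.history[ip]
        events.append((now, is_bad))
        # Drop verdicts that have aged out of the window.
        while events and events[0][0] <= now - self.window:
            events.popleft()
        bad = sum(1 for _, flagged in events if flagged)
        if len(events) >= self.min_messages and bad / len(events) >= self.bad_ratio:
            self.blocked_until[ip] = now + self.block_seconds
        return not self.allowed(ip, now)

if __name__ == "__main__":
    throttle = SenderThrottle(min_messages=4, block_seconds=600)
    # Constructed verdict stream for one documentation-range address.
    for ts, bad in [(0, False), (10, False), (20, True), (30, True)]:
        print(ts, throttle.record("192.0.2.50", ts, bad))
```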
Q: What is Sender Policy Framework (SPF)?
Sender Policy Framework (SPF) is an anti-spam protocol that allows you to authenticate or verify the domain of an email sender. This protocol is useful in deterring spammers who often disguise their true Internet address by pretending that their email comes from a legitimate domain.
Each domain that supports SPF has an entry in its Domain Name System (DNS) records that describes unique attributes of its mail system and lists its authorized senders. An SPF client program or receiver (in this case, VUmailguard) sends a DNS query to the domain from which the email supposedly originated to determine if the sender is legitimate. When the SPF client program evaluates an SPF record, it produces one of several results or conditions, which are predefined by the SPF protocol and included as rules in the VUmailguard SPF feature. The results of the DNS query determine whether VUmailguard should accept the email.
Q: What is the VUmailguard message size limit?
The VUmailguard message size limit is based upon several criteria.
- Overall message size: The total size of a message cannot exceed 30 MB.
- Attachment count: The total number of attachments in a message cannot exceed 256.
- Individual attachment size: No single attachment in a message can exceed 20 MB.
- Archived attachments (e.g., zip, tar, sit):
  - No single file within an archived attachment can exceed 20 MB.
  - The total number of files within an archived attachment cannot exceed 256.
  - The maximum folder depth within an archived attachment cannot exceed 20.
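The archive limits above, applied to a zip attachment (an added example, not VUmailguard's scanner). It assumes MB means 2**20 bytes and that folder depth counts the folders above a file; the function names and sample archives are constructed.

```python
import io
import zipfile

MB = 1024 * 1024   # assumption: the page does not say whether MB is 2**20 or 10**6 bytes

def check_zip(data, max_file=20 * MB, max_files=256, max_depth=20):
    """Return a list of limit violations for one zip attachment ([] = within limits)."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable zip archive"]
    with zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) > max_files:
            problems.append(f"{len(files)} files (limit {max_files})")
        for info in files:
            # Assumption: depth = number of folders above the file.
            depth = len([p for p in info.filename.split("/") if p]) - 1
            if depth > max_depth:
                problems.append(f"{info.filename}: depth {depth} (limit {max_depth})")
            # The size stored in the zip header is sender-controlled, so count
            # the bytes actually produced and stop once the cap is passed.
            seen = 0
            with zf.open(info) as member:
                while seen <= max_file:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    seen += len(chunk)
            if seen > max_file:
                problems.append(f"{info.filename}: larger than {max_file} bytes")
    return problems

def build_zip(entries):
    """Build a constructed in-memory zip from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_zip({"a/b/c/d.txt": b"z", "big.bin": b"\0" * 1000})
    print(check_zip(sample, max_file=100, max_depth=2))
```

Reading in bounded chunks means a highly compressed member is rejected after slightly more than the cap has been inflated, rather than after it has been fully expanded.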
Q: What is spam?
Spamming is commonly defined as the sending of unsolicited bulk e-mail - that is, email that was not asked for (unsolicited) and received by multiple recipients (bulk). A further common definition of spam restricts it to unsolicited commercial e-mail, a definition that does not consider non-commercial solicitations such as political or religious pitches, even if unsolicited, as spam. This definition is directly copied from the Wikipedia definition for SPAM (electronic).
Q: What is VU doing about spam?
Vanderbilt University ITS has implemented the Proofpoint Protection Server as well as subscribed to several real-time Blocking Lists to help manage spam for Vanderbilt University. Currently all VUmail, VUexchange, VU Gmail, and VUMC exchange users are enrolled in the service.
Q: Why Proofpoint?
After comparing all of the enterprise-class products for spam management, the Email Implementers team decided that Proofpoint provides the most sophisticated evaluation engine available, and the fewest errors in determining whether an email is spam. While cost and feature sets were also compared, the accuracy of the software was the determining factor, and Proofpoint is the clear industry leader.
Q: How does spam filtering work?
Proofpoint MLX technology examines over 50,000 mail attributes to assign a numeric probability that a particular piece of email is spam. It also includes machine learning algorithms that predict new spam mutations, and is constantly updated to keep up with the ever-changing methods of spammers.
Q: What email addresses are filtered?
Only email sent to your @vanderbilt.edu address will be filtered. Any messages sent to other accounts, such as Yahoo Mail or Hotmail, will not be scanned, even though you may review those messages on campus.
Q: What if my Vanderbilt email is forwarded to another address?
All email sent to your @vanderbilt.edu address is filtered before it is forwarded elsewhere. Quarantine digest messages (see What's a digest? below) are forwarded like your other email.
Q: Why am I getting fewer messages than I used to?
By default, when VUmailguard detects that an email message is spam, that message is "quarantined." You will receive a daily digest message, listing all of the senders and subject lines of messages which have been quarantined. If there is a message that you want to examine, you can release the message, and it will be delivered to your mailbox. You can also change your disposition so that spam is marked in the message header but delivered to you, and your local email client can perform the filtering. Or you may have VUmailguard ignore your mail, so that all mail, spam or not, is delivered normally. For more information, see the Usage questions below.
Q: How do I report spam that I received?
The best method to report spam false negatives is to send the original spam message to vumailguard-review@vanderbilt.edu. Simply forwarding the message does not include the header information needed to examine the origin of the message.
These instructions are not currently applicable to Outlook Web Access (OWA).
The following instructions work with Outlook 2003, Outlook 2007, and Entourage.
- Create a new message and address it to vumailguard-review@vanderbilt.edu.
- Drag the original spam message from the Inbox into the new message window. The original spam message should now show as an attachment in the new message.
- Send the new message. The original spam message will then be examined and reported to the vendor. The vendor will include new criteria so that future spam messages are quarantined.
If not using the above email clients, forward the original spam message to vumailguard-review but be sure to include the message headers. If you need assistance with any of these instructions, please contact your local support provider.
Q: I didn't receive a message I was expecting; is it because of that Proofpoint thingy?
Probably not. Proofpoint has the lowest error rate of any anti-spam technology currently available. However, if a message is quarantined in error, you can still release the message via the daily digest.
Usage Questions:
Q: How do I choose what happens to my mail?
There are three possible dispositions for your email. By default, you are placed in the "quarantine and digest (default)" group (see quarantine and digest below). However, you may change your disposition to "tag and pass" or "quarantine and digest (strict)". To change your disposition, log in to the VUnet Modify Personal Options page (https://www2.vanderbilt.edu/vunet/modify.html) and make your choice under "VUmailguard Anti-Spam Disposition Options".
Q: What's a "quarantine?"
When a piece of email is sent to any.address@vanderbilt.edu, VUmailguard scans the message to determine if it is spam. If it is spam, VUmailguard reroutes the message to a large storage area on a separate server. This prevents spam from cluttering up your Inbox. VUmailguard sends you a daily digest email with the subjects and senders of all the messages which were moved to the quarantine. Unreleased messages are deleted from the quarantine after 14 days.
Q: What's a "digest?"
If your email disposition is set to "quarantine and digest", VUmailguard sends you a daily email message which includes a list of the senders and subject lines for each of your quarantine messages. To view an email in the list, click "release" in the message, and the quarantine delivers that message with "released" added to the subject line. Daily digests only include messages quarantined since the last digest. However, you can request a comprehensive digest with all of the messages in your quarantine. To do this, click the link labeled "Request New Quarantine Digest" in any digest message.
Q: Are quarantined messages confidential?
Quarantined messages are treated with the same level of confidentiality as all email at Vanderbilt: Access to email without the permission of the recipient can only be authorized by a Vice-Chancellor or the Director of Human Resources.
Q: Do quarantined messages count against my quota?
No. Quarantined messages are stored on a separate server, and do not count against your email quota unless they are released to your Inbox.
Q: How often is the digest delivered?
Digests are mailed each day at approximately 12:01 a.m.
Q: What does "tag and pass" mean?
If you set your email disposition to "tag and pass", all your email is scanned, but messages likely to be spam are not quarantined. Instead, the message is delivered to your mailbox with a tag added to the message header. You can then set up filter rules in your local email client (Outlook, Thunderbird, Mulberry, etc.) based on that line in the header. (Recommended for advanced users only.)
Q: Can I disable digest messages?
Yes, digest messages can be disabled. Your daily digest message provides a link called "Manage My Account". Select this link then select "Profile" and two check boxes appear. The check box labeled "Send digest with new messages in my Quarantine Digest" enables or disables the receipt of the daily digest. The check box labeled "Send digest even when I have no messages in my Quarantine Digest" enables or disables the receipt of an empty digest.
Q: Can I request a digest at any time?
Yes, a digest can be requested at any time by selecting the link labeled "Request New Quarantine Digest." This action produces a summary digest that contains all messages sent to your email address that were quarantined for the past 14 days including messages up to the hour of your new digest request.
Q: What are safelists and blocklists?
A safelist is a list of addresses which should never be counted as spam, no matter what the result of the anti-spam scan. Likewise, a blocklist is a list of addresses which are always blocked as spam, no matter what the result of the anti-spam scan. You can add and remove addresses to your own safelist and blocklist.
If an email that you have requested, like a newsletter, appears in your digest message quarantine list, you might want to add the sender's email address to your personal safelist. Click on the link to "Safelist" next to that entry in the digest, and the sender's email address will be added to your personal safelist. At the same time, that message is released from quarantine and delivered to your inbox.
To create a blocklist, or to edit a safelist or a blocklist, click on "Request Safe/Blocked Senders List" in your daily digest message. An email showing all of your current safelist and blocklist addresses is sent to your inbox. (If you have never safelisted an address from the digest before, the email is still sent, but the lists may be empty.) Click the "Add" button next to "Safe Senders List" or "Blocked Senders List" to add a new address, or click the "Remove" button next to any address which you want to delete.
Certain sources of email are always delivered to users. These sources are on a system-wide safelist, and are never blocked. A system-wide blocklist is available at https://its.vanderbilt.edu/blocklist [forthcoming]. To find out if an address is on the system-wide safelist, contact ITS Partner Support at its-partner@vanderbilt.edu, 6-4877.