Email Spam Filtering
What is the Spam problem, and what is BrightMail?
In recent years, unsolicited bulk emails (spam) have become an increasing problem. Many people are finding their inboxes flooded with increasingly offensive spam - perhaps 100 spam messages per useful message.
Dealing with this problem is quite tricky, because there is no objective definition of what precisely constitutes a spam email, and thus the problem of taking an email message and reliably categorising it as spam or non-spam is a hard problem, with no single perfect solution. However, this problem is receiving serious attention world-wide nowadays, and several systems are now available which use a variety of techniques to detect spam.
CSG have investigated several spam-detection techniques - SpamAssassin and Dspam in the past - and have now settled on a commercial anti-spam and anti-virus package called BrightMail from Symantec. BrightMail automatically downloads new anti-spam and anti-virus tests - updating itself every few minutes - and claims to largely solve the spam problem by detecting the bulk of spam mail - but not all - while having an astonishingly low 1-in-a-million false positive rate.
What does CSG's installation of BrightMail do?
On both Departmental mail servers the Exim mail server software now hands all email messages to BrightMail for checking before Exim's normal mail processing starts. BrightMail runs all its tests on the message and comes to a verdict.
BrightMail verdicts, and Exim's response to them, can be summarised as:
BrightMail Verdict                                        Exim Response
--------------------------------------------------------  ------------------------------------------------------------------------------------------------------------------
Non-spam                                                  Leave unmarked; deliver normally
Known virus                                               Delete it silently!
Virus checking failure [rare]                             Mark it by prefixing "[WARNING: NOT VIRUS CHECKED]" onto the Subject line; then deliver normally!
Spam content - 99.9999% certain                           Mark it by adding the headers X-BrightMail-Spam-Flag: YES and X-Spam-Flag: YES, then deliver normally
Spam from a blocked (recently blacklisted) IP address     Mark it by adding the headers X-BrightMail-Spam-Blocked: YES and X-Spam-Flag: YES, then deliver normally
Might be spam [rare]                                      Mark it by adding the headers X-BrightMail-Spam-Maybe: YES and X-Spam-Flag: YES, then deliver normally
Note that the X-Spam-Flag: YES header is added to maintain backwards compatibility with the previous SpamAssassin system.
Any of these headers may be used by your .forward file to handle spam specially; we'll cover this shortly.
Please understand clearly that this is all that BrightMail does. It scans messages, deletes viruses, and then (optionally) adds some of the headers as shown above. It does not delete spam email, store spam messages in a different place, register spam messages with off-site spam databases, or anything else like that.
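As an added illustration (not part of CSG's documentation or of BrightMail itself), the following Python recovers which row of the table above a delivered message fell into, by reading only the marks Exim leaves on it. The sample messages are constructed here; the "legacy flag only" case is an assumption for messages carrying X-Spam-Flag without any X-BrightMail header.

```python
import email
from email import policy

# Header names and Subject prefix exactly as listed in the verdict table.
# Checked in this order so the strongest mark wins if several are present.
BRIGHTMAIL_HEADERS = (
    ("X-BrightMail-Spam-Blocked", "spam: blocked IP"),
    ("X-BrightMail-Spam-Flag", "spam: content"),
    ("X-BrightMail-Spam-Maybe", "might be spam"),
)
NOT_CHECKED_PREFIX = "[WARNING: NOT VIRUS CHECKED]"


def brightmail_verdict(raw_message: str) -> str:
    """Map the headers Exim added to the BrightMail verdict they encode.

    A 'known virus' message never reaches the mailbox (deleted silently),
    so that row of the table cannot appear here.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header, verdict in BRIGHTMAIL_HEADERS:
        if (msg.get(header) or "").strip().upper() == "YES":
            return verdict
    if (msg.get("Subject") or "").startswith(NOT_CHECKED_PREFIX):
        return "not virus checked"
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        # Assumption: the compatibility flag alone, with no BrightMail header,
        # is still treated as spam rather than being ignored.
        return "spam: legacy flag only"
    return "non-spam"


def spam_folder(raw_message: str) -> str:
    """The decision a .forward rule would make: file spam and 'maybe' apart."""
    verdict = brightmail_verdict(raw_message)
    return "spam" if verdict.startswith("spam") or verdict == "might be spam" else "inbox"


# Constructed sample messages for illustration.
SAMPLE_BLOCKED = """From: someone@example.invalid
Subject: cheap offer
X-BrightMail-Spam-Blocked: YES
X-Spam-Flag: YES

body
"""
SAMPLE_CLEAN = "From: colleague@example.invalid\nSubject: meeting\n\nSee you at 10.\n"
SAMPLE_UNCHECKED = "Subject: [WARNING: NOT VIRUS CHECKED] report\n\nattached\n"
```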