Raggedstaff Internet
The friendly ISP
 

Content filters



What is a content filter?

Content filters are applied after the mail has arrived and involve carefully inspecting the content of the mail headers and body. Because the whole message is available to our content filters it is possible to detect malware more accurately than with envelope filters. On the down side though, content filtering is slower and more demanding on our servers.

Two types of content filter are used by Raggedstaff Internet - virus detection and spam detection. We use ClamAV to check incoming mail for viruses and SpamAssassin technology to achieve considerable accuracy in detecting SPAM. We give you great flexibility in deciding how mail is tested and what happens to mail that fails the tests.

You can apply content filters to each email address individually, or to a whole domain. You can apply different policies to different addresses. Tests are carried out on the basis of the address the mail enters our servers addressed to. If you use mail redirection, tests are carried out on the basis of the address the mail arrived at our servers for, not the address to which it is redirected.

Using content filters we estimate that over 99% of spam and nearly 100% of viruses sent to Raggedstaff are detected. Spam detected using content filters is marked, either in the Subject header or special X-Spam-* headers, and passed on to be filtered by your email software.

Policies

A policy is a collection of test settings. The policy defines which tests are carried out and what happens to mail that fails a test. You can select from our pre-defined policies or you can define one yourself to meet your particular needs.

Pre-set policies

We provide several pre-set policies that you can use:

No checks
No checks are carried out - all mail is passed. This is the default policy and is applied unless you specifically set a different policy for mail to your domain.
Defang viruses
Messages are checked for viruses. Infected messages are 'defanged' - passed on to the recipient as an attachment to a message warning that the attached message is infected with a virus.
Block viruses
Messages are checked for viruses. Infected viruses are blocked and the recipient receives a message advising them that an infected message was found.
Defang viruses, add spam headers
Mail is checked for both viruses and spam content. Virus infected messages are 'defanged'. Additional headers (see below) are added indicating if the message is SPAM, allowing filtering of SPAM to be done by the recipients email software.
Block viruses, add spam headers
Mail is checked for both viruses and spam content. Virus infected messages are blocked. Additional headers are added indicating if the message is SPAM, allowing filtering of SPAM to be done by the recipients email software.
Defang viruses, tag spam (6.9)
Mail is checked for both viruses and spam content. Virus infected messages are 'defanged'. As well as additional headers, if the message scores above 6.9 in spam checks the message subject is pre-pended with "*** SPAM ***".
Defang viruses, tag spam (10)
As "Defang viruses, tag spam (6.9)", except the message subject is changed only if the Spam score exceeds 10.
Block viruses, tag spam (6.9)
As "Defang viruses, tag spam (6.9)", except that virus infected messages are blocked.
Block viruses, tag spam (10)
As "Defang viruses, tag spam (10)", except that virus infected messages are blocked.

Customising policies

You can not alter the pre-set policies, but you can create your own custom policies. A new policy is based on an existing one, so start by studying the existing policies and selecting the one that most closely meets your needs. You can see a list of existing policies and create a new one from the policy list page.

Once you have created your policy, you can edit it. Below is a brief explanation of what each of the settings does. Depending on which services you have purchased, not all the options described here may be available to you.

Policy name
The name given to the policy
Description
A helpful description of the policy
Virus checks
Whether or not to check for viruses. Note that if a message has multiple recipients it may still be checked if another recipient has enabled virus checks
Spam checks
Whether or not to check for spam. As with virus checks, checks may still be carried out sometimes
Banned file checks
Whether or not to check for banned files. As with virus checks, checks may still be carried out sometimes
Bad header checks
Whether or not to check for invalid characters in headers. As with virus checks, checks may still be carried out sometimes
Virus action
The action to carry out on finding a virus. Either block it or "defang" it
Banned file action
The action to carry out on finding a banned file. Either block it or defang it.
Add X-Spam-Level above
The spam score above which X-Spam-Level and X-Spam-Status headers are added
Add X-Spam-Flag: YES above
The spam score above which X-Spam-Flag headers are added and the subject is tagged, if selected.
Tag subject
Whether or not to prepend a tag to the Subject of messages with a high Spam score (see "Add X-Spam-Flag: YES above") indicating that it is SPAM.
Subject tag
The tag to pre-pend to the Subject of mail detected as SPAM
Warn virus recipient
Whether or not to advise recipients of blocked viruses that a message was blocked
Warn recipients of banned files
Whether or not to advise recipients of blocked banned files that a message was blocked

"Defanging"

'Defanging' is a way of passing the original message on to the recipient, but reducing the risk that viruses or malicious files may be run accidently. The message is sent on as an attachment to a warning message. The recipient can still open the original message exactly as it was if they wish, but will first see a warning advising them of the potential problem.

The wrapper message for defanged mail will have the X-Amavis-Modified and X-Amavis-Alert headers set, enabling them to be routed to separate folders if required.

Additional headers

X-Spam-* headers

Up to three X-Spam-* headers may be added to mail that has receives a positive score from Spam tests.

X-Spam-Flag: YES

This header is added to mail with a Spam score greater than the value set for "Add X-Spam-Flag: YES above"

X-Spam-Level

This header is added to mail with a Spam score greater than the value set for "Add X-Spam-Level above". The contents of the header is a string of "+" characters. The number of "+" characters is equal to the spam score, rounded down to the nearest whole number. With better email software this is useful for filtering into different folders depending on score.

X-Spam-Status

This is added to mail with a Spam score greater than the value set for "Add X-Spam-Level above". It contains details of the spam tests failed, the score received and other settings.

Examples

X-Spam-Status: Yes, hits=11.487 tagged_above=3 required=6.9
tests=[BAYES_99=3.5, HTML_90_100=0.022, HTML_MESSAGE=0.001,
MIME_BASE64_BLANKS=1.469, MSGID_OUTLOOK_INVALID=2.7,
RAZOR2_CF_RANGE_51_100=0.056, RAZOR2_CHECK=1.511, RCVD_BY_IP=0.067,
RCVD_ILLEGAL_IP=0.944, RCVD_IN_BL_SPAMCOP_NET=1.216, RCVD_IN_NERD_DK=0.001]
X-Spam-Level: +++++++++++
X-Spam-Flag: YES

X-Amavis-*

These headers are added by the content filter when bad files (viruses, banned file names etc) are detected but passed on to the user. They may be used for filtering in your email software.

X-Amavis-Alert

This header has the content "INFECTED" for virus infected messages, or "BANNED" for messages containing banned file names. This is followed by some detail about the malware.

X-Amavis-Modified

This header is added to messages that are 'defanged'.

Examples

X-Amavis-Modified: Original mail wrapped as attachment (defanged) by rupert.raggedstaff.net
X-Amavis-Alert: INFECTED, message contains virus: Eicar-Test-Signature