The ASAV Gateway is an anti-spam and anti-virus solution implemented at the network level by the ITSC for CWEM users. The Gateway is composed of hardware, anti-spam software and anti-virus software. It is installed in front of the campus-wide email system (CWEM) in the campus network, as shown in Diagram A below.
In addition to anti-spam and anti-virus functions, the ASAV Gateway also provides quarantine servers, virus outbreak filters, content filtering, recipient validation and double-byte character set support.
How Does the ASAV Gateway Identify Spam?
- Sender-based Reputation Filtering - By IP Addresses
Sender-based reputation filtering identifies spam based on the connecting IP address. It can block spam as soon as it reaches the Gateway, which increases the effectiveness of the second-layer content-based filtering. Sender-based reputation filtering can also protect mail systems from virus attacks and from "hit and run" spam attacks that create sudden and unexpected spikes in message volume. (Refer to 10. References)
- Content-based Filtering - By IronPort Anti-Spam
Content-based filtering in the ASAV Gateway is performed by IronPort Anti-Spam. It uses heuristic filters, URL filters, signature filters, header filters and many other types of filters to determine whether an email is spam. (Refer to 10. References)
How Does the ASAV Gateway Dispose of Spam?
- Positive Spam
Emails identified by sender-based reputation filtering as spam are classified as positive spam. When positive spam is identified, either the connection between the sending computer and the Gateway is dropped or an error message is sent to the sending computer. In both cases, the Gateway does not accept the email.
- Suspected Spam
Emails identified as spam by content-based filtering are classified as suspected spam. Suspected spam is moved to a quarantine server, where recipients can review it and choose to release or delete it.
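The two-layer disposal described above, as an added Python illustration that is not the Gateway's own code or IronPort's algorithm: a reputation lookup on the connecting IP decides "positive spam" before any content is examined, and a content score decides between quarantine and delivery. The reputation table, the heuristic rules and their weights, and the reject cut-off are all constructed; the IP ranges are TEST-NET documentation addresses. The 75 and 90 thresholds are an assumption taken from the "[spam 75-89]" and "[spam 90-100]" subject prefixes that the FAQ on this page mentions for users who opt out of the quarantine server.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed reputation table keyed by network (TEST-NET ranges, not real senders).
# Scores run from -10 (known spam source) to +10 (trusted); unknown networks score 0.
REPUTATION = {
    ipaddress.ip_network("203.0.113.0/24"): -9.0,   # constructed "known spam source"
    ipaddress.ip_network("198.51.100.0/24"): 4.0,   # constructed "reasonable reputation"
}
REJECT_BELOW = -5.0   # assumed cut-off for positive spam, not the Gateway's real value


def _url_count(body: str) -> int:
    lowered = body.lower()
    return lowered.count("http://") + lowered.count("https://")


# Constructed content heuristics: (description, weight, predicate over subject and body).
RULES: List[Tuple[str, int, Callable[[str, str], bool]]] = [
    ("subject all caps", 30, lambda s, b: s.isupper() and len(s) > 5),
    ("many URLs in body", 35, lambda s, b: _url_count(b) >= 3),
    ("prize/urgency wording", 25, lambda s, b: any(
        w in (s + " " + b).lower() for w in ("act now", "you have won", "claim your prize"))),
    ("hidden zero-size text", 20, lambda s, b: "font-size:0" in b.replace(" ", "").lower()),
]


@dataclass
class Verdict:
    action: str                 # "reject" (positive spam), "quarantine" or "deliver"
    subject: str                # subject line as it would leave the Gateway
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def reputation_score(client_ip: str) -> float:
    """Layer 1: look the connecting address up in the reputation table."""
    addr = ipaddress.ip_address(client_ip)
    for net, score in REPUTATION.items():
        if addr in net:
            return score
    return 0.0


def content_score(subject: str, body: str) -> Tuple[int, List[str]]:
    """Layer 2: sum the weights of every heuristic that fires, capped at 100."""
    score, reasons = 0, []
    for name, weight, predicate in RULES:
        if predicate(subject, body):
            score += weight
            reasons.append(name)
    return min(score, 100), reasons


def classify(client_ip: str, subject: str, body: str, deliver_tagged: bool = False) -> Verdict:
    # Positive spam is refused at the connection; the message body is never accepted.
    if reputation_score(client_ip) <= REJECT_BELOW:
        return Verdict("reject", subject, reasons=["sender reputation"])
    score, reasons = content_score(subject, body)
    if score >= 90:
        band = "[spam 90-100]"
    elif score >= 75:
        band = "[spam 75-89]"
    else:
        return Verdict("deliver", subject, score, reasons)
    if deliver_tagged:
        # User asked not to use the quarantine server: tag the subject and deliver.
        return Verdict("deliver", f"{band} {subject}", score, reasons)
    return Verdict("quarantine", subject, score, reasons)


if __name__ == "__main__":
    v = classify("198.51.100.9", "YOU HAVE WON", "Claim your prize at http://a http://b http://c")
    print(v.action, v.score, v.reasons)
```

Note that a rejected message carries no content score: the point of the first layer is that the Gateway never has to spend content-filtering effort on mail from a known bad source.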
How to Access Suspected Spam in Quarantine Server?
Users may view the suspected spam held in the quarantine server and choose to delete or release it.
- Daily Digest of Quarantined Emails
- Access to Spam Quarantine Server
- Disposal of Suspected Spam
Suspected spam can be viewed and then selected to be deleted or released as shown in Diagram D below.
If a suspected spam message is released, it is routed through the Gateway again for virus scanning. All suspected spam in the quarantine server is deleted after 21 days.
How Does the ASAV Gateway Detect Email Viruses?
How Does the ASAV Gateway Dispose of Email Viruses?
Where to Report False Positives and False Negatives?
False positives are e-mails that are wrongly identified as spam, while false negatives are spam messages that are treated as normal e-mails. Users can submit information, including the e-mail headers of the false positives or false negatives, to ITSC through the ITSC Service Desk.
E-mails released by users from the quarantine server are not automatically reported as false positives.
Other Features of the ASAV Gateway
- Virus Outbreak Filters (VOFs)
Historically, as new viruses or variants hit the Internet, the most critical time period is the window of time between when the virus is released and when the anti-virus vendors release an updated virus definition. Having advanced notice, even a few hours, is vital to curbing the spread of malicious code. During that vulnerability window, a modern virus can propagate globally, bringing email infrastructure to a halt.
The virus outbreak filters (VOFs) incorporated in the ASAV Gateway proactively provide a critical first layer of defense against new outbreaks. By detecting new outbreaks in real time and dynamically responding to keep suspicious traffic from entering the campus network, the VOFs offer protection until new virus signature updates are deployed.
After a virus outbreak is identified, all messages related to the outbreak are sent to the VOF outbreak quarantine area in the ASAV Gateway. The VOF outbreak quarantine is only a temporary holding area until new virus definitions have been created and the anti-virus software of the ASAV Gateway has been updated. After the outbreak quarantine timeout period, i.e. 15 hours, the messages are released from the outbreak quarantine and run through the anti-virus filter again. (Refer to 10. References)
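The two holding areas described on this page differ in what happens when their timers run out: suspected spam in the quarantine server is deleted after 21 days unless the user releases it, while outbreak-quarantined mail is automatically released after 15 hours, and in both cases anything that leaves a quarantine is scanned for viruses again. The Python model below is an added example, not the Gateway's own code; the message store, the signature-set stand-in for the anti-virus engine and the sample messages are constructed, and only the two timeout values come from the page.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SPAM_RETENTION = timedelta(days=21)      # from the page: suspected spam is kept 21 days
OUTBREAK_TIMEOUT = timedelta(hours=15)   # from the page: outbreak quarantine timeout


class Quarantine:
    """A holding area that remembers when each message entered it."""

    def __init__(self, hold_for: timedelta):
        self.hold_for = hold_for
        self.held: Dict[str, Tuple[datetime, str]] = {}   # msg_id -> (held_at, payload)

    def add(self, msg_id: str, held_at: datetime, payload: str) -> None:
        self.held[msg_id] = (held_at, payload)

    def take(self, msg_id: str) -> str:
        return self.held.pop(msg_id)[1]

    def expired(self, now: datetime) -> List[str]:
        return [m for m, (t, _) in self.held.items() if now - t >= self.hold_for]


class Gateway:
    def __init__(self, signatures: Set[str]):
        # Constructed stand-in for the anti-virus engine: a set of substrings it recognises.
        self.signatures = set(signatures)
        self.spam_q = Quarantine(SPAM_RETENTION)
        self.outbreak_q = Quarantine(OUTBREAK_TIMEOUT)
        self.delivered: List[str] = []
        self.dropped: List[str] = []

    def av_scan(self, payload: str) -> bool:
        """True if the payload matches a currently known signature."""
        return any(sig in payload for sig in self.signatures)

    def update_signatures(self, new: Set[str]) -> None:
        """Vendor definitions arriving during the outbreak window."""
        self.signatures |= new

    def _rescan_and_route(self, msg_id: str, payload: str) -> None:
        # Everything leaving a quarantine goes through the anti-virus filter again.
        if self.av_scan(payload):
            self.dropped.append(msg_id)
        else:
            self.delivered.append(msg_id)

    def release_spam(self, msg_id: str) -> None:
        """A user releases a suspected spam message from the quarantine server."""
        self._rescan_and_route(msg_id, self.spam_q.take(msg_id))

    def tick(self, now: datetime) -> Dict[str, List[str]]:
        """Periodic housekeeping: delete aged spam, release timed-out outbreak mail."""
        deleted = self.spam_q.expired(now)
        for m in deleted:
            self.spam_q.take(m)          # expired suspected spam is deleted, never delivered
        released = self.outbreak_q.expired(now)
        for m in released:
            self._rescan_and_route(m, self.outbreak_q.take(m))
        return {"deleted": deleted, "released": released}


def demo():
    """Constructed timeline: one user release, one signature update, two housekeeping runs."""
    t0 = datetime(2024, 1, 1, 8, 0)
    gw = Gateway(signatures={"SIG-OLD"})
    gw.spam_q.add("spam-1", t0, "buy now")
    gw.spam_q.add("spam-2", t0, "buy now")
    gw.outbreak_q.add("ob-1", t0, "NEW-WORM-PAYLOAD")     # held by VOF, unknown to the AV engine yet
    gw.outbreak_q.add("ob-2", t0, "harmless attachment")
    gw.release_spam("spam-1")                               # user release: rescanned, then delivered
    gw.update_signatures({"NEW-WORM"})                      # definition arrives inside the 15-hour window
    first = gw.tick(t0 + timedelta(hours=15))               # outbreak timeout: ob-1 is now caught, ob-2 delivered
    second = gw.tick(t0 + timedelta(days=21))               # retention: spam-2 is deleted
    return gw, first, second


if __name__ == "__main__":
    gw, first, second = demo()
    print("delivered:", gw.delivered, "dropped:", gw.dropped, first, second)
```

The rescan on release is what makes the 15-hour hold useful: a message the engine could not recognise when the VOF caught it is judged again with whatever definitions arrived in the meantime.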
- Content Filtering
The ASAV Gateway can apply content filters to messages on a per-recipient or per-sender basis. Content filters are similar to message filters, except that they are applied after message filter processing and anti-spam and anti-virus scanning have been performed on a message. (Refer to 10. References)
- Recipient Validation
Working with the existing LDAP infrastructure, the ASAV Gateway can validate a recipient email address. If a recipient email address is not valid, an error is returned to the sender. The Gateway can also be configured to combat directory harvest attacks (DHA).
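Recipient validation and DHA protection fit together naturally at the SMTP RCPT TO step: an address that is not in the directory gets a permanent rejection, and a client that keeps probing unknown addresses gets a temporary rejection and is disconnected. The Python sketch below is an added example, not the Gateway's own logic; the in-memory directory stands in for the LDAP lookup, the addresses use the reserved example.edu domain, and the five-invalid-recipients-per-ten-minutes threshold is an assumption, since the page gives no number.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Constructed directory standing in for the LDAP recipient lookup.
DIRECTORY: Set[str] = {"alice@example.edu", "bob@example.edu", "helpdesk@example.edu"}


class RecipientValidator:
    def __init__(self, directory: Iterable[str], max_invalid: int = 5,
                 window: timedelta = timedelta(minutes=10)):
        self.directory = {a.lower() for a in directory}
        self.max_invalid = max_invalid            # assumed threshold (not on the page)
        self.window = window
        self.invalid_hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked_until: Dict[str, datetime] = {}

    def _recent_invalid(self, client_ip: str, now: datetime) -> Deque[datetime]:
        hits = self.invalid_hits[client_ip]
        while hits and now - hits[0] > self.window:
            hits.popleft()                        # forget probes older than the window
        return hits

    def rcpt_to(self, client_ip: str, rcpt: str, now: datetime) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for one RCPT TO command."""
        until: Optional[datetime] = self.blocked_until.get(client_ip)
        if until is not None and now < until:
            return 421, "4.7.0 Too many invalid recipients, closing connection"
        hits = self._recent_invalid(client_ip, now)
        if rcpt.lower() in self.directory:
            return 250, "2.1.5 Recipient OK"
        hits.append(now)
        if len(hits) >= self.max_invalid:
            # Stop answering individually: a directory harvest learns nothing more from this connection.
            self.blocked_until[client_ip] = now + self.window
            return 421, "4.7.0 Too many invalid recipients, closing connection"
        return 550, "5.1.1 User unknown"


def simulate_invalid_burst(validator: RecipientValidator, client_ip: str,
                           start: datetime, count: int = 7) -> List[int]:
    """Constructed burst of RCPT TO commands for non-existent users, one per second."""
    codes = []
    for i in range(count):
        code, _ = validator.rcpt_to(client_ip, f"user{i}@example.edu", start + timedelta(seconds=i))
        codes.append(code)
    return codes


if __name__ == "__main__":
    v = RecipientValidator(DIRECTORY)
    t = datetime(2024, 1, 1, 9, 0)
    print(v.rcpt_to("198.51.100.4", "Alice@example.edu", t))
    print(simulate_invalid_burst(v, "203.0.113.9", t))
```

Two details matter for the defender: the valid-recipient reply is unaffected by another client's behaviour, because counters are kept per connecting address, and the block expires on its own after the window so that a misconfigured but legitimate sender recovers without manual intervention.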
- Double-Byte Character Sets Support
The ASAV Gateway supports double-byte character sets. Message filters can be created to scan the body or headers of messages that use double-byte, variable-length or non-ASCII encodings such as Traditional Chinese (Big5), Simplified Chinese (GB 2312), Simplified Chinese (HZ GB 2312), Korean (ISO-2022-KR) and Japanese (ISO-2022-JP). This feature enables the ASAV Gateway to identify spam and viruses in languages other than English.
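The practical requirement behind double-byte support is that a filter must decode each header and body according to the charset it declares before matching, because the same word has entirely different byte sequences in Big5, GB 2312, HZ and ISO-2022-JP, and none of them resemble its UTF-8 form. The Python example below is added here and is not the Gateway's own filter code; the keyword list is a constructed stand-in for real filter rules, the sample subjects and bodies are constructed in the block, and the Korean encoding the page lists is handled by the same decoding path but is not among the samples.

```python
import base64
from email.header import decode_header
from typing import Dict, List, Tuple

# Constructed keyword list used as a stand-in for the Gateway's filter rules.
KEYWORDS = ["垃圾郵件", "垃圾邮件", "スパム"]


def encoded_word(text: str, charset: str) -> str:
    """Build an RFC 2047 base64 encoded-word, the form a mail client uses for a non-ASCII Subject."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?b?{payload}?="


def decode_subject(raw: str) -> str:
    """Decode every encoded-word in a header to Unicode, honouring the charset each one declares."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)          # header without encoded-words comes back as str
    return "".join(parts)


def decode_body(body: bytes, charset: str) -> str:
    """Decode a body according to its Content-Type charset; undecodable bytes become U+FFFD."""
    return body.decode(charset, errors="replace")


def keyword_hits(text: str) -> List[str]:
    return [k for k in KEYWORDS if k in text]


def scan_message(raw_subject: str, body: bytes, body_charset: str) -> List[str]:
    """Charset-aware scan: decode first, then match on Unicode text."""
    text = decode_subject(raw_subject) + "\n" + decode_body(body, body_charset)
    return keyword_hits(text)


def naive_scan(raw_subject: str, body: bytes) -> List[str]:
    """Byte-level matching that ignores the charset: what a filter misses without DBCS support."""
    blob = raw_subject.encode("ascii", "replace") + body
    return [k for k in KEYWORDS if k.encode("utf-8") in blob]


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Constructed messages, one per encoding: (charset-aware hits, byte-level hits)."""
    samples = [
        ("big5", "垃圾郵件"),          # Traditional Chinese
        ("gb2312", "垃圾邮件"),        # Simplified Chinese
        ("hz", "垃圾邮件"),            # Simplified Chinese, HZ (7-bit) form of GB 2312
        ("iso-2022-jp", "スパム"),     # Japanese
    ]
    results = {}
    for charset, word in samples:
        subject = encoded_word(word, charset)
        body = ("test " + word).encode(charset)
        results[charset] = (scan_message(subject, body, charset), naive_scan(subject, body))
    return results


if __name__ == "__main__":
    for charset, (aware, naive) in demo().items():
        print(f"{charset:12s} decoded-scan={aware} byte-scan={naive}")
```

The contrast in the output is the whole point: the byte-level scan finds nothing in any of the four encodings, while the decoded scan matches every sample.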
- Is there any way to retain emails in the quarantine servers for a longer period?
The default retention period for suspected spam in the quarantine servers is 21 days. It is a global setting that cannot be changed for individual users. However, a user can make a special request that suspected spam not be stored in the quarantine servers. In this case, the Gateway adds a prefix of "[spam 75-89]" or "[spam 90-100]" to the subject for easier identification and delivers the suspected spam directly to the inbox of the user's mailbox. Please write to the ITSC Service Desk at http://servicedesk.itsc.cuhk.edu.hk.
- Can the ASAV Gateway send an alert message to the sender of a "suspected spam" notifying him/her that the email has been moved to the quarantine servers?
Since the recipient is notified through the daily digest of quarantined spam, we choose not to send an alert message to the sender. Furthermore, the majority of spam is sent with forged sender addresses, so sending an alert message would only cause a nuisance to the owners of those addresses.
- How long will it take for an email released from the quarantine server to be delivered to one's mailbox?
Usually within a minute, although it varies.
- Can I opt out of receiving the "Digest of the Quarantined Emails"?
Sorry, the Anti-spam and Anti-virus Gateway does not provide an option for individual users to stop receiving the spam digest.
- Will I still receive a digest if no spam is reported on that day?
No, you won't.
- Will department mass mailings be regarded as spam by the ASAV Gateway?
The ASAV Gateway should not identify department mass mailings as spam. However, if it does, please write to the ITSC Service Desk at http://servicedesk.itsc.cuhk.edu.hk.
- Can the frequency of "Digest of Suspected Spam" be increased so that emails that are falsely identified as spam can be released sooner?
The suspected spam quarantine servers are updated whenever spam is identified. Users can log in to the quarantine servers whenever they want to check for quarantined suspected spam, without waiting for the daily digest.
- Can a CWEM user choose to opt-out of the anti-spam and anti-virus scheme entirely?
The ASAV Gateway does not provide an option to opt out of the anti-spam and anti-virus scheme entirely.