Information Technology Services Centre - Anti-spam & Anti-virus (ASAV) Gateway

    The ASAV Gateway is an anti-spam and anti-virus solution implemented at the network level by the ITSC for CWEM users. The Gateway consists of hardware, anti-spam software and anti-virus software. It sits in front of the campus-wide email system (CWEM) in the campus network, as shown in Diagram A below.

    (Diagram A)


    Every email addressed to a CWEM email address is routed through the ASAV Gateway for spam and virus scanning. Diagram B below illustrates the processing an email undergoes before it is delivered to the mailbox of a CWEM user.

    (Diagram B)


    In addition to its anti-spam and anti-virus functions, the ASAV Gateway also provides quarantine servers, virus outbreak filters, content filtering, recipient validation and double-byte character set support.

    1. How Does the ASAV Gateway Identify Spam?

    Identification of spam at the ASAV Gateway is performed by a two-layer approach: sender-based reputation filtering first, then content-based filtering by IronPort Anti-Spam.
    1. Sender-based Reputation Filtering - By IP Addresses
      Sender-based reputation filtering identifies spam based on the connecting IP address. It can block spam as soon as it reaches the Gateway, which increases the effectiveness of the second-layer content-based filtering. Sender-based reputation filtering can also protect mail systems from virus attacks and from "hit and run" spam attacks that create sudden and unexpected spikes in message volume. (Refer to 10. References)

    2. Content-based Filtering - By Ironport Anti-Spam
      Content-based filtering of the ASAV Gateway is performed by IronPort Anti-Spam. It uses heuristic filters, URL filters, signature filters, header filters and many other types of filters to determine whether an email is spam. (Refer to 10. References)

    2. How Does the ASAV Gateway Dispose of Spam?

    Spam identified by the ASAV Gateway is classified into two categories, i.e. positive spam and suspected spam.
    1. Positive Spam
      Emails identified as spam by sender-based reputation filtering are classified as positive spam. When positive spam is identified, either the connection between the sending computer and the Gateway is dropped or an error message is sent to the sending computer. In both cases, the Gateway does not accept the email.

    2. Suspected Spam
      Emails identified as spam by content-based filtering are classified as suspected spam. Suspected spam is moved to a quarantine server, where the recipient can review it and choose to release or delete it.
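    The two-layer decision path described under "How Does the ASAV Gateway Identify Spam?" and "How Does the ASAV Gateway Dispose of Spam?" can be modelled as a small pipeline. The block below is an added example and is not ITSC's or IronPort's code: positive spam is refused at connection time on the basis of the sender IP, everything else is scored by content rules, and messages scoring at or above the suspected-spam threshold are quarantined, or tagged with the "[spam 75-89]" / "[spam 90-100]" subject prefixes from the FAQ section when the user has opted out of quarantine. The reputation network list, the content rules and weights, the 75 threshold and all sample messages are constructed assumptions for illustration.

```python
"""Two-layer spam handling modelled on the ASAV Gateway description.

Added example, not ITSC or IronPort code. The reputation list, the content
scoring rules, the threshold and the sample messages are constructed; only the
subject-prefix bands ("[spam 75-89]", "[spam 90-100]") come from the page's FAQ.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed sender-reputation data (layer 1): networks known to emit spam.
# 203.0.113.0/24 is a documentation range, used here as a stand-in.
BAD_SENDER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed content rules (layer 2): each hit adds its weight to a 0-100 score.
CONTENT_RULES = [
    (re.compile(r"\b(viagra|casino)\b", re.I), 60, "keyword"),
    (re.compile(r"https?://[^\s]+\.(xyz|top)\b", re.I), 30, "url"),
    (re.compile(r"^Received: from .*unknown", re.M), 20, "header"),
]
SUSPECTED_THRESHOLD = 75   # assumed cut-off for "suspected spam"


@dataclass
class Message:
    sender_ip: str
    headers: str    # raw header block as received
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                 # "reject", "quarantine", "tag" or "deliver"
    score: int = 0
    subject: str = ""
    reasons: list = field(default_factory=list)


def reputation_check(sender_ip: str) -> bool:
    """Layer 1: True when the connecting IP falls in a bad-reputation network."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in BAD_SENDER_NETWORKS)


def content_score(msg: Message) -> tuple:
    """Layer 2: run keyword, URL and header rules; return (score, reasons)."""
    text = f"{msg.headers}\n{msg.subject}\n{msg.body}"
    score, reasons = 0, []
    for pattern, weight, name in CONTENT_RULES:
        if pattern.search(text):
            score += weight
            reasons.append(name)
    return min(score, 100), reasons


def spam_band_prefix(score: int) -> str:
    """Subject prefix bands as described in the page's FAQ."""
    if score >= 90:
        return "[spam 90-100] "
    if score >= 75:
        return "[spam 75-89] "
    return ""


def gateway_decide(msg: Message, quarantine_enabled: bool = True) -> Verdict:
    """Decide what the gateway does with one message."""
    # Positive spam: refused at connection time; the message is never accepted.
    if reputation_check(msg.sender_ip):
        return Verdict("reject", reasons=["sender-reputation"])
    score, reasons = content_score(msg)
    if score < SUSPECTED_THRESHOLD:
        return Verdict("deliver", score, msg.subject, reasons)
    # Suspected spam: quarantined by default. A user who opted out of the
    # quarantine gets the message tagged and delivered to the inbox instead.
    if quarantine_enabled:
        return Verdict("quarantine", score, msg.subject, reasons)
    return Verdict("tag", score, spam_band_prefix(score) + msg.subject, reasons)


if __name__ == "__main__":
    # Constructed sample: bad-reputation sender, refused before content scanning.
    print(gateway_decide(Message("203.0.113.9", "", "hello", "hi")))
    # Constructed sample: accepted sender, content scored and quarantined.
    suspicious = Message(
        "198.51.100.5",
        "Received: from mail.example.net (unknown [198.51.100.5])",
        "Cheap viagra",
        "Order at http://pills-deals.xyz/now",
    )
    print(gateway_decide(suspicious))
    print(gateway_decide(suspicious, quarantine_enabled=False))
```

Note the ordering: the reputation check runs before any content is read, which is why the page says positive spam is never accepted at all, while suspected spam has already been received and therefore needs a quarantine to live in.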

    3. How to Access Suspected Spam in the Quarantine Server?

    The ASAV Gateway has a quarantine server for storing suspected spam. Each user of the CWEM system has his/her own separate storage in the quarantine server for the suspected spam received at his/her CWEM email address.

    Users may view the suspected spam in the quarantine server and choose to delete them or release them.
    1. Daily Digest of Quarantined Emails
      The Digest of Quarantined Emails, as shown in Diagram C, is sent from the email account "[address not shown]". It is a summary of the suspected spam stored in the quarantine server and is delivered to each user by email every day.

      (Diagram C)

    2. Access to Spam Quarantine Server
      Users can log in to the quarantine server at https://qs.cuhk.edu.hk with their email address in the format [address format not shown] to access suspected spam sent to email addresses of the format [address format not shown].

    3. Disposal of Suspected Spam
      Suspected spam can be viewed and then selected to be deleted or released as shown in Diagram D below.

      (Diagram D)

      If a suspected spam is released, it will be routed through the Gateway again for virus scanning. All suspected spam in quarantine server will be deleted after 21 days.

    4. How Does the ASAV Gateway Detect Email Viruses?

    The anti-virus engine of the ASAV Gateway is the Sophos Anti-Virus. It uses various techniques including pattern matching, heuristics and emulation to detect viruses.

    5. How Does the ASAV Gateway Dispose of Email Viruses?

    When a virus is detected in an email, the email is discarded. Neither the sender nor the intended recipient is notified.

    6. Security Issues

    Privacy is guaranteed in the ASAV Gateway's spam and virus scanning process. No user email is inspected by a human. User emails in the quarantine server are protected so that only the user may view his/her own suspected spam.

    7. Where to Report False Positives and False Negatives?

    False positives are e-mails wrongly identified as spam; false negatives are spam messages treated as normal e-mail. Users can submit information, including the e-mail headers of the false positives or false negatives, to ITSC through the ITSC Service Desk.

    E-mails released by users from the quarantine server are not automatically reported as false positives.

    8. Other Features of the ASAV Gateway

    In addition to its main anti-spam and anti-virus functions, the ASAV Gateway has many other important features, including virus outbreak alerts, content filtering, recipient validation and double-byte character set support.
    1. Virus Outbreak Filters (VOFs)
      Historically, as new viruses or variants hit the Internet, the most critical period is the window between the release of the virus and the release of an updated virus definition by the anti-virus vendors. Advance notice, even of a few hours, is vital to curbing the spread of malicious code. During that vulnerability window, a modern virus can propagate globally and bring email infrastructure to a halt.
      The virus outbreak filters (VOFs) incorporated in the ASAV Gateway proactively provide a critical first layer of defense against new outbreaks. By detecting new outbreaks in real time and dynamically responding to prevent suspicious traffic from entering the campus network, the VOFs offer protection until new virus signature updates are deployed.
      After a virus outbreak is identified, all messages related to the outbreak are sent to the VOF outbreak quarantine area in the ASAV Gateway. The VOF outbreak quarantine is only a temporary holding area until new virus definitions have been created and the anti-virus software of the ASAV Gateway has been updated. After the outbreak quarantine timeout period, i.e. 15 hours, the messages are released from the outbreak quarantine and run through the anti-virus filter again. (Refer to 10. References)

    2. Content Filtering
      The ASAV Gateway can create content filters to be applied to messages on a per-recipient or per-sender basis. Content filters are similar to message filters, except that they are applied after message filters processing and anti-spam and anti-virus scanning have been performed on a message. (Refer to 10. References).

    3. Recipient Validation
      Working with the existing LDAP infrastructure, the ASAV Gateway can validate a receiving email address. If a receiving email address is not valid, an error will be returned to the sender. The Gateway can also be configured to combat directory harvest attacks (DHA).

    4. Double-Byte Character Sets Support
      The ASAV Gateway supports double-byte character sets. Message filters can be created to scan the body or headers of messages that use double-byte, variable-length or other non-ASCII encodings such as Traditional Chinese (Big5), Simplified Chinese (GB 2312), Simplified Chinese (HZ GB 2312), Korean (ISO-2022-KR) and Japanese (ISO-2022-JP). This feature enables the ASAV Gateway to identify spam and viruses in languages other than English.
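    The recipient validation and directory harvest attack (DHA) protection described under "Recipient Validation" above, as an added example that is not ITSC's configuration or IronPort's code. A DHA is the pattern in which one sending host probes many guessed addresses to learn which ones the directory accepts; the defence is to answer each invalid RCPT with an error, as the page says, and to stop answering usefully once a connecting IP has produced too many of them. The in-memory address set stands in for the LDAP lookup, and the threshold, sample addresses and IP addresses are constructed assumptions.

```python
"""Recipient validation with directory-harvest-attack (DHA) limiting.

Added example, not ITSC's configuration. The in-memory directory stands in
for the LDAP lookup the page mentions; the threshold and all addresses and
IPs are constructed for illustration.
"""
from collections import defaultdict

# Constructed stand-in for the LDAP directory of valid mailbox addresses.
VALID_RECIPIENTS = {"alice@example.edu", "bob@example.edu", "helpdesk@example.edu"}

# Constructed DHA policy: once a connecting IP has asked for this many unknown
# recipients, every further RCPT from it is refused, valid or not, so the
# attacker can no longer tell real addresses from guessed ones.
DHA_INVALID_THRESHOLD = 5


class RecipientValidator:
    def __init__(self, directory, threshold=DHA_INVALID_THRESHOLD):
        self.directory = {a.lower() for a in directory}
        self.threshold = threshold
        self.invalid_counts = defaultdict(int)   # connecting IP -> unknown RCPTs seen
        self.blocked = set()                     # IPs that crossed the threshold

    def is_valid(self, address: str) -> bool:
        """The directory lookup (LDAP in the real gateway)."""
        return address.lower() in self.directory

    def rcpt(self, sender_ip: str, address: str) -> tuple:
        """Answer one RCPT TO command with an SMTP-style (code, text) reply.

        Reply codes and enhanced status codes follow RFC 5321 / RFC 3463:
        250 accepted, 550 5.1.1 unknown mailbox, 550 5.7.1 policy rejection.
        """
        if sender_ip in self.blocked:
            return 550, "5.7.1 Too many invalid recipients from your address"
        if self.is_valid(address):
            return 250, "2.1.5 Recipient OK"
        self.invalid_counts[sender_ip] += 1
        if self.invalid_counts[sender_ip] >= self.threshold:
            self.blocked.add(sender_ip)
            return 550, "5.7.1 Too many invalid recipients from your address"
        return 550, "5.1.1 User unknown"

    def is_blocked(self, sender_ip: str) -> bool:
        return sender_ip in self.blocked


def replay_session(validator: RecipientValidator, sender_ip: str, addresses) -> list:
    """Feed a sequence of RCPT attempts from one IP; return the reply codes."""
    return [validator.rcpt(sender_ip, a)[0] for a in addresses]


if __name__ == "__main__":
    v = RecipientValidator(VALID_RECIPIENTS)
    # Constructed harvesting session: dictionary of guessed local parts.
    guesses = [f"{n}@example.edu" for n in ("aaron", "abby", "adam", "alan", "alex")]
    print(replay_session(v, "198.51.100.7", guesses))     # five 550 replies
    print(v.rcpt("198.51.100.7", "alice@example.edu"))     # still 550: IP is limited
    print(v.rcpt("192.0.2.2", "alice@example.edu"))        # unaffected sender: 250
```

The per-IP counter is the detection signal worth logging: a legitimate sender rarely hits more than one or two unknown recipients in a session, so a stream of 5.1.1 replies to a single connecting address is a clean indicator of harvesting even before the block engages.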

    9. FAQs

    1. Any way to retain the emails in the quarantine servers for a longer period?
      The default retention period for suspected spam in the quarantine servers is 21 days. It is a global setting that cannot be changed for an individual user. However, a user can make a special request not to store his/her suspected spam in the quarantine servers. In that case, the Gateway adds a prefix of "[spam 75-89]" or "[spam 90-100]" to the subject of each suspected spam for easier identification and delivers it directly to the inbox of the user's mailbox. Please write to the ITSC Service Desk at http://servicedesk.itsc.cuhk.edu.hk.

    2. Can the ASAV Gateway send an alert message to sender of a "suspected spam" notifying him/her that the email has been moved to quarantine servers?
      Since the recipient is notified through the daily digest of quarantined spam, we choose not to send an alert message to the sender. Furthermore, the majority of spam is sent from forged email addresses, so sending alert messages would only be a nuisance to the owners of those addresses.

    3. How long will it take for an email released from quarantine server to be delivered to one's mailbox?
      About a minute, though it varies.

    4. Can I not receive the "Digest of the Quarantined Emails"?
      Sorry, the Anti-spam and Anti-virus Gateway does not provide an option for an individual user to stop receiving the spam digest.

    5. Will I still receive a digest if no spam is reported on that day?
      No, you won't.

    6. Will department mass mailings be regarded as spam by the ASAV Gateway?
      The ASAV Gateway should not identify department mass mailings as spam. However, if it does, please write to ITSC Service Desk at http://servicedesk.itsc.cuhk.edu.hk.

    7. Can the frequency of "Digest of Suspected Spam" be increased so that emails that are falsely identified as spam can be released sooner?
      The suspected spam quarantine servers are updated whenever spam is identified. Users can log in to the quarantine servers at any time to check for quarantined suspected spam without waiting for the daily digest.

    8. Can a CWEM user choose to opt-out of the anti-spam and anti-virus scheme entirely?
      The ASAV Gateway does not provide an opt-out choice for the anti-spam and anti-virus scheme entirely.