Anti-spam & Anti-virus (ASAV) Gateway (Retires on 13 Dec 2017)
The ASAV Gateway is an anti-spam and anti-virus solution implemented at network level by the ITSC for CUHK Webmail (Mailserv) users. With the University mail system switching from CUHK Webmail (Mailserv) to Office 365 Mail, Exchange Online Protection (EOP) has been in pilot run together with ASAV in protecting user emails from viruses and spam attacks. Effective from 13 Dec 2017, EOP will be fully deployed and the ASAV Gateway will be retired from protecting the email service.
Below are the ASAV Gateway functions.
1. How Does the ASAV Gateway Identify Spam?
Identification of spam at the ASAV Gateway is performed by a two-layer approach of sender-based reputation filtering and content-based filtering of Ironport Anti-Spam.
Sender-based Reputation Filtering – By IP Addresses
Sender-based reputation filtering identifies spam based on the connecting IP address. It can block spam as soon as it reaches the Gateway, which increases the effectiveness of the second-layer content-based filtering. Sender-based reputation filtering can also protect mail systems from virus outbreaks and from “hit and run” spam attacks that create sudden and unexpected spikes in message volume. (Refer to 10. References)
Content-based Filtering – By Ironport Anti-Spam
Content-based filtering of the ASAV Gateway is performed by Ironport Anti-Spam. It uses heuristic filters, URL filters, signature filters, header filters and many other types of filters to determine whether an email is spam. (Refer to 10. References)
2. How Does the ASAV Gateway Dispose of Spam?
Spam identified by the ASAV Gateway is classified into two categories, i.e. positive spam and suspected spam.
Emails identified as spam by sender-based reputation filtering are classified as positive spam. When a positive spam is identified, either the connection between the sending computer and the gateway will be disconnected or an error message will be sent to the sending computer. In both cases, the gateway will not accept the email.
Emails identified as spam by content-based filtering are classified as suspected spam. Suspected spam will be moved to a quarantine server, from which recipients can view it and choose to release or delete it.
3. How to Access Suspected Spam in Quarantine Server?
The ASAV Gateway has a quarantine server for storing suspected spam. Each user of the CWEM system has his/her own separate storage in the quarantine server for his/her suspected spam received at firstname.lastname@example.org.
Users may view the suspected spam in the quarantine server and choose to delete them or release them.
Daily Digest of Quarantined Emails
The Digest of Quarantined Emails, as shown in Diagram C, is sent from the email account “DO-NOT-REPLY@qs.cuhk.edu.hk”. It is a summary of the suspected spam stored in the quarantine server, and it is delivered to each user by email every day.
Disposal of Suspected Spam
Suspected spam can be viewed and then selected to be deleted or released as shown in Diagram D below.
If a suspected spam is released, it will be routed through the Gateway again for virus scanning. All suspected spam in the quarantine server will be deleted after 21 days.
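To make the disposal rules of sections 2 and 3 concrete, the following added example (not ITSC code, and not the Ironport or Sophos engines) models the gateway's decision path: a positive-spam reject on connecting IP, a silent discard for infected mail, a per-message quarantine with release and 21-day expiry. The IP list, spam markers and virus marker are constructed stand-ins, and the scan order (reputation, then virus, then content) and the assumption that a released message is re-scanned for viruses only are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (hypothetical addresses and markers), not ITSC's lists.
BAD_REPUTATION_IPS = {"192.0.2.10", "198.51.100.7"}
SPAM_MARKERS = ("free prize", "click here", "urgent wire transfer")
VIRUS_SIGNATURES = (b"CONSTRUCTED-VIRUS-SIGNATURE",)
QUARANTINE_TTL = timedelta(days=21)  # quarantined mail is deleted after 21 days

@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    attachment: bytes = b""

@dataclass
class Gateway:
    quarantine: dict = field(default_factory=dict)  # id -> (message, received_at)
    next_id: int = 0

    def has_virus(self, msg):
        # Stand-in for the anti-virus engine: signature match on the attachment
        return any(sig in msg.attachment for sig in VIRUS_SIGNATURES)

    def content_is_spam(self, msg):
        # Stand-in for content filtering: two or more spam markers in subject/body
        text = (msg.subject + " " + msg.body).lower()
        return sum(m in text for m in SPAM_MARKERS) >= 2

    def handle(self, msg, now):
        # Layer 1: sender reputation. Positive spam is refused at connection time.
        if msg.sender_ip in BAD_REPUTATION_IPS:
            return "rejected"
        # Virus scan: infected mail is discarded, no notification to anyone.
        if self.has_virus(msg):
            return "discarded"
        # Layer 2: content filter. Suspected spam goes to the user's quarantine.
        if self.content_is_spam(msg):
            qid, self.next_id = self.next_id, self.next_id + 1
            self.quarantine[qid] = (msg, now)
            return f"quarantined:{qid}"
        return "delivered"

    def release(self, qid):
        # Released mail passes the gateway again for virus scanning only (assumption)
        msg, _ = self.quarantine.pop(qid)
        return "discarded" if self.has_virus(msg) else "delivered"

    def purge_expired(self, now):
        expired = [q for q, (_, t) in self.quarantine.items() if now - t >= QUARANTINE_TTL]
        for q in expired:
            del self.quarantine[q]
        return len(expired)
```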
4. How Does the ASAV Gateway Detect Email Viruses?
The anti-virus engine of the ASAV Gateway is the Sophos Anti-Virus. It uses various techniques including pattern matching, heuristics and emulation to detect viruses.
5. How Does the ASAV Gateway Dispose of Email Viruses?
When an email with a virus in it has been detected, the email will be discarded. Neither the sender nor the intended recipient will be notified.
6. Security Issues
Privacy is guaranteed in the process of scanning for spam and viruses by the ASAV Gateway. No user email will be inspected by a human. User emails in the quarantine server are protected so that only the user may view his/her own suspected spam.
7. Where to Report False Positives and False Negatives?
False positives are e-mails that are wrongly identified as spam, while false negatives are spam that are regarded as normal e-mails. Users can submit information, including the e-mail headers of the false positives or false negatives, to ITSC through the ITSC Service Desk.
E-mails released by users from the quarantine server are not automatically reported as false positives.