What is Detected?

E-mail leaving our network is categorized passively.  Automated systems categorize the e-mail, as it is seen leaving our network, into 4 different categories.  If the e-mail matches certain characteristics it may be classified as  Bulk, Suspected, or Confirmed Spam.  All other mail remains uncategorized.  No human ever reads these emails during this automated categorization process.  Heuristic methods of categorization based on patterns and signatures are used without the need for manual inspection by any person.  Only after an email is categorized as “Confirmed Spam” does it get saved for later inspection.  Uncategorized (not bulk, not suspected and not confirmed) email is never archived or recorded in any way, ever.


These are messages that are generally the same as a certain number of previous messages.  Sending Bulk email is not, in itself, a violation of any policies.  If these messages are proven to be unsolicited then they may be classified as Confirmed Spam later.


A snapshot, while keeping the data in the email private, is kept on record and compared to other Suspected emails to later be classified as Confirmed Not Spam or Confirmed Spam.  What causes an email to be Suspected cannot be divulged for security reasons.

Confirmed Spam

An email that is Confirmed Spam contains a multitude of characteristics that categorize it as such.  What causes an email to be categorized as Confirmed Spam cannot be divulged for security reasons.


Frequently Asked Questions?

Q: “But I’m not spamming!  Where are these coming from?”

Something on your server may be generating these emails.  The important parts of the e-mail to check out are the Received headers.  These reveal the path the e-mail took before it left your server.  They are in reverse chronological order (the most recent is listed first).  If you look at the last Received header in the email you’ll see where the email originated. Sometimes the last Received header is forged to shift blame or throw off the real method the email was sent.  If the last Received header contains an outside IP address but any other Received headers mention localhost or you can be pretty sure that the last Received header is forged and the email did originate from this server.

Some questions to ask yourself or your user(s) are:

  • Did someone relay this mail through your server?
  • Does a mail user have a weak password and it is being used without the user’s knowledge?
  • Is a user intentionally sending this mail?

Q: “These are spam messages sent to our server that are bouncing!”

Your server may be vulnerable to delivering spam mail by bouncing it back to an intentionally forged sender (backscatter).  This makes your server a tool in spam delivery.  There are many resources to help deal with this.  You should only send non-delivery notifications to your own users, anything else that can’t be rejected during the SMTP transaction and is later found to be undeliverable should be dealt with locally, don’t bounce it or your server becomes part of the problem.  A lot of spam mail is delivered by exploiting a server that sends backscatter.

More information on backscatter can be found at the following links:

  • http://www.dontbouncespam.org/
  • http://spamlinks.net/prevent-secure-backscatter.htm

More to be added.  [last updated 2011-03-16]