School of Medicine Spam Firewall at SFGH

• Introduction
• How spam blocking works
• How to view and retrieve blocked spam
• Your Quarantine Mailbox
• Setting preferences for your Quarantine Mailbox
• Spam Firewall FAQ's
• Customer Support
• Log in to Your Email Quarantine Inbox

Introduction

Computing & Network Services (CNS) replaced PureMessage anti-spam system with a Barracuda spam firewall appliance to block or quarantine spam email from being delivered to the inboxes of SOM Exchange users. This new spam firewall appliance provides the users ability to maintain personal white and black lists.

How spam blocking works

The SOM spam firewall appliance is designed to recognize and quarantine known and suspected spam messages. Messages from external email systems are evaluated for known spam patterns, known spam-originating sites, and suspicious words or phrases. Messages are evaluated and given a spam rating, and those designated as spam are quarantined and not delivered to SOM email inboxes. Once a day at 6:00AM, users receive a summary of messages that were addressed to them and quarantined. By following a link in this summary, users can view and retrieve quarantined messages. It is important to view the digest in a timely manner, as all quarantined emails are deleted after 21 days.

How to view and retrieve blocked spam

To view quarantined messages, either click on the link in the Spam Quarantine Summary email or using a web browser, go to https://sfghcuda.ucsf.edu/ and log on using your SOM domain logon ID and password. These are the same credentials you use when accessing email.

Your Quarantine Mailbox

Once you log in your Quarantine Mailbox will look similar to the following:

Setting preferences for your Quarantine Mailbox

The PREFERENCES tab in your Quarantine Mailbox will display the following:

Whitelist/Blacklist

Click on the “Preferences” tab to make changes to your spam detection settings. You will be taken to the Whitelist/Blacklist sub-tab. Here you can see what addresses are currently on each list. You can also add and delete addresses as necessary. Email addresses on the Whitelist will not be filtered regardless of the spam score, while email addresses on the Blacklist will always be filtered. For more information on what a Whitelist/Blacklist is, click on the “?” button.

Quarantine Settings

From the “Preferences” tab click on the “Spam Settings” sub-tab. Here you can enable or disable your user quarantine.

Note: Disabling the quarantine will allow all messages normally quarantined to be delivered to your inbox with the [QUAR] tag in the subject line.

Spam Firewall FAQ's (Frequently Asked Questions)

1. How is “spam” defined?
2. How often will I receive notice from the SOM Spam Firewall?
3. How do I get into my spam quarantine? Do I need a login and password?
4. What is the URL for my quarantine? Can I bookmark it or add it to my favorites?
5. If I change my email password does my spam quarantine password change?
6. I have tried my username and password but they don't seem to work, what should I do?
7. What is the “Whitelist” button on the quarantine INBOX?
8. Does the SOM spam firewall allow us to “blacklist” anyone?
9. How do I add spam that is getting past the Barracuda spam filter?
10. If I add an address to the “blacklist” in my preferences, what happens to mail from that address? Does it just disappear without delivery or notice, or does it get sent to quarantine where it can be looked at and discarded periodically?
11. Are there global “Blacklists” used by the SOM spam firewall?
12. My “whitelist” is not working properly. What could I have done wrong?
13. My “blacklist” is not working properly. What could I have done wrong?
14. I accidentally clicked “deliver” instead of “delete” in my quarantine. What happens?
15. I have over 4 pages of quarantined messages. Do I have to delete them, one at a time?
16. I will be out for one week. Do you mind if I don't update my quarantine until I get back?
17. What do I do with spam that makes it through? What process do I undergo to have the SOM spam firewall “learn” that a given message is spam?
18. I'm concerned that I am receiving some very offensive email. Is there any end in sight?
19. My last batch of Barracuda messages were all spam. I selected all the messages, and clicked “deliver” instead of “delete.” Not only did I have those messages delivered, but now it thinks that they aren't spam. What should I do?
20. How does the Barracuda service “score” my email and determine whether it is spam or not?
21. Do I need any local filtering, in addition to the Barracuda?
22. I've deleted something from my quarantine by mistake. Can you recover it?
23. Will I have deleted all the email that accumulated in my absence by deleting the most recent Barracuda email?
24. I have been away from the office. Do I have to open the Barracuda email from each day that I was gone, or are the messages cumulative so that I can view my quarantine in the most recent Barracuda email?
25. Would it be possible in the quarantine email to have it immediately jump to the web page when opened?
26. The “delete” link for my two spam messages is not active, so I am not able to delete them.
27. In my Barracuda quarantine, is there a way to view an email before deleting it?
28. I just spent a long time deleting a large amount of messages and now they're all back. I don't want any of them. What am I doing wrong?
29. I am receiving very strange emails. They are messages that are returned undeliverable, yet I haven't sent anything out to the particular addresses. Please advise.
30. How does the Barracuda handle emails that contain viruses?
31. How does the SOM spam firewall handle attachments?

1. How is “spam” defined?
   
   A. Unwanted email.
   
   
2. How often will I receive notice from the SOM Spam Firewall?
   
   A. You will receive a notice every day at 6AM if you have received any new spam since your last notice was sent.
   
   
3. How do I get into my spam quarantine? Do I need a login and password?
   
   A. The spam firewall service uses Windows Active Directory accounts to authenticate users and allow access to their spam quarantine. Click on the link in the UCSF Firewall message you receive and it will take you to your quarantine.
   
   
4. What is the URL for my quarantine? Can I bookmark it or add it to my favorites?
   
   A. It is located at: https://sfghcuda.ucsf.edu/
   You can bookmark or add this URL to your favorites list in your web browser, but you will be prompted for a login and password.
   Clicking on the link at the bottom of your daily email notice will take you directly into your quarantine inbox.
   
   
5. If I change my email password does my spam quarantine password change?
   
   A. Yes, they are one and the same.
   
   
6. I have tried my username and password but they don't seem to work, what should I do?
   
   A. Did you select the correct Domain? Are you using the same ID and password used for email? If you logon to a computer in the SOM domain, are you using those same credentials?
   
   
7. What is the “Whitelist” button on the quarantine INBOX?
   
   A. “Whitelisting” will allow future emails from a particular sender to be delivered to your INBOX, regardless of the content of the message. The next time the SOM spam firewall encounters that sender, the email will not be quarantined.
   
   Usage:
   
   
   • A newsletter that you receive typically scores high enough to “look like” spam to the filter and is routinely quarantined.
   • You have a partner, contact or associate that you need to guarantee the delivery of their messages, for instance, you receive legal notices that must be delivered.
   • In each case you “Whitelist” the sender and the SOM spam firewall will faithfully deliver the messages.
     
     
8. Does the SOM spam firewall allow us to “blacklist” anyone?
   
   A. “Blacklisting” will cause future emails from a particular sender to be blocked from delivery to your INBOX, regardless of the content of the message.
   
   To “Blacklist” a sender, from within your Barracuda quarantine:
   
   
   1. Click on your “Preferences” tab.
   2. Click “ Whitelist/Blacklist.”
   3. Under the heading “Blocked Email Addresses and Domains,” type in the address you wish to block.
   4. Click the “Add” button.
      
      Note: Blocked email addresses are NOT delivered to your quarantine or your INBOX.
      
      
9. How do I add spam that is getting past the Barracuda spam filter?
   
   A. You can “Blacklist” a specific sender, but because most spam senders change the sender information, it is best to wait a day or two until the Barracuda service “learns” that it is spam and quarantines it accordingly.
   
   
10. If I add an address to the “blacklist” in my preferences, what happens to mail from that address? Does it just disappear without delivery or notice, or does it get sent to quarantine where it can be looked at and discarded periodically?
    
    A. “Blacklisting” completely blocks the sender; no message is quarantined and no notification is sent to the sender or intended recipient.
    
    
11. Are there global “Blacklists” used by the SOM spam firewall?
    
    A. Yes, but only the most egregious sites are blocked by the Barracuda service. Here is a complete list of Common External Blacklists.
    
    
12. My “whitelist” is not working properly. What could I have done wrong?
    
    A. Some list mailers use serialized addresses when sending messages. When you try to “whitelist/blacklist” an address and it doesn't seem to be working properly you can do the following:
    
    To “whitelist” a domain:
    
    
    1. Inside the Barracuda quarantine, click on “Preferences,” then choose “Whitelist/Blacklist.”
    2. In the textbox for allowed addresses enter: protecteddomain.com then click “Add.”
    3. Clean out the other entries that have to do with the domain you just entered.
       
       Here are some examples of serialized addresses:
       
       Port_Alert.ue.d35820.139458776@ixsl.net
       Dairy_Alert.ue.934787.x40687577@ixsl.net
       Drovers_Alert.ue.g35385.140295192@ixsl.net
       
       
13. My “blacklist” is not working properly. What could I have done wrong?
    
    A. Some list mailers use serialized addresses when sending messages. When you try to “whitelist/blacklist” an address and it doesn't seem to be working properly you can do the following:
    
    To “Blacklist” a domain:
    
    
    1. Inside the Barracuda quarantine, click on “Preferences,” then choose “Whitelist/Blacklist.”
    2. In the textbox for denied addresses enter: “baddomain.com” of the sending domain that you want to block, then click “Add.”
       
       
14. I accidentally clicked “deliver” instead of “delete” in my quarantine. What happens?
    
    A. No problem. Future email will continue to get scanned. And if you accidentally click “Whitelist,” you can go into your “Preferences” and click on “Whitelist/Blacklist” then delete all the “Whitelist” entries that got there accidentally.
    
    
15. I have over 4 pages of quarantined messages. Do I have to delete them, one at a time?
    
    A. No. Next to the “Date” column heading is a checkbox that will check all the messages on the viewable page. You can then select “Deliver,” “Whitelist” or “Delete.” If you have multiple pages of spam, you will need to click this checkbox on each page of your quarantine to select all items for your chosen action.
    
    
16. I will be out for one week. Do you mind if I don't update my quarantine until I get back?
    
    A. This should not present a problem but please note: there is an 21 day limit on your quarantine. When your quarantine has reached this limit, the oldest spam will be removed, and is NOT recoverable. Plan accordingly.
    
    You can decide to “opt out” of the SOM spam filtering service.
    
    
    1. Click on “Preferences” then choose “Spam Settings.”
    2. Next to “Enable Spam Filtering,” click on the radio button in front of “No.” If “no” is selected, messages that would ordinarily be quarantined will be delivered to your inbox.
    3. When you return from your vacation, you can opt back into the Barracuda spam filtering service by clicking the radio button in front of "Yes."
       
       
17. What do I do with spam that makes it through? What process do I undergo to have the SOM spam firewall “learn” that a given message is spam?
    
    A. The SOM spam firewall auto-updates spam definitions on a regular basis, working much like virus definitions. You may see some spam get through for a day or two before new definitions are learned by the SOM spam firewall.
    There will always be some messages that will get through the spam filter. We have tuned the Barracuda to catch as many as possible. You can continue to use filters in your email client to put these messages in the “trash.”
    
    
18. I'm concerned that I am receiving some very offensive email. Is there any end in sight?
    
    A. The SOM spam firewall will be our best defense, but even it won't be 100%. It looks like the desired solution for the University will be a quarantining situation and not one where SOM “blocks” any but the most egregious email. In this way, each individual customer gets to tailor the spam filtering settings to the level appropriate for them.
    
    For many, the SOM spam firewall catches only the messages that should have been caught, but because of the heterogeneous nature of email, we cannot make the spam filtering service more stringent. Given the nature of UCSF's mission this would risk catching many valid messages necessary to the performance of our duties.
    
    
19. My last batch of Barracuda messages were all spam. I selected all the messages, and clicked “deliver” instead of “delete.” Not only did I have those messages delivered, but now it thinks that they aren't spam. What should I do?
    
    A. You will need to delete those messages yourself, but your actions will not affect the Bayesian method of spam categorization used by the SOM spam firewall to recognize spam.
    
    
20. How does the Barracuda service “score” my email and determine whether it is spam or not?
    
    A. The Barracuda score appears in the Header information of the email, not in the Subject line.
    
    Our current scoring goes like this:
    
    
    • 0 - 1.99: Not spam ---> Delivered
    • 2 - 2.99: Likely spam so tag the subject line [Spam] ---> Delivered
    • 3 - 10: Positively spam ---> Quarantined
      
      Here is a sample of the Barracuda header information:
      
      X-Barracuda-Spam-Score: -4.3
      X-Barracuda-Spam-Status: No, SCORE=-4.3 using global scores of TAG_LEVEL=5.1 QUARANTINE_LEVEL=5.0 KILL_LEVEL=1000.0 tests=BAYES_00, HTML_60_70, HTML_FONT_BIG, HTML_MESSAGE, NO_REAL_NAME
      X-Barracuda-Spam-Report: Code version 2.61 Rule breakdown below

      pts rule name description
      0.2 NO_REAL_NAME From: does not include a real name
      0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
      0.1 HTML_MESSAGE BODY: HTML included in message
      0.3 HTML_FONT_BIG BODY: HTML has a big font
      -4.9 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000]
      

21. Do I need any local filtering, in addition to the Barracuda?
    
    A. No, you do not need local filtering. But you may need to modify your filters to allow the Barracuda spam notification to work properly.
    
    
22. I've deleted something from my quarantine by mistake. Can you recover it?
    
    A. No. Once you delete the item, it's gone. You may need to contact the sender.
    
    
23. Will I have deleted all the email that accumulated in my absence by deleting the most recent Barracuda email?
    
    A. Deleting the email quarantine notice will NOT delete the email that is in your quarantine. You must click on the link at the bottom of the email message and enter your quarantine in order to delete your spam.
    
    
24. I have been away from the office. Do I have to open the Barracuda email from each day that I was gone, or are the messages cumulative so that I can view my quarantine in the most recent Barracuda email?
    
    A. Yes, they are cumulative. You can select the link at the bottom of any message, where it says “Click Here,” and be taken into your full quarantine.
    
    
25. Would it be possible in the quarantine email to have it immediately jump to the web page when opened?
    
    A. No, you will need to click on the link inside the email message.
    
    
26. The “delete” link for my two spam messages is not active, so I am not able to delete them.
    
    A. Try the “click here” link at the bottom of the Barracuda email message to delete the spam items from within the quarantine.
    
    
27. In my Barracuda quarantine, is there a way to view an email before deleting it?
    
    A. You may have noticed that when your mouse scrolls over messages they highlight with a dark grey bar. Just click once on the “subject,” “date” or “from” fields and a preview window will open. This window will show you the header information and the first 5,000 bytes of the message in Plain Text format.
    
    
28. I just spent a long time deleting a large amount of messages and now they're all back. I don't want any of them. What am I doing wrong?
    
    A. The notification must have been generated around the time you were working on your quarantine. Check again, and those items should not appear.
    
    
29. I am receiving very strange emails. They are messages that are returned undeliverable, yet I haven't sent anything out to the particular addresses. Please advise.
    
    A. You should delete these items. They may contain viruses. If they are persistent, someone may be spoofing your email address, and you should contact customer support.
    
    
30. How does the Barracuda handle emails that contain viruses?
    
    A. Along with the Trend Micro virus program on the Exchange mail system, the SOM spam firewall provides another layer of virus checking. If identified as containing a virus, the SOM spam firewall blocks delivery of the email with a notice to the intended recipient. It is NOT quarantined.
    
    
31. How does the SOM spam firewall handle attachments?
    
    A. The Barracuda scans attachments and handles them as follows:
    
    
• If it contains a virus, the email is blocked from delivery.
• If it is NOT a virus, the email may be blocked or quarantined depending on the file extension.
  
  For additional information on blocked or quarantined extensions, contact customer support.

Customer Support

CNS customers who have questions about, or who are experiencing difficulty with the new spam firewall system, should contact Desktop Support at (415) 206-5126. Support hours are Monday – Friday, 8 a.m. to 5 p.m.

Revised: 5-21-2007