Go to content

ETSIINF en Twitter ETSIINF en Facebook
Inicio > Services > Electronic mail > Virus and spam filtering

Virus and spam filtering

  1. Objectives
  2. E-mail abuse
    1. Introduction
    2. Types of abuse
    3. Problems caused by abuse
    4. Policies implemented to prevent abuse
  3. How to use the services
  4. Service description
    1. Tools
    2. Virus filter
    3. Spam filter
  5. User profiles
  6. Reporting false positives or negatives
  7. Analysed e-mail logs and statistics


E-mail abuse

The e-mail analysis run by efiltro can prevent two of the key forms of abuse that are spread via electronic mail : viruses and spam.

The RedIRIS web site means to raise awareness about the problems caused by such abusive activities within the higher education community.


We define electronic mail abuse as a collection of activities that do not pursue the usual ends of an e-mail service and directly or indirectly cause harm to e-mail users. Some of the terms usually associated on the Internet with these types of abuse are spamming, mail bombing, unsolicited bulk e-mail (UBE), unsolicited commercial e-mail (UCE), junk mail, etc. They are distributed in a wide variety of ways.

The most prominent type of electronic mail abuse is known as spam. Spam is a term applied to messages indiscriminately distributed to a huge number of recipients. In most cases, the sender of these messages is unknown, and it is impossible to reply to the sender in the usual manner or even identify a valid reply address.

Types of abuse

The activities classed as electronic mail abuse can be divided into four major groups:

Content of an illegal nature (anything that is  party to criminal activities). Examples are defence of terrorism, software piracy, child pornography, threats, fraud, pyramid schemes, viruses or any sort of hostile code... More information about these issues is to be found in the field of legal information. Improper content in a discussion forum. The forum moderator, if any, or alternatively the forum administrator or owner or even the forum users can define what is admissible before it is set up (e.g. by simple majority of a mailing list).
Unauthorized use of someone else's mailbox to forward your own mail. Even if the message itself is legitimate, you are using someone else's resources without their consent (there is no objection to a registered public mailbox being used).
Use of your own or someone else's mailboxes to send bulk advertising or any other type of unsolicited mail is considered improper for several reasons, but mainly because the advertisers pass the costs of their advertising operations on to relayers or recipients no matter whether or not they agree to this.
Addressed to a user or the actual mail system. In both cases, the attack consists of sending a huge number of messages per second with the aim of saturating the lines, server CPU capacity or server or user disk space and ultimately bringing the service to a standstill. This can be viewed as an inversion of the concept of bulk distribution (1->n) in that it is an n->1 attack.
These attacks are known as e-mail bombing and are a particular case of denial of service (DoS). 
List linking is a version of e-mail bombing, where the victim is automatically subscribed to thousands of mailing lists. Because these attacks come from more than one address, they are much harder to deal with.

Problems caused by abuse

E-mail abuse has two effects on users: financial costs and social costs. Another point worth considering is all the time that is wasted on their account. This can be viewed as an indirect economic cost.
To get an idea of the economic magnitude problem and the minimum percentage charged to the sender all you have to do is multiply the cost of sending a message to a recipient by millions of distributed messages. Apart from the nuisance or offence caused by some contents, the social costs of e-mail abuse include the relinquishment of the right to publish your own address on media like News or the Web for fear of it being captured.
The recipient and router operators also share the costs: processing time, disk space, bandwidth and especially staff overtime to solve problems in overflow situations.

Policies implemented to prevent abuse

Executable files that reach user computers via e-mail pose a major threat to the integrity of the information they store, especially taking into account that most viruses now falsify the sender's address. This they collect from the infected computer's address book, and an infected message can in actual fact come from an apparently trustworthy source.

Any infected message that is detected will be rejected, and a notification sent to the recipient if the recipient is a member of any Facultad de Informática domain (local recipient). Bearing in mind the above, the sender will not be warned.

A similar default policy is applied in the event of the reception of non-infected executable files (.exe, .vbs, .pif, .scr, .bat and .com), although the sender will in this case receive a rejection notification. If necessary, users can set up a personal profile for prohibited attachments containing an alternative action.

It is not as clear what to do about e-mail identified as spam. Despite the above inconvenience, some users may want to receive such messages. Also, there is a slight risk of  legitimate messages being deleted if a rejection policy is applied.
For this reason, any message identified as spam will be marked and delivered to its recipient. Users can then set up their mail client to deal with the identified spam message.
After verifying the efficiency of the spam filter, users will have the option of define a personal rejection profile to prevent the spam reaching their computers. No notification will be generated in this case.

How to use these services

The e-mail domain administrators within the .fi.upm.es hierarchy can apply to the Computer Centre  to have the mail they manage analysed before delivery to detect possible viruses and spam in the messages of the users of their respective domains. To do this, they should send a message to filtro.correo@fi.upm.es.

It is up to the administrators to decide whether the same policy will be applied to all their users or whether users can define personal profiles on the filters to be applied.

Service description


Open source software, like Gnu Linux, Postfix, Amavisd-new, SpamAssassin, DSPAM, Razor, DCC and MySQL and Clam Antivirus, was used  to set up the mail filter service.




Clam AntiVirus

Virus filter

All messages are analysed to detect attachments containing viruses. If there is a positive, the following actions are taken:

The filter for prohibited attachment extensions follows a similar default policy. Users can change this default policy by defining a personal profile for prohibited attachments.

Actions to be taken against prohibited attachments (extensions .exe, .vbs, .pif, .scr, .bat and .com):

Spam filter

The default policy is to analyse and mark the message. Users can define a more aggressive policy using a personal anti-spam profile.

Actions to be taken after a positive spam analysis:

User profiles

Users can change some aspects of the default policy applied to the messages addressed to them. To do this, they will need permission from the administrator of their e-mail address domain.

The mechanism is as follows:

Requests have a one-day activation period and cannot be reused.

Reporting false positives or negatives

The spam filter runs a Bayesian probability analysis on the message to detect how similar it is to other messages previously and correctly catalogued as spam. For each of these messages an element is saved in the learned tokens database.

The behaviour of this component needs to be refined to get it to return a fairly reliable probability. All users are welcome to send in wrongly identified messages (make sure, though, that you send them as attachments to another message) to the following addresses:

The messages will be used to feed the continuous learning process of the Bayesian database and will then be removed.

Analysed e-mail logs and statistics

The logs generated by the efiltro.fi.upm.es server during the mail analysis process will be stored for at least a year.

They will record the sender and recipient addresses, size, positive tests and viruses found in the messages.

Additionally, on the grounds of operational requirements, administrator notifications could occasionally be activated. In this case, the message headers will also be recorded.

These logs will be used to generate the following statistics.

These statistics are freely accessible within the Facultad de Informática environment.

Computer Centre