E-mail and Anti-Spam - FAQ

Last Updated: 01/10/2018

General FAQ

Are there laws governing spam?

Yes. The CAN-SPAM Act of 2003: Requirements for Commercial Emailers. More information can be found at: www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm .

Does CU sell email addresses?

No, CU Boulder does not sell email addresses. Recognized departments and affiliates are permitted access to the CU Boulder Today and Administrative E-memo services when they have large numbers of email to send to faculty, students, and staff.

Should I click unsubscribe when I get a spam message?

No, it's best to delete messages. Clicking an unsubscribe link may confirm to the spammer that your email address is working and is being used actively. Such 'live' email addresses are valuable and can be resold to other spammers, resulting in even more spam sent to you.

Should I file a complaint about spam to OIT?

Very little spam actually originates at CU Boulder, though it often appears otherwise. Unless you view full headers, you can't tell where it came from. Even with full headers, it can be difficult to track the actual path the message took to get here. If you are sure the spam originated at CU Boulder, file a complaint by forwarding it with full headers to help@colorado.edu.

What are full headers?

All email messages have heading information that indicates how they got from the sender to you. Typically, you see only a few header lines - To:, From:, and Subject:. These header lines are unreliable because they can easily be forged (a result of the open standards used for email on the Internet). To track down the point of origin of a message, you need to view all of the headers - what we call "full headers."

What is spam?

The word spam is derived from a skit performed by the Monty Python comedy group. Its use today refers to unsolicited, commercial email. OIT mail servers process more than 10 million incoming email messages on a typical day. It is estimated that as much as 75 percent of these messages are spam. Add to that a growing number of viruses and you begin to understand the scope of the problems that unchecked email could pose to a network like CU Boulder's.

What should I do with the spam messages I receive?

We recommend you delete the message and empty your deleted items folder periodically to reclaim space consumed by deleted messages. For all faculty, staff, and students who use Gmail or Exchange Online, you can create filters in your email client.

Also, resist the temptation to respond to it or to visit a web site that claims you can be unsubscribed. Often those are decoys used to determine whether your address is valid. Once you acknowledge to a spammer that your account is active, the address becomes much more valuable and may be resold to other spammers. Spammers often falsely claim that you have requested to be on their list. Responding to such claims confirms the validity of your email and makes it likely you will receive even more unwanted email. Legitimate businesses will recognize and honor list removal requests, but it's not always easy to determine whether a business has such integrity.

If you feel a message is threatening, contact the appropriate law enforcement agency immediately. If a message appears to be fraudulent, contact the Federal Trade Commission.

If the message originated at CU Boulder, it should be forwarded to help@colorado.edu for investigation. However, be aware that most return addresses are forged, and what appears to originate here may have come from somewhere else. Please verify through reading the full email headers where the email came from before forwarding to abuse. For information on deciphering email headers, contact your departmental IT Liaison. Use the List of Campus IT Practitioners & IT Communications Liaisons if you do not know who your Liaison is.

Why is there so much spam?

The amount of unwanted commercial email continues to increase at an exponential rate, since sending bulk email is a cheap and easy way to market a product or promote a scam. Many Internet service providers, especially those outside the U.S., take few precautions to ensure they are not aiding in the spam process.

OIT Spam/Virus Blocking and Spam Filtering

Do I still need to use antivirus software?

Yes. The implementation of this new technology does not change the fact that all email users must still be vigilant to limit the spread of spam and viruses. If you haven't already done so, you should install antivirus.

How does OIT determine what messages are blocked or tagged as spam?

OIT scans incoming messages and uses an extensive collection of rules and reputation scoring to determine the likelihood that a message is spam. Based on this likelihood, messages are given an “SBRS” (SenderBase Reputation) score and an IronPort SPAM Score. For SBRS, the range is from 10 (likely a trustworthy sender) to -10 (apparent spammer). A score of “none” indicates that there was no information about the sender at the time the message was being processed.

For the IronPort SPAM score, the range is 0-100. Email scored between 0-49 are considered “clean” and are delivered without alteration. Messages scored between 50-90 are considered “suspect” and are tagged with POTENTIAL-SPAM in the subject line. Messages with a score of above 90 are considered positive SPAM and are not delivered.

If the message is flagged as "Potential Spam," and delivered to your email account, the scoring information will appear in the message header. To learn more about this click here.

How frequently do false positives occur?

Our testing shows fewer than 1% of messages are incorrectly flagged as spam. The risk of improperly flagging messages must be weighed against the loss of productivity, resources, and offensiveness of the flood of spam the campus experiences.

What are 'false negatives'?

False negatives are messages that you consider to be spam but which were not flagged as such. This occurs when the spam score associated with the message falls below the threshold and so it was not categorized as spam. If you would like to report a "false negative" see How to Report Spam page.

What are 'false positives'?

Messages incorrectly marked as spam are known as false positives. Some legitimate messages contain many of the characteristics of spam, such as common spam phrases or HTML tags. If enough of these spam-like attributes are found, the score for the message will have a score higher than 49. Messages scored between 50 and 90 will still be delivered to your email account and flagged as "Potential Spam." Messages cored higher than 90 will be blocked and not delivered to your email account. If a blocked message is found to be a "false postive," contact the IT Service Center within two days. OIT also recommends that you periodically review your email marked as "Potentital Spam," for false positives. You can also report "false positives" by following the directions on How to Report Spam page.

What do I do if a legitimate message was blocked?

If you are certain that a legitimate message was blocked and not delivered to your email account, contact the IT Service Center right away at 303-735-HELP (5-4357 from an on-campus phone). Please have the following information ready to provide the service agent:

  • From (who the message is from)
  • To (who the message is to)
  • Date
  • Time
  • Subject

If you contact the IT Service Center within three days of missing a legitimate email, there is a possibility that the message can be retrieved and delivered to you.

If legitimate message from that host continues to be blocked, call the IT Service Center 303-735-HELP (5-4357 from an on-campus phone) for further assistance.

What happens to messages that are infected with a virus?

Many virus infected emails will not be delivered to your email account. However, that does not change the fact that all email users must still be vigilant to limit the spread of spam and viruses. If you haven't already done so, you should install antivirus.

What is OIT doing about spam?

OIT uses an email filtering technology to process incoming email for spam and viruses for the CU Boulder campus. This technology can be described as a spam and virus firewall. Messages will be scored on a scale of -10-10 and again from 0-100. Any messages scored between 50 and 90 will be delivered to your email account, but marked as "Potential Spam." Messages scored above 90 will be blocked, and therefore not delivered to your email account. Learn more about marking potential spam.

How do I filter messages marked "Potential Spam" into a separate folder?

Filtering allows you to easily sort through incoming messages and separate them into other folders based on content, such as the sender and subject of the message. Most email clients support the customizable filters.

URL Filtering

Why do we need URL filtering at CU Boulder?

Email attacks have become one of the most common ways of compromising university user accounts, systems and data. And despite the university regularly conducting IT security awareness campaigns and warning against phishing, hundreds of university students, faculty and staff respond each time the Office of Information Security sends phony phishing messages as part of its proactive email phishing awareness campaign. URL scanning and rewriting for all email traffic has proven a highly effective strategy to reduce the incidence and impact from email phishing and malicious content attacks.

How does URL filtering work?

A: The URL filtering service works very similarly to the campus email anti-spam/anti-virus solution. Cisco maintains a database of known good and known bad URLs and domain names. For every email sent to a CU Boulder email address, the IronPort devices (the appliances that provide email routing, anti-spam, and anti-virus services to CU Boulder) scan the email content for anything that resembles a URL. If one is found, the URL is compared against the Cisco database. There are 3 possible reputation scoring outcomes:

  • Clean URL: IronPort recognizes the URL as safe and delivers the email to users without any modification.
  • Suspicious URLs: IronPort determines the URL reputation is either a) suspicious (known to have some issues, but not known to be malicious at the moment) or b) unknown (sites that Cisco has either never seen before or has seen so infrequently they do not have enough data to determine the website’s purpose). Suspicious and unknown URLs are rewritten to point to a secure web page for future analysis and possible access prevention.
  • Malicious URLs: If IronPort recognizes the URL as a known malicious site, the URL is completely removed before delivery.
How do URLs get classified as Clean?

Two methods exist for classifying a URL as “Clean” prior to delivery.

  • Cisco URL reputation tracking may indicate a URL is safe. This includes all commonly known and used websites including federal and state government websites, other higher education institutions, eCommerce websites, and any significantly large company website.
  • OIT maintains a list of “known good” websites commonly used for conducting CU Boulder business. For example, any link referencing any of the University of Colorado websites (*.colorado.edu, *.ucdenver.edu, *.uccs.edu or *.cu.edu) will always be treated as “clean” and never be rewritten. We have also added domains that have been approved as email delivery locations to the list of “known good” websites. We have also attempted to identify the external websites used for providing services to CU Boulder (e.g. *.qualtrics.com, *.salesforce.com, or *.zoom.us) and will add additional known “clean” URLs/domain names as needed.
How can I add a website to OIT's list of "known good" websites?

If you know of any external web URL used for conducting CU Boulder business and want to make sure it never has a rewritten URL, please contact the IT Service Center at help@colorado.edu or 303-735-4357 to help us update the list.

Why are some URLs rewritten as very long URLs?

The Cisco URL reputation database tracks websites over time to determine what, if any, risk they may pose. If a website has had issues with malicious content, Cisco will downgrade the reputation. URLs pointing to websites that have a suspicious reputation, or websites that have not been cataloged by Cisco, are rewritten by the IronPort appliances and therefore have a long URL that starts with http://secure-web.cisco.com. The very long URL is used to track every email message and the user it is sent to for reporting purposes; the length is due to generating a unique URL for the millions of messages delivered each day. Unfortunately there is no way for us to control these URLs as they are automatically produced by Cisco when it comes across a site that does not yet have a reputation.

Why are some URLs removed with a warning?

If the Cisco URL reputation database identifies a web link to a known malicious website, the URL is completely removed from the email message and replaced with the text “MALICIOUS URL REMOVED.” A heading is added to the top of the email message explaining the action:

What should I do if a URL is incorrectly blocked?

If you encounter a URL that is being blocked, but has a legitimate business function for our campus, please contact the IT Service Center at help@colorado.edu or 303-735-4357 to request a “Safe URL Exception.” The Messaging & Collaboration team will investigate the blocked URL and make a determination about its whitelisting status and follow up with the requestor.