Email Security and Filtering

Overview

OIT servers regularly process more than 10 million incoming email messages per day. Using an extensive multi-tiered filtering solution, OIT is able to catch more than 75% of incoming messages categorized as spam or otherwise malicious messages. As part of this process, OIT servers scan messages for malicious content (URLs, viruses and certain file types) and remediate them.

URL Filtering

As of September 2017, OIT will be scanning messages for URLs with poor reputations in an effort to protect the campus from malicious web links. When suspect or malicious URLs are found, you will either recieve a warning heading in the email or a notification webpage when you click a link.

Email Heading Notifications

If the campus servers determine a URL is malicious, the URL will be removed from the message and a warning heading added to the email similar to this:

Malicious URL Notification

In other instances, if the campus servers are unable to definitively determine if a URL is malicious, it may still be considered suspect and routed through Cisco, an external security service, for further evaluation. If Cisco finds malicious activity, the URL may be rewritten and you will receive a notice when attempting to click the URL:

Outbreak Filters 

Starting April 2018, Outbreak Filters will be enabled for all campus email accounts. Outbreak filters perform a threat assessment of inbound and outbound messages and temporarily quarantine suspicious messages. Once outbreak rules from security vendors are received, messages are automatically released to the recipient. Users may notice a slight time delay when receiving messages that have been quarantined, but otherwise should not expect any disruption. 

The maximum delay users may see are as follows: 

  • Suspect messages without attachments: May be quarantined for up to 1 hour before delivery. Suspicious messages proven to be malicious will not be delivered.
  • Suspect messages with attachments that may be viruses:  May be quarantined for up to 1 day before delivery. Suspect messages proven to have attached viruses will not be delivered.

It is possible that some messages remain suspicious when released from quarantine yet do not rise to a level deemed an outright threat. In these cases, emails will have “[SUSPICIOUS MESSAGE]” added to the beginning of the subject line (this process is similar to what happens with messages identified as “[POTENTIAL SPAM]”). In most cases, messages labeled “[SUSPICIOUS MESSAGE]” are considered spam by most people. In the cases of false positives, the sending address may be added to the campus safe list.

Allow list

When a website is malicious or has been compromised, it will likely be blocked by the new filtering measures. To reduce the incidence of false positives, OIT has proactively added websites that are commonly referenced in communication from our campus to the allow list. If you have questions or find a URL that is being blocked but has a legitimate business function for our campus, please contact the IT Service Center at oithelp@colorado.edu or at 303-735-4357 for assistance.

Features

  • OIT's email filtering solution is able to determine the level of likelihood that an incoming message is spam.
  • Messages with a mid-range spam filter score are flagged as "POTENTIAL SPAM" in the subject line of the message, which allows you to set up a filter to keep these messages from ending up in your inbox.
  • Messages with a very high spam filter score are blocked entirely from reaching your inbox.
  • Messages carrying viruses are blocked prior to delivery.
  • Messages with attachments that are considered a threat will have the attachments removed and a notice inserted prior to delivery.
  • URLs (commonly known as web links) are scanned for poor reputation and removed or tagged for further evaluation as needed. (Enabled 09/18/2017)

Cisco Email Reporting Plug-in for Outlook for Windows 2016 and 2013

The Cisco Email Reporting Plug-in enables Outlook for Windows users to submit feedback to Cisco about unsolicited and unwanted email messages, such as spam, viruses, phishing, and marketing messages. Cisco uses this feedback to update its filters to stop unwanted messages from being delivered to your inbox.

You can also report false positives, which are legitimate email messages that are marked as spam, to Cisco by using the Not Spam button. Cisco uses reports about false positives to adjust its spam filters to avoid misclassifying legitimate email in the future. Any valid email can be reported as Not Spam and will help to increase filter efficacy.

This plug-in provides a convenient interface that enables you to submit feedback by using toolbar buttons and right-click context menus. When you report a message, a dialog box appears indicating that the message was submitted. The message data that you submit is used by automated systems to improve the Cisco filters. By submitting message data, you help to reduce the volume of unsolicited email in your inbox.

If you would like to have this plug-in installed, call the IT Service Center (303-735-4357 or 5-HELP from an on-campus phone), or email oithelp@colorado.edu.

Antivirus

Many virus-infected emails will be captured before they are sent out from campus or before they are delivered to your email account, however, all email users must still be vigilant to limit the spread of viruses. OIT recommends several antivirus solutions for CU Boulder faculty, staff, student staff, and students. Visit the Antivirus page for for detailed information regarding CU Boulder's recommended antivirus solutions and to choose the solution that best fits your needs and specifications.