HappyScan Virus and Spam Scanner
Our HappyScan service scans email to protect you against two kinds
of undesirable message: spam and viruses. These services are optional and are
subject to an extra charge depending upon your service agreement with us.
This page contains details of how the scanner works, including which email
is scanned and how it is altered.
Please bear in mind that the email scanner is only a first line of defence.
You should still run a virus scanner on your computer as there are ways of getting
infected other than via email.
Our Anti-spam measures
This section gives details of the way HappyScan deals with identifying spam.
There are no clear technical criteria for identifying spam. This is partly because
no-one can agree on exactly what spam is. One way of characterizing it is the
phrase "Unsolicited Bulk Email": this highlights the aspect of it
that involves abuse of the network infrastructure, and there are technical measures
that tackle it at that level. Another way of characterizing it is "Anything
I Don't Like": this highlights the frequently offensive content of spam,
and again it can be tackled using these features.
Because of this lack of clarity, HappyScan uses a mixture of techniques to
reduce the amount of spam that users have to deal with: Trend Micro's
Network Reputation Services, DNS blacklists and SpamAssassin.
Trend Micro's Network Reputation Services
We use the Network Reputation Services to block spam at
source by validating IP addresses against a
comprehensive and reliable reputation database. The ever-expanding database currently
contains 1.6 billion IP addresses with reputation ratings based on
We use DNS blacklists to identify the IP addresses of computers on
the Internet that we will not accept email from. There are a number of reasons
that an IP address may be blacklisted: the computer may be misconfigured in
such a way as to make it open to abuse by spammers; the address may be listed
by its owner as one that should never send email; or the address may be allocated
to an organization that is known to send spam.
There are a number of different DNS blacklists with varying policies about
listing IP addresses, some of which are more aggressive than others. When rejecting
email, we only use DNS blacklists that have a good reputation for not gratuitously
listing legitimate IP addresses.
SpamAssassin is a system that performs a large number of tests on a message
to decide if it is spam. These tests look at the content of the message, various
technical details in its headers, and query databases on the Internet. Many
of the tests identify features of the message that are common in spam and some
of them identify non-spam features. Each test has an associated score which
is positive for spam and negative for non-spam. The scores of all the tests
that succeed are added together to produce an aggregate score for the message
as a whole. The higher the score the more likely it is to be spam.
SpamAssassin's results are added to the message headers and those having a
high enough score will be filtered into another mailbox. We take care in ensuring
that the tests our system uses are always updated frequently, and custom Bayesian
Filtering is used to improve the performance.
Our Anti-Virus Measures
Unlike spam, there are clear technical criteria for identifying viruses, since
viruses target computers rather than people. This means that it is possible
for us to filter out infected email centrally with less risk of losing legitimate
email. The scanner filters email using commercial virus scanning software, and
as a further level of protection it also filters attachments based on the name
and type of the file they contain. This extra protection helps when there are
delays getting a virus database update from the vendor, and it reduces the ways
in which malicious email can trick users.
The details of the policy implemented by the virus filter are largely determined
by the way the scanner works and by weaknesses in Internet email. The scanner
looks at a message after it has been accepted by Happyserver, since this gives
us better control over the load on the computers and makes them more resistant
to attack. This means that we have two possible responses to an infected message:
either return it to its sender, or make it safe before delivering it to its
recipient. However there is no guarantee in Internet email that the apparent
sender of a message really did send it, and email worms in particular frequently
forge messages such that returning an infected message to its "sender"
would incorrectly tell some innocent third party that they have a virus infection.
Therefore the virus filter will alter email to remove viruses before sending
the messages on to their recipients, as described below.
The most common and troublesome kind of viruses that the scanner aims to stop
are "worms" that target weaknesses in Microsoft Outlook etc. and propagate
automatically via email. These worms are never attached to legitimate email
so it makes no sense to deliver their messages after disinfection. Therefore
we maintain a list of known email worms which the virus filter discards without
informing either the (forged) sender or the recipient.
If a message contains a virus-infected attachment that can be disinfected by
the virus scanner then it will be. The recipient will receive everything that
was sent, plus a virus warning.
If it cannot be disinfected then the attachment will be replaced by some advisory
text that explains the problem.
Similarly, if the attachment has a dangerous file type or name it will also
be replaced by advisory text. Dangerous file types include executable programs.
Dangerous file names include those that are too long or which contain too much
punctuation or white space.
Partial messages and messages with external bodies are also forbidden, because
the scanner is unable to obtain all the content of the message at once so that
viruses can be correctly identified.
If the message is generated by a known worm on the list maintained by us, it
will be deleted without informing anyone.
The first two cases above should be rare if you and your correspondents keep
your anti-virus software up-to-date, though they may also be caused by a new
worm that hasn't yet been put on the delete list. If the message is legitimate
(which a human can decide in a way that software cannot) then the recipient
should inform the sender that they have a virus problem.
If you want to send a message containing a dangerous file, you can avoid the
file type and name restrictions by putting it in a zip file before sending.
Note that the virus scanner can look for viruses inside zip files and other
types of archive, but the file type and name restrictions only apply to the
outer wrapping of the attachment.
How HappyScan alters your email
The email scanner adds some headers to each message that passes through, containing
some information about what the scanner found. You can see them by viewing the
full headers of the message. If a message is scanned more than once (e.g. because
it has been re-sent) then it will have more than one set of scanner headers.
Each of the headers starts X-HappyScan-. The X- indicates that this is a non-standard
header. The -HappyScan- is to distinguish our scanner from other email scanners
which may scan the message.
The X-HappyScan-Information: header contains the URL of this web page, so that
people can find out the operational details of the scanner without needing to
know anything about HappyScan or HappyServer.
The X-HappyScan-VirusCheck: header summarizes the findings of the virus scanner.
It may say "Disinfected" if a virus was found and successfully removed
leaving the uninfected attachment intact; or "Infected" if a virus
was found and the attachment was removed because it could not be disinfected,
or if an attachment had a dangerous file name or file type; or it may say "No
Virus Detected" if the message passed the virus filter OK.
The X-HappyScan-SpamCheck: header contains the results of the spam scanner.
It will say "Not scanned" if the message comes from within the University;
otherwise it will look something like this:
X-HappyScan-SpamCheck: not spam, SpamAssassin (score=-4.7, required 5, AWL
0.00, BAYES_00 -4.90, HTML_MESSAGE 0.10, RCVD_IN_SORBS 0.10)
The text in the brackets includes the overall score assigned to the message
by SpamAssassin, and the list of tests that the message matched with the score
for each test.
If the message has a spam score greater than one, a fourth header is added.
The X-HappyScan-SpamScore: header contains a sequence of "*" characters
equal in length to the message's score rounded down to a whole number, e.g.
***** for a score of 5.2.
Bodies and attachments
When the anti-virus filter alters an email it does the following things:
It replaces the problematic attachment with some advisory text, and discards
It adds a warning to the body of the message, which refers to the replacement
It adds a tag to the Subject: line to mark that the message has been filtered.
We do not keep the original attachment for a number of reasons, as follows.
If it contains a virus it is too dangerous to keep. If it had a dangerous file
name or file type, the original sender should still have a copy and can re-send
it in a zip file so we do not need to keep a copy as well. There are also questions
about the legality of intercepting messages, i.e. keeping a copy of them, which
do not arise when messages are mechanically altered.
The advisory text in the replacement attachment includes a link to a web page
which explains more about what the recipient should do about the filtered message.
There are a few different versions depending on why the message was filtered:
for disinfected viruses, for deleted viruses, and for dangerous file names and