Happyserver.co.uk - Smile Online

HappyScan Virus and Spam Scanner

Our HappyScan service scans email to protect you against two kinds of undesirable message: spam and viruses. These services are optional and are subject to an extra charge depending upon your service agreement with us.

This page contains details of how the scanner works, including which email is scanned and how it is altered.

Please bear in mind that the email scanner is only a first line of defence. You should still run a virus scanner on your computer as there are ways of getting infected other than via email.


Our Anti-spam measures
This section gives details of the way HappyScan deals with identifying spam. There are no clear technical criteria for identifying spam. This is partly because no-one can agree on exactly what spam is. One way of characterizing it is the phrase "Unsolicited Bulk Email": this highlights the aspect of it that involves abuse of the network infrastructure, and there are technical measures that tackle it at that level. Another way of characterizing it is "Anything I Don't Like": this highlights the frequently offensive content of spam, and again it can be tackled using these features.

Because of this lack of clarity, HappyScan uses a mixture of techniques to reduce the amount of spam that users have to deal with: Trend Micro's Network Reputation Services, DNS blacklists and SpamAssassin.

Trend Micro's Network Reputation Services
We use the Network Reputation Services to block spam at source by validating IP addresses against a comprehensive and reliable reputation database. The ever-expanding database currently contains 1.6 billion IP addresses with reputation ratings based on spamming activity.

DNS blacklists
We use DNS blacklists to identify the IP addresses of computers on the Internet that we will not accept email from. There are a number of reasons that an IP address may be blacklisted: the computer may be misconfigured in such a way as to make it open to abuse by spammers; the address may be listed by its owner as one that should never send email; or the address may be allocated to an organization that is known to send spam.

There are a number of different DNS blacklists with varying policies about listing IP addresses, some of which are more aggressive than others. When rejecting email, we only use DNS blacklists that have a good reputation for not gratuitously listing legitimate IP addresses.

SpamAssassin
SpamAssassin is a system that performs a large number of tests on a message to decide if it is spam. These tests look at the content of the message, various technical details in its headers, and query databases on the Internet. Many of the tests identify features of the message that are common in spam and some of them identify non-spam features. Each test has an associated score which is positive for spam and negative for non-spam. The scores of all the tests that succeed are added together to produce an aggregate score for the message as a whole. The higher the score the more likely it is to be spam.

SpamAssassin's results are added to the message headers and those having a high enough score will be filtered into another mailbox. We take care in ensuring that the tests our system uses are always updated frequently, and custom Bayesian Filtering is used to improve the performance.


Our Anti-Virus Measures
Unlike spam, there are clear technical criteria for identifying viruses, since viruses target computers rather than people. This means that it is possible for us to filter out infected email centrally with less risk of losing legitimate email. The scanner filters email using commercial virus scanning software, and as a further level of protection it also filters attachments based on the name and type of the file they contain. This extra protection helps when there are delays getting a virus database update from the vendor, and it reduces the ways in which malicious email can trick users.

The details of the policy implemented by the virus filter are largely determined by the way the scanner works and by weaknesses in Internet email. The scanner looks at a message after it has been accepted by Happyserver, since this gives us better control over the load on the computers and makes them more resistant to attack. This means that we have two possible responses to an infected message: either return it to its sender, or make it safe before delivering it to its recipient. However there is no guarantee in Internet email that the apparent sender of a message really did send it, and email worms in particular frequently forge messages such that returning an infected message to its "sender" would incorrectly tell some innocent third party that they have a virus infection. Therefore the virus filter will alter email to remove viruses before sending the messages on to their recipients, as described below.

The most common and troublesome kind of viruses that the scanner aims to stop are "worms" that target weaknesses in Microsoft Outlook etc. and propagate automatically via email. These worms are never attached to legitimate email so it makes no sense to deliver their messages after disinfection. Therefore we maintain a list of known email worms which the virus filter discards without informing either the (forged) sender or the recipient.

Anti-Virus Policy
If a message contains a virus-infected attachment that can be disinfected by the virus scanner then it will be. The recipient will receive everything that was sent, plus a virus warning.
If it cannot be disinfected then the attachment will be replaced by some advisory text that explains the problem.
Similarly, if the attachment has a dangerous file type or name it will also be replaced by advisory text. Dangerous file types include executable programs. Dangerous file names include those that are too long or which contain too much punctuation or white space.
Partial messages and messages with external bodies are also forbidden, because the scanner is unable to obtain all the content of the message at once so that viruses can be correctly identified.
If the message is generated by a known worm on the list maintained by us, it will be deleted without informing anyone.
The first two cases above should be rare if you and your correspondents keep your anti-virus software up-to-date, though they may also be caused by a new worm that hasn't yet been put on the delete list. If the message is legitimate (which a human can decide in a way that software cannot) then the recipient should inform the sender that they have a virus problem.

If you want to send a message containing a dangerous file, you can avoid the file type and name restrictions by putting it in a zip file before sending. Note that the virus scanner can look for viruses inside zip files and other types of archive, but the file type and name restrictions only apply to the outer wrapping of the attachment.


How HappyScan alters your email

Scanner headers
The email scanner adds some headers to each message that passes through, containing some information about what the scanner found. You can see them by viewing the full headers of the message. If a message is scanned more than once (e.g. because it has been re-sent) then it will have more than one set of scanner headers.

Each of the headers starts X-HappyScan-. The X- indicates that this is a non-standard header. The -HappyScan- is to distinguish our scanner from other email scanners which may scan the message.

The X-HappyScan-Information: header contains the URL of this web page, so that people can find out the operational details of the scanner without needing to know anything about HappyScan or HappyServer.

The X-HappyScan-VirusCheck: header summarizes the findings of the virus scanner. It may say "Disinfected" if a virus was found and successfully removed leaving the uninfected attachment intact; or "Infected" if a virus was found and the attachment was removed because it could not be disinfected, or if an attachment had a dangerous file name or file type; or it may say "No Virus Detected" if the message passed the virus filter OK.

The X-HappyScan-SpamCheck: header contains the results of the spam scanner. It will say "Not scanned" if the message comes from within the University; otherwise it will look something like this:

X-HappyScan-SpamCheck: not spam, SpamAssassin (score=-4.7, required 5, AWL 0.00, BAYES_00 -4.90, HTML_MESSAGE 0.10, RCVD_IN_SORBS 0.10)
The text in the brackets includes the overall score assigned to the message by SpamAssassin, and the list of tests that the message matched with the score for each test.

If the message has a spam score greater than one, a fourth header is added. The X-HappyScan-SpamScore: header contains a sequence of "*" characters equal in length to the message's score rounded down to a whole number, e.g. ***** for a score of 5.2.

Bodies and attachments
When the anti-virus filter alters an email it does the following things:
It replaces the problematic attachment with some advisory text, and discards the original;
It adds a warning to the body of the message, which refers to the replacement attachment;
It adds a tag to the Subject: line to mark that the message has been filtered.
We do not keep the original attachment for a number of reasons, as follows. If it contains a virus it is too dangerous to keep. If it had a dangerous file name or file type, the original sender should still have a copy and can re-send it in a zip file so we do not need to keep a copy as well. There are also questions about the legality of intercepting messages, i.e. keeping a copy of them, which do not arise when messages are mechanically altered.

The advisory text in the replacement attachment includes a link to a web page which explains more about what the recipient should do about the filtered message. There are a few different versions depending on why the message was filtered: for disinfected viruses, for deleted viruses, and for dangerous file names and file types.