Cal.net Internet Solutions -- Quality Internet Services Wherever You Are
CanIt-PRO User's Guide

Chapter 2 - Trap Contents

The CanIt-PRO Spam Trap is a quarantine area in which CanIt-PRO holds messages that it thinks might be spam.

2.1 Viewing the Spam Trap

To view pending messages in the spam trap, click on the "Trap Contents" link. The pending messages screen will appear.

Figure 2.1: Pending Messages

2.1.1 Message Summary Display

The fields in the display have the following meanings:

Date is the date and time the message was first received.

Subject is the message subject.

Sender is the sender as specified in the SMTP dialog. Be aware that spammers can easily fake the sender address.

Relay is the SMTP relay host which transmitted the message. This is somewhat harder to fake than the sender address. Note that sometimes a message can be sent from more than one SMTP relay host. If that is the case, you need to look up the incident details (described later) to get a list of all the relay hosts.

Score is the spam score assigned by the spam-scanning rules. The higher the score, the more "spam like" the message appears. Any message scoring 5 or higher is held in the pending trap.

A message may be held even if it scores lower than 5. If this is the case, a "Hold Reason" will appear below the score. Possible hold reasons are:

HoldRelay You have asked CanIt-PRO to always hold messages from the sending relay.
HoldSender You have asked CanIt-PRO to always hold messages from the sender.
HoldDomain You have asked CanIt-PRO to always hold messages from the sender's domain.
HoldRBL The sending host is in a real-time blacklist, and you have asked CanIt-PRO to hold mail from hosts in the blacklist.
HoldVirus A virus was detected in the message, and you have asked CanIt-PRO to hold messages containing viruses.
HoldEXE Potentially executable content was detected in the message, and you have asked CanIt-PRO to hold such messages.
HoldMIME The message was held because of a MIME type rule.
HoldEXT The message was held because of a filename extension rule.

Status and Action shows the current status of the message, and lets you determine the fate of pending messages. This is described more fully in Section 2.2.

2.1.2 Sort Order

Normally, CanIt-PRO sorts messages in order of date received, with most recent messages first. You can click on the arrow near the "Score" column (for example) to sort by score. Click on the little up-arrow in a column to sort by that column in ascending order. Click on the down-arrow to sort in descending order. CanIt-PRO colors the little arrow corresponding to the current sort order red.

2.1.3 Message Body Display

To view the body of a particular message, click on the message subject. The first 8kB of the message body will be displayed.

2.1.4 Summary of Links

The Message Summary Display contains many hyperlinks. These links are as follows:

  • Click on the Date to display incident details
     
  • Click on the Subject to display the first 8kB of the message body. Note that some spammers try to hide messages by encoding them using Base64 encoding (a special encoding for transmitting binary data). Click on "Base64-Decoded Message" at the top of the message display to decode the message. You can also click on "Strip HTML Tags" to more easily read the text of HTML messages.
     
  • The Sender entry is split over two lines. Click on the first line (user@) to open the Sender Action page. Click on the second line (domain.com) to open the Domain Action page. Finally, click on the "W" to perform a WHOIS query on the domain.
     
  • The Relay entry is split over two lines. Click on the first line (the relay's IP address) to open the Host Action page. Click on the second line (the relay's host name, if resolvable) to open a WHOIS query on the relay's IP address.
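The "Base64-Decoded Message" and "Strip HTML Tags" views described above do two separate things: undo the MIME transfer encoding that hides the body from a plain-text glance, and then drop the markup so the words can be read. The following Python script is an added example written for this guide; it is not CanIt-PRO code. It builds a constructed message whose HTML body is Base64-encoded, shows what the raw payload looks like, decodes it with the standard library `email` package, strips the tags, and applies the same 8kB display limit the guide mentions.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real spam): the HTML body is sent with
# Content-Transfer-Encoding: base64, so the raw bytes show no readable text.
_HTML_BODY = b"<html><body><p>Buy <b>now</b> at http://example.invalid/</p></body></html>"
RAW_MESSAGE = (
    b"From: someone@example.com\n"
    b"To: you@example.net\n"
    b"Subject: hello\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\n"
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.b64encode(_HTML_BODY) + b"\n"
)

DISPLAY_LIMIT = 8 * 1024  # the guide shows only the first 8kB of a body


class _TextExtractor(HTMLParser):
    """Keeps only text nodes and drops every tag (the 'Strip HTML Tags' view)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html_tags(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    # Collapse runs of whitespace left behind by removed block elements.
    return " ".join("".join(parser.parts).split())


def _body_part(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Prefer the HTML part, fall back to text/plain; a non-multipart
    # message is its own body part.
    return msg.get_body(preferencelist=("html", "plain")) or msg


def raw_body(raw, limit=DISPLAY_LIMIT):
    """What the summary display shows before decoding: the transfer-encoded payload."""
    return _body_part(raw).get_payload(decode=False)[:limit]


def decoded_body(raw, limit=DISPLAY_LIMIT):
    """The 'Base64-Decoded Message' view: undo the transfer encoding, then cap at limit bytes."""
    part = _body_part(raw)
    payload = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "us-ascii"
    return payload[:limit].decode(charset, errors="replace")


if __name__ == "__main__":
    print("raw:    ", raw_body(RAW_MESSAGE)[:60], "...")
    print("decoded:", decoded_body(RAW_MESSAGE))
    print("text:   ", strip_html_tags(decoded_body(RAW_MESSAGE)))
```

The `decode=True` call handles quoted-printable as well as Base64, so the same function works for either encoding; the tag stripper is a parser rather than a regular expression so that malformed or nested markup does not leak tags into the displayed text.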

2.2 Message Disposition

In the message summary display, any one-shot or pending message has an entry box for controlling the disposition of the message. The possible values for the action are:

Do Nothing - leave the status of the message as one-shot or pending for now.

Accept Message - mark the message as not-spam so it will be accepted the next time it is received.

Reject Message - mark the message as spam so it will be rejected.

Blacklist host - mark the message as spam and in addition, ban connections from the SMTP relay host (or hosts) which transmitted the message.

Whitelist host - mark the message as not-spam and in addition, do not hold any messages from the SMTP relay host (or hosts).

Blacklist sender - mark the message as spam and automatically reject any future messages from the sender.

Whitelist sender - mark the message as not-spam and automatically accept any future messages from the sender.

Blacklist domain - mark the message as spam and automatically reject any future messages from the domain. (The domain is everything after the @ in the sender's address.)

Whitelist domain - mark the message as not-spam and automatically accept any future messages from the domain.

Silently discard - silently discard the message. Neither the sender nor the recipient will receive notification that the message was lost. Do not use this option lightly; it is considered a serious breach of Internet etiquette to silently discard e-mail.

To set message dispositions, set the action boxes appropriately and then click on Submit Changes. A summary of the actions will appear. Note that if you set the Method for choosing spam-trap actions preference to "Checkbox", then instead of a drop-down list, you get a series of buttons like this:

Figure 2.2: Checkboxes

  • Select the red "X" to reject a message.
     
  • Select the green check mark to accept a message.
     
  • Select the question-mark to take no action.

2.2.1 Quick Spam Disposal

If your browser is JavaScript-enabled, then a line of buttons similar to Figure 2.2 appears after the word "All" near the top of the display. This lets you set all the action boxes on the page with one click:

  • Select the question-mark to set all action boxes to Do Nothing.
     
  • Select the red "X" to set all action boxes to Reject message.
     
  • Select the green check mark to set all action boxes to Accept message.

2.3 Incident Details

To view the details about a pending-message incident, click on the date of the particular message. The incident page appears.

Figure 2.3: Incident Page

The Incident page contains the following information:

2.3.1 Basic Details

Incident ID is an integer assigned to each incident. This ID is sent in the SMTP failure messages so you can trace down a spam incident.

Date is the date the message was first received.

Subject is the message subject. Click on the subject to see the message body.

Decoded Subject is a decoded version of the message subject. Sometimes e-mail programs encode the subject, making it unreadable. If this is the case, CanIt-PRO will decode the subject and display it.

Score is the spam-scanning score.

Status and Action is the incident status. It is one of the following:

  • New incident; only one transmission so far.
     
  • This incident is still open.
     
  • Message was not spam.
     
  • Message was spam.

Bayes Training tells you how the incident was trained in the Bayes database, and gives you an option to change the training. Note that this line will not appear if the Bayes signature has expired from the database.

Freeze Status tells you whether or not the incident is frozen. See Section 4.7 on page 25 for details.

Resolution is the action that was taken to dispose of the incident. If the incident is still pending, you will have an opportunity to dispose of it here.

Resolved By is the user who resolved the incident. The special system-user * is used for unresolved incidents, expired one-shot messages and automatically-rejected messages.

Message Note is an area for you to add notes about the incident. If you approve an incident, the message note will be appended when the message is delivered.

2.3.2 Address Information

The host information table is a table with a row for each relay host which attempted to deliver the message. The table contains the time the host first attempted delivery, the envelope sender, the relay host IP address and host name, and the number of delivery attempts from that host. Click on the relay IP to open the Host Action page for that relay, or on the relay name to perform a WHOIS query.
The recipients table lists all of the recipients of the message.

2.3.3 History

The history table is a log of actions taken for this incident. It records when the incident was opened, and when it was closed (and who closed it). The columns in the history table are as follows:

  • Who: The user who performed the action. Actions performed by CanIt-PRO itself are marked with a user of *.

  • When: The date and time an action took place.

  • What: A description of the action.

  • CanIt Host: The host on which the action was performed. This column is likely of interest only to CanIt-PRO administrators.

  • Queue-ID: The Sendmail Queue-ID associated with the action. Again, this column is likely of interest only to CanIt-PRO administrators.

2.3.4 Spam Analysis Report

Finally, the spam analysis report is a list of spam-scanning rules which triggered, along with the weight assigned to each rule.

2.4 Viewing Other Messages

In addition to pending messages, you can view other messages in the trap by following these links:

One-Shot lets you see messages whose status is one-shot. (A one-shot message is a message that has been attempted only once by the sending relay. If a message remains in the "one-shot" state for more than a day or so, it is almost certainly spam.)

Pending shows messages whose status is pending.

Spam shows messages whose status is spam.

Non-Spam shows messages whose status is not-spam.

All shows all messages.

2.5 Viewing Specific Incidents

To view an incident given its incident ID, click on "Trap Contents" and then "Specific Incident". Type the incident ID and press Enter.

You can view another incident by typing its ID in the box and pressing Enter.

2.5.1 Annotating Messages

In the Incident ID display, you can set the disposition of an incident. You can also enter a message note in the Message Note box. For example, if you are unsure if a message is spam and wish to have it delivered to the recipient, you can add a note asking the recipient to call you if the message was spam. The message note you enter in the Message Note box will be appended to the message when it is delivered.

2.6 Advanced Queries

CanIt-PRO supports more complex queries on the spam trap. To open the Advanced Query page, click on "Trap Contents" and then "Advanced Query". The Advanced Query page appears:

Figure 2.4: Advanced Trap Query

To perform an advanced query:

  • Set the Status field to one of "Any", "One-Shot", "Pending", "Spam", or "Non-Spam", depending on how you want to restrict the query.
     
  • Enter text in the Subject field to restrict the display to messages whose subjects contain that text. You can choose from contains, is, or starts with to control how CanIt-PRO performs the search.
     
  • Enter text in the Sender field to restrict the display to messages whose senders contain that text. Once again, you can choose from contains, is, or starts with.
     
  • Enter text in the Recipient field to restrict the display to messages whose recipients contain that text. You have the same three choices of match type as for Sender.
     
  • Enter text in the Report field to restrict the display to messages whose spam reports contain that text. For example, you could enter "Custom rule" to match only messages that triggered a custom rule.
     
  • Enter text in the Hold Reason field to match by hold reason. For example, you could enter "HoldMIME" to find messages that were held because of MIME-type matching rules.
     
  • Enter minimum and/or maximum scores or Bayes percentages in the appropriate field to limit the search to incidents within the specified bounds.
     
  • Select appropriate dates in the Not Before and Not After fields to restrict the search to a date range.
     
  • Press Submit Query to run the query.

If you do not wish to restrict a query by a particular field, merely leave the corresponding entry box blank. Note that sender and recipient queries use the SMTP envelope sender and recipients, not the contents of the From: or To: e-mail headers. Also, sender and recipient queries may be slower than subject queries.
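To make the query semantics concrete, here is an added Python example (written for this guide, not CanIt-PRO's own query code) that applies the same fields to a handful of constructed incidents. A field left as `None` is a blank entry box and does not restrict the query; Subject, Sender and Recipient take a `(text, match_type)` pair using the three match types listed above; Report is a substring match and Hold Reason an exact match. The sample records carry both an envelope sender and a From: header so the last point above is visible: the query matches the envelope, and an incident whose From: header says `example.org` but whose envelope sender is elsewhere is not returned. Bayes-percentage bounds are omitted for brevity.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Incident:
    incident_id: int
    status: str            # "one-shot", "pending", "spam" or "non-spam"
    subject: str
    envelope_sender: str   # SMTP MAIL FROM: this is what the query matches on
    header_from: str       # the From: header, which the query ignores
    recipients: tuple      # SMTP RCPT TO addresses
    report: str            # spam analysis report text
    hold_reason: str
    score: float
    received: date


# Constructed sample incidents, not real trap data.
SAMPLE = [
    Incident(1, "pending", "Special offer", "bounce@bulk.example.net",
             "friend@example.org", ("you@example.com",),
             "Custom rule MY_RULE (3.5), HTML_MESSAGE (1.0)", "", 6.2, date(2004, 3, 1)),
    Incident(2, "spam", "Invoice attached", "billing@example.org",
             "billing@example.org", ("you@example.com", "boss@example.com"),
             "MIME_HTML_ONLY (1.0)", "HoldMIME", 2.1, date(2004, 3, 2)),
    Incident(3, "non-spam", "Re: meeting", "alice@example.org",
             "alice@example.org", ("you@example.com",),
             "", "", 0.3, date(2004, 3, 3)),
]

# The three match types offered for the Subject, Sender and Recipient fields.
MATCHERS = {
    "contains": lambda value, text: text.lower() in value.lower(),
    "is": lambda value, text: value.lower() == text.lower(),
    "starts with": lambda value, text: value.lower().startswith(text.lower()),
}


def _matches(value, criterion):
    """criterion is None (entry box left blank) or a (text, match_type) pair."""
    if criterion is None:
        return True
    text, match_type = criterion
    return MATCHERS[match_type](value, text)


def advanced_query(incidents, status="Any", subject=None, sender=None,
                   recipient=None, report=None, hold_reason=None,
                   min_score=None, max_score=None,
                   not_before=None, not_after=None):
    """Return the IDs of incidents that satisfy every non-blank field."""
    hits = []
    for inc in incidents:
        if status != "Any" and inc.status != status.lower():
            continue
        if not _matches(inc.subject, subject):
            continue
        # Sender and recipient use the SMTP envelope, never the From:/To: headers.
        if not _matches(inc.envelope_sender, sender):
            continue
        if recipient is not None and not any(_matches(r, recipient) for r in inc.recipients):
            continue
        if report and report.lower() not in inc.report.lower():
            continue
        if hold_reason and inc.hold_reason.lower() != hold_reason.lower():
            continue
        if min_score is not None and inc.score < min_score:
            continue
        if max_score is not None and inc.score > max_score:
            continue
        if not_before is not None and inc.received < not_before:
            continue
        if not_after is not None and inc.received > not_after:
            continue
        hits.append(inc.incident_id)
    return hits


if __name__ == "__main__":
    print("Custom rule hits:", advanced_query(SAMPLE, report="Custom rule"))
    print("Envelope sender in example.org:", advanced_query(SAMPLE, sender=("example.org", "contains")))
```

Running it shows incident 1 matching the "Custom rule" report query but not the `example.org` sender query, even though its From: header names that domain.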

2.8 WHOIS Queries

Clicking on the "W" or a host name in the Message Summary Display or Incident Details pages fires off a WHOIS query. These queries may help you discover who is responsible for spam relays, and may let you direct complaints appropriately.

Figure 2.5 illustrates a WHOIS query:

Figure 2.5: Whois Query

CanIt-PRO can handle WHOIS queries on domain names and IP addresses. In most cases, it can figure out the correct WHOIS server to use, and can handle referrals for the .com, .net and .org domains. However, you may have to help it out sometimes by supplying a WHOIS server name and clicking Do Whois Lookup.

CanIt-PRO performs simple-minded parsing of the WHOIS output:

  • Any string beginning with http:// is converted into a hyperlink.
     
  • Any string with an @ sign is converted to a mailto: hyperlink. You should be able to click on e-mail addresses to fire up your mail client.
     
  • Any string in parentheses is assumed to be a "NIC Handle". Click on it to perform a WHOIS search on the handle. In the example, we see that NETBLK-CAIS-CIDR7 and CAIS-NOCARIN are correctly identified as NIC handles. Unfortunately, the (703) area code is incorrectly identified; you'll have to use your judgment.
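The three rules above are simple enough to write down, and doing so makes the "(703)" mistake obvious. The Python below is an added example, not CanIt-PRO's parser: it runs the three rules over a constructed WHOIS record (the organisation, handles, phone number and addresses are invented), reports what each rule would turn into a link, and goes one step beyond the guide with a `strict` mode that only accepts parenthesised strings shaped like a NIC handle (starting with a letter, alphanumerics and dashes), which leaves the area code alone. The `?whois=` link target used when rendering a handle is an assumed form, not CanIt-PRO's real URL; the rendering escapes everything first, since WHOIS output is untrusted text being placed into a web page.

```python
import re
from html import escape

# Constructed WHOIS output in the style of an IP-address lookup. Invented data.
WHOIS_SAMPLE = """\
OrgName:        Example Networks LLC
NetRange:       192.0.2.0 - 192.0.2.255
NetHandle:      NET-EXAMPLE-1 (NET-EXAMPLE-1)
Parent:         NET-192-0-0-0-0 (NET-192-0-0-0-0)
OrgAbuseName:   Abuse Desk (EXAMPLE-ARIN)
OrgAbusePhone:  (703) 555-0100
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
Comment:        Report abuse at http://www.example.net/abuse
"""

# One pass over the text with the three rules the guide lists:
# strings beginning with http://, strings containing @, and parenthesised strings.
_TOKEN = re.compile(
    r"(?P<link>http://\S+)"
    r"|(?P<mailto>[^\s<>()]+@[^\s<>()]+)"
    r"|\((?P<handle>[^()]+)\)"
)

# Strict mode: a NIC handle starts with a letter and is alphanumeric with dashes,
# so a bare number in parentheses (a telephone area code) does not qualify.
_HANDLE_SHAPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def _tokens(text, strict):
    """Yield (match, kind, value) for each string one of the rules would link."""
    for m in _TOKEN.finditer(text):
        kind = m.lastgroup
        value = m.group(kind)
        if kind == "handle" and strict and not _HANDLE_SHAPE.fullmatch(value):
            continue  # strict mode rejects things like "(703)"
        yield m, kind, value


def classify(text, strict=False):
    """List the (kind, value) pairs that would become hyperlinks."""
    return [(kind, value) for _, kind, value in _tokens(text, strict)]


def harvest_addresses(text):
    """Unique e-mail addresses found by the mailto rule, in sorted order."""
    return sorted({value for kind, value in classify(text) if kind == "mailto"})


def to_html(text, strict=False):
    """Render the WHOIS text as escaped HTML with the recognised strings linked."""
    out, pos = [], 0
    for m, kind, value in _tokens(text, strict):
        out.append(escape(text[pos:m.start()]))
        shown = escape(value)
        target = escape(value, quote=True)
        if kind == "link":
            out.append(f'<a href="{target}">{shown}</a>')
        elif kind == "mailto":
            out.append(f'<a href="mailto:{target}">{shown}</a>')
        else:  # assumed link form for a follow-up WHOIS search on a handle
            out.append(f'(<a href="?whois={target}">{shown}</a>)')
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    for kind, value in classify(WHOIS_SAMPLE):
        print(f"{kind:7} {value}")
    print("strict handles:", [v for k, v in classify(WHOIS_SAMPLE, strict=True) if k == "handle"])
    print("addresses:", harvest_addresses(WHOIS_SAMPLE))
```

In the default mode `classify` reports `703` as a handle exactly as the guide warns; in strict mode the area code is left as plain text while `NET-EXAMPLE-1`, `NET-192-0-0-0-0` and `EXAMPLE-ARIN` are still linked.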

2.8.1 Sending Abuse Complaints

If you opened a WHOIS search based on the IP address of an SMTP relay, there may be a link at the bottom of the WHOIS page which reads "Send abuse complaint". This link is present only if:

  • You clicked on the IP address of an SMTP relay.
     
  • The IP address you clicked on is part of a CanIt-PRO incident.

If you click on the "Send Abuse Complaint" button, the Spam Complaint page appears:

Figure 2.6: Spam Complaint

CanIt-PRO harvests e-mail addresses from the WHOIS query and fills them in. It also composes an abuse complaint which includes all the information required to process the complaint, and includes the first 8kB of the spam message.

To send an abuse message follow these steps:

  1. Edit the To: fields appropriately. CanIt-PRO may harvest inappropriate e-mail addresses; please verify that they are the correct addresses for abuse complaints. You can add multiple addresses in a single To: field by separating them with commas.
     
  2. Enable the "Send" checkbox beside each To: address you want to complain to.
     
  3. Edit the complaint text, if you wish.
     
  4. Click "Send Complaint" to e-mail the spam complaint.
