CanIt SPAM Trap
The CanIt-PRO SPAM Trap is a quarantine area in which CanIt-PRO holds messages that it thinks might be SPAM. To view pending messages in the SPAM trap, click on the "Trap Contents" link. The pending messages screen will appear.
- Message Summary Display
- Sort Order
- Message Body Display
- Summary of Links
- Message Disposition
- Quick SPAM Disposal
- Incident Details
- Viewing Other Messages
- Viewing Specific Incidents
- Annotating Messages
- Advanced Queries
- Frozen Incidents
- WHOIS Queries
- Sending Abuse Complaints
Message Summary Display
The fields in the display have the following meanings:
- Date: Is the date and time the message was first received.
- Subject: Is the message subject.
- Sender: Is the envelope sender (the MAIL FROM address) as specified in the SMTP dialog. Be aware that SPAMmers can easily fake the sender address.
- Relay: Is the SMTP relay Host which transmitted the message. This is somewhat harder to fake than the sender address. Note that sometimes a message can be sent from more than one SMTP relay Host. If that is the case, you need to look up the incident details (described later) to get a list of all the relay Hosts.
- Score: Is the SPAM score assigned by the SPAM-scanning rules. The higher the score, the more "SPAMlike" the message appears. Any message scoring 5 or higher is held in the pending trap. A message may be held even if it scores lower than 5. If this is the case, a "Hold Reason" will appear below the score.
Possible hold reasons are:
- HoldRelay: You have asked CanIt-PRO to always hold messages from the sending relay.
- HoldSender: You have asked CanIt-PRO to always hold messages from the sender.
- HoldDomain: You have asked CanIt-PRO to always hold messages from the sender's Domain.
- HoldRBL: The sending Host is in a real-time BlackList, and you have asked CanIt-PRO to hold mail from Hosts in the BlackList.
- HoldVirus: A virus was detected in the message, and you have asked CanIt-PRO to hold messages containing viruses.
- HoldEXE: Potentially executable content was detected in the message, and you have asked CanIt-PRO to hold such messages.
- HoldMIME: The message was held because of a MIME type rule.
- HoldEXT: The message was held because of a filename extension rule.
- Status and Action: Shows the current status of the message, and lets you determine the fate of pending messages. This will be described more fully below.
Sort Order
Normally, CanIt-PRO sorts messages in order of date received, with most recent messages first. You can click on the arrow near the "Score" column (for example) to sort by score. Click on the little up-arrow in a column to sort by that column in ascending order. Click on the down-arrow to sort in descending order. CanIt-PRO colors the little arrow corresponding to the current sort order red. You can change the default sort order on your preferences page, described in the Preferences Guide Page.
Message Body Display
To view the body of a particular message, click on the message subject. The first 8kb of the message body will be displayed.
Summary of Links
The Message Summary Display contains many hyperlinks. These links are as follows:
- Click on the Date to display incident details.
- Click on the Subject to display the first 8kb of the message body. Note that some SPAMmers try to hide messages by encoding them using Base64 encoding (a special encoding for transmitting binary data.) Click on "Base64-Decoded Message" at the top of the message display to decode the message. You can also click on "Strip HTML Tags" to more easily read the text of HTML messages.
- The Sender entry is split over two lines. Click on the first line (user@) to open the Sender Action page (WhiteLists, BlackLists, and Rules Guide). Click on the second line (Domain.com) to open the Domain Action page (WhiteLists, BlackLists, and Rules Guide). Finally, click on the "W" to perform a WHOIS query on the Domain (Explained more fully below).
- The Relay entry is split over two lines. Click on the first line (the relay's IP address) to open the Host Action page (WhiteLists, BlackLists, and Rules Guide). Click on the second line (the relay's Host name, if resolvable) to open a WHOIS query on the relay's IP address.
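The three body views described above (the body as transmitted, "Base64-Decoded Message", and "Strip HTML Tags") and the 8kb limit can be reproduced with Python's standard library. This is an added example, not CanIt-PRO's code: the sample message is constructed, and the 8192-byte limit and the preference for the HTML part of a multipart message are assumptions.

```python
import base64
import email
import html
import re
from email import policy

PREVIEW_LIMIT = 8 * 1024  # assumption: the trap's "first 8kb" means 8192 bytes

# Constructed sample message (not a captured one): an HTML body sent as a
# single base64-encoded part, which hides the text from a raw view.
SAMPLE_HTML = ("<html><body><p>Buy <b>now</b> &amp; save!</p>"
               "<script>document.title='x'</script></body></html>")
SAMPLE_B64 = base64.b64encode(SAMPLE_HTML.encode()).decode()
SAMPLE_MESSAGE = (
    "From: promo@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: special offer\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    f"{SAMPLE_B64}\r\n"
)


def _truncate(text: str, limit: int) -> str:
    """Cut at `limit` bytes (not characters) and tolerate a split UTF-8 sequence."""
    return text.encode("utf-8")[:limit].decode("utf-8", errors="replace")


def raw_preview(raw: str, limit: int = PREVIEW_LIMIT) -> str:
    """The plain body view: everything after the header block, as transmitted
    (for the sample this is still base64 text, which is the spammer's point)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else ""
    return _truncate(body, limit)


def decoded_preview(raw: str, limit: int = PREVIEW_LIMIT) -> str:
    """The 'Base64-Decoded Message' view: transfer encoding undone, charset applied.
    Assumption: prefer the HTML part, then text/plain, for multipart messages."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain")) or msg
    return _truncate(part.get_content(), limit)


def strip_html_tags(text: str) -> str:
    """The 'Strip HTML Tags' view: drop script/style blocks, then all tags,
    then decode entities. This makes the text readable; it is NOT a sanitizer,
    and the result must still be escaped before being placed in a web page."""
    text = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", text)
    text = re.sub(r"(?s)<[^>]+>", " ", text)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip()


if __name__ == "__main__":
    print(raw_preview(SAMPLE_MESSAGE))
    print(decoded_preview(SAMPLE_MESSAGE))
    print(strip_html_tags(decoded_preview(SAMPLE_MESSAGE)))
```

The decoded body is attacker-controlled, so a trap UI that shows it must render it as text: the tag stripper only helps a human read the message, it does not make the markup safe to display.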
Message Disposition
In the message summary display, any one-shot or pending message has an entry box for controlling the disposition of the message. The possible values for the action are:
- Do Nothing - leave the status of the message as one-shot or pending for now.
- Accept Message - mark the message as not-SPAM so it will be accepted the next time it is received.
- Reject Message - mark the message as SPAM so it will be rejected.
- Blacklist Host - mark the message as SPAM and in addition, ban connections from the SMTP relay Host (or Hosts) which transmitted the message.
- Whitelist Host - mark the message as not-SPAM and in addition, do not hold any messages from the SMTP relay Host (or Hosts).
- Blacklist sender - mark the message as SPAM and automatically reject any future messages from the sender.
- Whitelist sender - mark the message as not-SPAM and automatically accept any future messages from the sender.
- Blacklist Domain - mark the message as SPAM and automatically reject any future messages from the Domain. (The Domain is everything after the @ in the sender's address.)
- Whitelist Domain - mark the message as not-SPAM and automatically accept any future messages from the Domain.
- Silently discard - silently discard the message. Neither the sender nor the recipient will receive notification that the message was lost. Do not use this option lightly; it is considered a serious breach of Internet etiquette to silently discard E-mail.
- Quarantine - silently discard the message, but also keep a copy in the quarantine directory. This could be useful if you need a copy of the message for forensic reasons.
- Reject and Quarantine - quarantine the message and return an SMTP failure code, forcing the message to be rejected. This could be useful if you need a copy of the message for forensic reasons, but still want the sender to receive a failure notification.
To set message dispositions, set the action boxes appropriately and then click on Submit Changes. A summary of the actions will appear. Note that if you set the "Method for choosing SPAM-trap actions" preference to "Checkbox" (Preferences Guide), then instead of a drop-down list, you get a series of buttons.
Checkbox Options:
- Select the red "X" to reject a message.
- Select the green check mark to accept a message.
- Select the black question-mark to take no action.
Quick SPAM Disposal
If your browser is JavaScript-enabled, then a line of buttons appears after the word "All" near the top of the display. This lets you set all the action boxes on the page with one click:
- Select the question-mark to set all action boxes to Do Nothing.
- Select the red "X" to set all action boxes to Reject message.
- Select the green check mark to set all action boxes to Accept message.
Incident Details
To view the details about a pending-message incident, click on the date of the particular message. The incident page appears. The Incident page contains the following information:
- Incident ID: Is an integer assigned to each incident. This ID is sent in the SMTP failure messages so you can trace down a SPAM incident.
- Date: Is the date the message was first received.
- Subject: Is the message subject. Click on the subject to see the message body.
- Score: Is the SPAM-scanning score.
- Status and Action: Is the incident status. It is one of the following:
- New incident; only one transmission so far.
- This incident is still open.
- Message was not SPAM.
- Message was SPAM.
- Bayes Training: Tells you how the incident was trained in the Bayes database, and gives you an option to change the training. Note that this line will not appear if the Bayes signature has expired from the database (CanIt-PRO retains Bayes training information for only a short time, typically three days.)
- Freeze Status: Tells you whether or not the incident is frozen. See below for more details.
- Resolution: Is the action that was taken to dispose of the incident. If the incident is still pending, you will have an opportunity to dispose of it here.
- Resolved By: Is the user who resolved the incident. The special system-user SPAM is used for unresolved incidents, expired one-shot messages and automatically-rejected messages.
The Host information table has a row for each relay Host which attempted to deliver the message. The table contains the time the Host first attempted delivery, the envelope sender, the relay Host IP address and Host name, and the number of delivery attempts from that Host. Click on the relay IP to open the Host Action page for that relay, or on the relay name to perform a WHOIS query.
The recipients table lists all of the recipients of the message.
The history table is a log of actions taken for this incident. This logs when the incident was opened, and when it was closed (and who closed it.)
Finally, the SPAM analysis report is a list of SPAM-scanning rules which triggered, along with the weight assigned to each rule.
Viewing Other Messages
In addition to pending messages, you can view other messages in the trap by following these links:
- One-Shot: Lets you see messages whose status is one-shot.
- Pending: Shows messages whose status is pending.
- SPAM: Shows messages whose status is SPAM.
- Non-SPAM: Shows messages whose status is not-SPAM.
- All: Shows all messages.
Viewing Specific Incidents
To view an incident given its incident ID, click on "Trap Contents" and then "Specific Incident". Type the incident ID and press Enter. You can view another incident by typing its ID in the box and pressing Enter.
Annotating Messages
In the Incident ID display, you can set the disposition of an incident. You can also enter a message note in the Message Note box. For example, if you are unsure if a message is SPAM and wish to have it delivered to the recipient, you can add a note asking the recipient to call you if the message was SPAM. The message note you enter in the Message Note box will be appended to the message when it is delivered.
Advanced Queries
CanIt-PRO supports more complex queries on the SPAM trap. To open the Advanced Query page, click on "Trap Contents" and then "Advanced Query". The Advanced Query page appears. To perform an advanced query:
- Set the Status field to one of "Any", "One-Shot", "Pending", "SPAM", or "Non-SPAM", depending on how you want to restrict the query.
- Enter text in the Subject field to restrict the display to messages whose subjects contain that text.
- Enter text in the Sender field to restrict the display to messages whose senders contain that text.
- Enter text in the Recipient field to restrict the display to messages whose recipients contain that text. Note that for Subject, Sender and Recipient, you can choose one of "is", "starts with" or "contains" to choose how CanIt-PRO interprets the search query.
- Enter text in the Report field to restrict the display to messages whose SPAM reports contain that text. For example, you could enter "Custom rule" to match only messages that triggered a custom rule.
- Enter text in the Hold Reason field to match by hold reason. For example, you could enter "HoldMIME" to find messages that were held because of MIME-type matching rules.
- Enter minimum and/or maximum scores or Bayes percentages in the appropriate field to limit the search to incidents within the specified bounds.
- Press Submit Query to run the query.
If you do not wish to restrict a query by a particular field, merely leave the corresponding entry box blank. Note that sender and recipient queries use the SMTP envelope sender and recipients, not the contents of the From: or To: E-mail headers. Also, sender and recipient queries may be slower than subject queries.
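The query semantics above (blank fields do not restrict, the "is" / "starts with" / "contains" operators, and sender and recipient matching on the SMTP envelope rather than the From: or To: headers) can be made concrete with a small in-memory query over trap records. This is an added example, not CanIt-PRO's query code; the records are constructed, and case-insensitive matching is an assumption.

```python
from dataclasses import dataclass


@dataclass
class IncidentRecord:
    incident_id: int
    status: str             # "One-Shot", "Pending", "SPAM" or "Non-SPAM"
    subject: str
    envelope_sender: str    # MAIL FROM in the SMTP dialog: what the Sender field searches
    recipients: list        # RCPT TO addresses: what the Recipient field searches
    header_from: str        # the From: header; NOT consulted by the query
    report: str             # SPAM analysis report text
    hold_reason: str        # e.g. "HoldEXE", or "" if held on score alone
    score: float
    bayes: float            # Bayes percentage, 0-100


# Constructed records for illustration, not real trap contents. Incident 1002's
# From: header claims an internal address while its envelope sender does not.
INCIDENTS = [
    IncidentRecord(1001, "Pending", "Invoice attached", "billing@vendor.example",
                   ["ap@corp.example"], "billing@vendor.example",
                   "MIME_EXE 5.0, HTML_MESSAGE 0.1", "HoldEXE", 3.2, 71.0),
    IncidentRecord(1002, "Pending", "Re: your account", "bounce-77@bulk.example",
                   ["ceo@corp.example", "cfo@corp.example"], "ceo@corp.example",
                   "Custom rule: exec-spoof 4.0, BAYES_80 2.0", "", 6.0, 88.0),
    IncidentRecord(1003, "Non-SPAM", "Lunch?", "alice@corp.example",
                   ["bob@corp.example"], "alice@corp.example", "", "", 0.4, 2.0),
]


def _text_match(op: str, needle: str, haystack: str) -> bool:
    """The three operators offered for Subject, Sender and Recipient.
    Assumption: matching is case-insensitive."""
    a, b = needle.lower(), haystack.lower()
    if op == "is":
        return a == b
    if op == "starts with":
        return b.startswith(a)
    if op == "contains":
        return a in b
    raise ValueError(f"unknown operator {op!r}")


def advanced_query(incidents, status="Any",
                   subject=("contains", ""), sender=("contains", ""),
                   recipient=("contains", ""), report="", hold_reason="",
                   min_score=None, max_score=None,
                   min_bayes=None, max_bayes=None):
    """Return matching incident IDs. A blank text field or a None bound
    leaves that field unrestricted, as on the Advanced Query page."""
    matches = []
    for inc in incidents:
        if status != "Any" and inc.status != status:
            continue
        op, text = subject
        if text and not _text_match(op, text, inc.subject):
            continue
        op, text = sender
        if text and not _text_match(op, text, inc.envelope_sender):
            continue
        op, text = recipient
        if text and not any(_text_match(op, text, r) for r in inc.recipients):
            continue
        if report and report.lower() not in inc.report.lower():
            continue
        if hold_reason and hold_reason.lower() not in inc.hold_reason.lower():
            continue
        if min_score is not None and inc.score < min_score:
            continue
        if max_score is not None and inc.score > max_score:
            continue
        if min_bayes is not None and inc.bayes < min_bayes:
            continue
        if max_bayes is not None and inc.bayes > max_bayes:
            continue
        matches.append(inc.incident_id)
    return matches
```

The practical consequence of the envelope rule: searching the Sender field for the address a phishing message displays in its From: header (here "ceo@corp.example") finds nothing, because the envelope sender was a bulk-mailer bounce address. Search on the envelope address, or on the Subject, to find such messages.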
Frozen Incidents
When an incident is first created as a one-shot or pending incident, you can change the disposition of the incident. (For example, you can accept it, mark it as SPAM, WhiteList the sender, etc.) Some time after you dispose of an incident, it becomes frozen. A frozen incident is one whose disposition cannot be changed, because the message has already been handled by CanIt-PRO. The rules for freezing an incident are as follows:
- If the message was stored locally, then it is frozen as soon as you either accept or reject the message. No further changes are possible.
- If the message was kept on the sending relay using temporary-failure codes, then the incident is frozen on the first retransmission after you have marked the message for acceptance or rejection. Thus, there is a small (and unpredictable) window after you mark the message, but before it is retransmitted, during which you can change your mind.
Sometimes, it is desirable to "thaw" an incident. If you mistakenly rejected a message and would like the sender to re-send it, you must first mark the message as acceptable before asking the sender to re-send it. Otherwise, if it comes in again, CanIt-PRO will automatically reject it (because it has been marked as SPAM.)
To thaw an incident, open the incident page and click on "Click to Thaw". This will un-freeze the incident and let you change its disposition. Note: Thawing an incident won't automatically cause the message to be delivered if it was originally rejected in error. You'll have to make arrangements with the sender to send another copy.
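The freeze rules above amount to a small state machine, and the "change your mind" window for relay-held messages is easiest to see by stepping through it. The model below is an added illustration of the documented behaviour, not CanIt-PRO's own code; the SMTP reply texts are assumed wording, and a call to retransmit() stands for either the relay's automatic retry or a fresh copy from the sender.

```python
class TrapIncident:
    """Model of the freeze/thaw rules for a one-shot or pending incident."""

    def __init__(self, incident_id: int, stored_locally: bool):
        self.incident_id = incident_id
        # False: the message stays on the sending relay and CanIt-PRO answers
        # each delivery attempt with a temporary-failure code until disposed of.
        self.stored_locally = stored_locally
        self.disposition = "pending"   # "pending", "accept" or "reject"
        self.frozen = False
        self.history = []

    def set_disposition(self, wanted: str) -> bool:
        """Operator action in the trap. Returns False when the incident is frozen."""
        if self.frozen:
            self.history.append(f"refused '{wanted}': incident frozen")
            return False
        self.disposition = wanted
        self.history.append(f"marked {wanted}")
        if self.stored_locally and wanted in ("accept", "reject"):
            # The stored copy is delivered or discarded immediately: frozen at once.
            self.frozen = True
        return True

    def retransmit(self) -> str:
        """The sending relay retries (or the sender sends a fresh copy).
        Returns the SMTP reply; the wording is assumed, not CanIt-PRO's."""
        if self.disposition == "pending":
            reply = "451 4.7.1 message held, try again later"
        elif self.disposition == "accept":
            reply = "250 2.0.0 accepted"
        else:
            # The failure reply carries the incident ID (see Incident Details).
            reply = f"550 5.7.1 rejected as SPAM (incident {self.incident_id})"
        if self.disposition != "pending":
            # First retransmission after marking: the message has now been
            # handled, so the incident freezes and the window closes.
            self.frozen = True
        self.history.append(f"retransmit -> {reply}")
        return reply

    def thaw(self) -> None:
        """'Click to Thaw': allow the disposition to be changed again."""
        self.frozen = False
        self.history.append("thawed")
```

Walking a mistaken rejection through the model: mark reject, let the relay retry (550, now frozen), and a second copy is still rejected; set_disposition("accept") is refused until thaw() is called, after which the next copy the sender transmits is accepted. Thawing alone delivers nothing, exactly as the note above says.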
WHOIS Queries
Clicking on the "W" or a Host name in the Message Summary Display or Incident Details pages fires off a WHOIS query. These queries may help you discover who is responsible for SPAM relays, and may let you direct complaints appropriately.
CanIt-PRO can handle WHOIS queries on Domain names and IP addresses. In most cases, it can figure out the correct WHOIS server to use, and can handle referrals for the .com, .net and .org Domains. However, you may have to help it out sometimes by supplying a WHOIS server name and clicking Do WHOIS Lookup. CanIt-PRO performs simple-minded parsing of the WHOIS output:
- Any string beginning with http:// is converted into a hyperlink.
- Any string with an @ sign is converted to a mailto: hyperlink. You should be able to click on E-mail addresses to fire up your mail client.
- Any string in parentheses is assumed to be a "NIC Handle". Click on it to perform a WHOIS search on the handle.
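The three rewrites above, and the address harvesting that feeds the abuse-complaint page described below, can be implemented in a few lines. The point a practitioner should not miss is that WHOIS output is untrusted text supplied by whoever registered the netblock or domain, so every byte must be HTML-escaped before the hyperlinks are added, or a hostile record becomes script injection in the operator's browser. This is an added example, not CanIt-PRO's parser; the WHOIS record is constructed, and the handle-lookup URL and the ordering that puts abuse@ addresses first are assumptions.

```python
import html
import re

# Constructed WHOIS output for illustration (192.0.2.0/24 is a documentation
# range), not a real registry record. The last line stands in for hostile
# content a registrant could plant in a free-text field.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting
OrgAbuseHandle: (ABUSE123-EXMPL)
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
Comment:        Report abuse at http://hosting.example/abuse
Comment:        <script>alert(document.cookie)</script>
"""

EMAIL_PATTERN = r"[\w.+-]+@[\w.-]+\.\w+"
TOKEN_RE = re.compile(
    r"(?P<url>http://\S+)"                  # rule 1: any string beginning with http://
    r"|(?P<email>" + EMAIL_PATTERN + r")"   # rule 2: any string with an @ sign
    r"|\((?P<handle>[A-Z0-9-]+)\)"          # rule 3: a parenthesised NIC handle
)


def linkify_whois(text: str, whois_url: str = "/whois?handle=") -> str:
    """Apply the three rewrites in a single pass over the raw text. Text between
    tokens and the tokens themselves are escaped separately, so no unescaped
    WHOIS byte ever reaches the output. `whois_url` is an assumed internal path."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        tok = html.escape(m.group(0))
        if m.group("url"):
            out.append(f'<a href="{tok}">{tok}</a>')
        elif m.group("email"):
            out.append(f'<a href="mailto:{tok}">{tok}</a>')
        else:
            handle = html.escape(m.group("handle"))
            out.append(f'(<a href="{whois_url}{handle}">{handle}</a>)')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def harvest_contacts(text: str) -> list:
    """Addresses the complaint page would prefill: deduplicated, abuse@ first.
    Assumption: role accounts beginning with abuse@ are the likeliest to be
    right; every address still needs a human check before anything is sent."""
    seen = []
    for addr in re.findall(EMAIL_PATTERN, text):
        addr = addr.lower()
        if addr not in seen:
            seen.append(addr)
    return sorted(seen, key=lambda a: not a.startswith("abuse@"))
```

Only http:// strings become links, so a record containing a javascript: or data: URL is shown as plain text; and because the whole line is escaped before tokenising, the planted script tag renders as literal text rather than executing.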
Sending Abuse Complaints
If you opened a WHOIS search based on the IP address of an SMTP relay, there may be a link at the bottom of the WHOIS page which reads "Send abuse complaint". This link is present only if:
- You clicked on the IP address of an SMTP relay.
- The IP address you clicked on is part of a CanIt-PRO incident.
If you click on the "Send Abuse Complaint" button, the SPAM Complaint page appears.
CanIt-PRO harvests E-mail addresses from the WHOIS query and fills them in. It also composes an abuse complaint which includes all the information required to process the complaint, and includes the first 8kb of the SPAM message. To send an abuse complaint, follow these steps:
- Edit the To: fields appropriately. CanIt-PRO may harvest inappropriate E-mail addresses; please verify that they are the correct addresses for abuse complaints. You can add multiple addresses in a single To: field by separating them with commas.
- Enable the "Send" checkbox beside each To: address you want to complain to.
- Edit the complaint text, if you wish.
