
This website is no longer maintained. Its content may be obsolete. Please visit http://home.cern/ for current CERN information.


Unsolicited Electronic Mail

  Judy Richards IT/DIS


Since November last year we have been actively trying to reduce the amount of unsolicited electronic mail, commonly known as SPAM mail, that arrives in CERN mailboxes. Unfortunately this is not an easy job since the spammers are constantly finding new ways of breaking our defences! Gone are the days when you could block spam mail with a simple filter on the `From:' address of a sender. Today spammers are "forging" addresses in the headers and envelopes of mail in such a way that it is difficult to distinguish between legitimate mail and spams.

An additional problem, which does not directly affect most CERN users but does use CERN resources and affects the reputation of CERN, is caused by spammers who try to make mail look as if it comes from a CERN machine. They either try to route the mail via a CERN machine or simply forge the mail headers to a CERN address so it will have less chance of being blocked by the recipient's anti-spam defences.

Although some anti-spam measures can be automated, for most of them someone has to look at the system logs and spam reports from users and make a human judgement as to what should be blocked. This of course takes time, so there is a limit to what we can do. In addition it is difficult to measure how effective our anti-spam measures are. We know how much mail we are rejecting at the CERN gateways, but each rejected message could have been "fanned out" to multiple recipients at CERN, and it is prohibitively resource-consuming to find out how many. And of course we have no way to measure how much gets through the filters into your personal mailboxes.

Since it is difficult to distinguish between spam mail and genuine mail, "innocent" people may occasionally be affected by our anti-spam measures. These are summarized below so that you are aware of what we are doing.

Banned domains
Mail from all userids in these domains is banned. A domain is added to this list when we have seen spams from multiple users of this domain. This ban of course also affects "innocent" users of the domain.
Banned IP addresses
Filtering is done on the physical IP address. This catches spammers who forge or keep changing the name of their machine.
Banned senders
This list is useful only against the most amateur of spammers since most now use a different `From:' address for every spam.
A list of domains for which mail is accepted only if the sender and relay nodes are in the same domain
In this list we find some of the larger Internet providers whose addresses are often forged by spammers. This filter can however affect some "innocent" users. For example, if a user with the address `user1@aol.com' sends mail to `user2@in2p3.fr' and `user2' has an automatic forward to `user2@cern.ch', the mail will be rejected since the `From:' address is `aol.com', but the relay address is `in2p3.fr'. Automatic forwarding from within CERN is not affected.
Attempts to use CERN as a relay are rejected
Any mail for which neither the sender address nor the recipient address is registered in the CERN name servers is rejected. This can affect two groups of CERN users:
  1. If you are at home or travelling you will not be able to send mail to someone outside CERN using a CERN machine as your SMTP server. The standard CERN configurations for mail clients set the SMTP server to `smtp.cern.ch'. If you are outside CERN you must change this to the SMTP server of your Internet provider or the lab where you are physically.
  2. If you try to send mail from a machine that is not correctly registered in the CERN central name servers it will be rejected.
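
The five rules above can be sketched as one decision function. This is an added illustration, not CERN's gateway software. The list contents, the host names other than the domains quoted in the article, the rule order, and the use of a `cern.ch` suffix check in place of a lookup in the CERN name servers are all assumptions.

```python
# Added illustration, not CERN's gateway code. List contents are constructed.
BANNED_DOMAINS = {"bulkmail.example"}
BANNED_IPS = {"192.0.2.45"}
BANNED_SENDERS = {"offers@promo.example"}
SAME_DOMAIN_ONLY = {"aol.com"}   # From: domain and relay host must match
LOCAL_DOMAIN = "cern.ch"         # assumption: stands in for a CERN name-server lookup


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def addr_domain(address):
    """Domain part of a mail address."""
    return address.rsplit("@", 1)[-1].lower()


def check(sender, recipient, relay_host, relay_ip):
    """Return (accepted, reason); the rule order is an assumption."""
    sdom = addr_domain(sender)
    if relay_ip in BANNED_IPS:
        return False, "banned IP address"
    if any(in_domain(sdom, d) for d in BANNED_DOMAINS):
        return False, "banned domain"
    if sender.lower() in BANNED_SENDERS:
        return False, "banned sender"
    if any(in_domain(sdom, d) and not in_domain(relay_host, d)
           for d in SAME_DOMAIN_ONLY):
        return False, "sender/relay domain mismatch"
    # Relay rule: the connecting machine or the recipient must be at CERN.
    if not (in_domain(relay_host, LOCAL_DOMAIN)
            or in_domain(addr_domain(recipient), LOCAL_DOMAIN)):
        return False, "relay attempt"
    return True, "accepted"


# Constructed sample messages: (sender, recipient, relay host, relay IP).
SAMPLES = [
    ("user1@aol.com", "user2@cern.ch", "mailhost.aol.com", "198.51.100.7"),
    ("user1@aol.com", "user2@cern.ch", "mail.in2p3.fr", "198.51.100.8"),  # forwarded
    ("someone@cern.ch", "friend@univ.example", "dialup7.isp.example", "203.0.113.9"),
    ("someone@cern.ch", "friend@univ.example", "pcdesk01.cern.ch", "203.0.113.10"),
    ("x9@bulkmail.example", "user2@cern.ch", "mx.bulkmail.example", "203.0.113.11"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[0], "->", msg[1], "via", msg[2], ":", check(*msg)[1])
```

The second sample is the forwarding case from the article: the message is legitimate, but it is rejected because the relay is in `in2p3.fr` while the `From:' address is in `aol.com'.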

A list of the domains that are currently banned can be found at URL:

http://consult.cern.ch/service/mail/problems/SpamDomains

This list is updated once per day and today contains only the "banned domains". When the next version of the software is introduced it will also contain addresses falling into the other categories.




Cnl.Editor@cern.ch