Inbound Spam Tagging
Although Msen has a strict policy
against Msen customers sending unsolicited email (spam), not all
other Internet Service Providers do.
Msen attempts to filter and slow the flow of spam coming to our
customers from outside machines. This is difficult because many of the
offenders move accounts constantly, which defeats pre-emptive
filtering. As the Internet community gets more and more fed up with
unsolicited email, more options are being produced to filter mail.
Since August of 2000, Msen has added a header line
to email when we suspect that a piece of email may be spam. In
January 2002, we expanded this processing.
This is an automated system using two different styles:
Source internet address is a known spam source (aka open relay):
This detection uses the internet addresses found in the headers or envelope of the email message and merely adds a new
header line to the message. Examples of the line added are:
SpamCop is a database of IP addresses that
have been reported by victims of spam. The time a listing is in the database depends
on how many complaints have been made against that IP address.
The source IP address is listed in SpamCop:
X-Spam-Suspected-by-Msen-because-of-Envelope: 550.Mail.from.61.159.235.36.rejected.because.of.61.159.235.36;see.http://www.spamcop.net/bl.shtml?.61.159.235.36
The mail was relayed through an IP address listed in SpamCop:
X-Spam-Suspected-by-Msen-because-of-Header: Received_parse_received:550.Mail.from.200.75.48.36.rejected.because.of.66.142.181.158;see.http://www.spamcop.net/bl.shtml?.66.142.181.158
The Open Relay Database is a listing of
known IP addresses that will forward mail from the spammer to the victim. These
are usually misconfigured machines.
The source IP address is listed in Open Relay Database:
X-Spam-Suspected-by-Msen-because-of-Envelope: 550.Mail.from.200.75.48.36.rejected.because.of.200.75.48.36;see.http://www.ordb.org/lookup/?host=.200.75.48.36
The Spamhaus AntiSpam Database is a
combined listing of known Spam kings and the addresses they control with a
database of machines that have been compromised by viruses or are running proxy services that
can be abused.
The source IP address is listed in Spamhaus AntiSpam Database:
X-Spam-Suspected-by-Msen-because-of-Envelope: Mail.from.24.173.216.42.rejected.because.of.24.173.216.42.in.sbl-xbl.spamhaus.org
These detection services do provide "false positives". Therefore, instead of throwing out the email,
Msen has chosen to only tag the message, and leave it up to the user to throw out the email based on the
recommendation. In the past, one known false positive was Amazon.com's purchase receipts.
That example alone serves as a case in point for why we do not automatically throw out suspected spam.
Filtering based upon general key words:
Through the use of scoring features, we have started tagging mail that contains
known spam phrases.
Examples are: "TIRED OF THE 40 X 40 X 40", "Pill to Increase Your",
"Free Mortgage Rate Quote", and the famous "this is not a spam email".
The more of these phrases that exist in the email, the higher the spam score is. If
the score exceeds the given threshold, it is marked with the following:
X-Spam-Suspected-by-Msen-because-of-Procmail: Spam_score is <number>.
Filtering based upon sexual key words:
A similar filter is used to tag the sexual email that is so common. Example
phrases from that filter are: "teen lolitas", "teen hardcore", "incest porn".
X-Spam-Suspected-by-Msen-because-of-Smut: Smut_score is <number>.
Policy: Msen does not read customers' email. These filters are automated scripts that do not make
moral judgements about the content they process. The "catch phrases"
that the filters are built upon are based on what spam the administrators
have received on a recurring basis. Care has been
taken in choices to minimize "false positives" that would tag or, if enabled,
delete legitimate email. Since no automated system will perform with 100% accuracy for all people,
use at your own risk.
Options to make use of these headers:
Using filters in email software. Now that Msen has tagged the email, filters in client
software are able to search for the tag. The instructions
for Netscape 4.7 are available. For Outlook Express, searching for the words "Spam_relay_address",
"Spam_score", and "Smut_score" in the headers will allow filtering.
Unix shell users should use procmail.
Trigger files:
As part of the procmail rules, we have installed specific trigger files. If the file exists in
your home directory, the email will be deleted instead of marked as spam. It will never arrive
in your mailbox for an opportunity to download.
.msen_kill_spam will delete email that was tagged using the general procmail filter.
.msen_kill_smut will delete email that was tagged using the smut procmail filter.
.msen_kill_address will delete email that was tagged using the address databases.
.msen_kill_all will delete email that was tagged using any of the above methods.
Installing any of these files will delete email immediately. The email will never
go to backup tape, and will not be recoverable. Use at your own risk.
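For users who filter on these headers themselves, the following added example (not Msen's code) parses the tag lines shown above and picks a folder for the message instead of deleting it. The folder names, the integer score format and the sample score value are assumptions.

```python
import re
from email import message_from_string

PREFIX = "x-spam-suspected-by-msen-because-of-"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDR_RE = re.compile(rf"Mail\.from\.{IP}\.rejected\.because\.of\.{IP}")
LIST_RE = re.compile(r"spamcop\.net|ordb\.org|spamhaus\.org")
SCORE_RE = re.compile(r"(?:Spam|Smut)_score is (\d+)")
# Header suffix -> category, mirroring the page's trigger-file groups.
CATEGORY = {"envelope": "address", "header": "address",
            "procmail": "spam", "smut": "smut"}

# Constructed sample: tag format copied from the page, score value invented.
SAMPLE = (
    "From: sender@example.com\n"
    "X-Spam-Suspected-by-Msen-because-of-Header: Received_parse_received:"
    "550.Mail.from.200.75.48.36.rejected.because.of.66.142.181.158;"
    "see.http://www.spamcop.net/bl.shtml?.66.142.181.158\n"
    "X-Spam-Suspected-by-Msen-because-of-Procmail: Spam_score is 14.\n"
    "\n"
    "body\n"
)

def msen_tags(raw_message):
    """Return one dict per Msen tag header, in the order they appear."""
    tags = []
    for name, value in message_from_string(raw_message).items():
        if not name.lower().startswith(PREFIX):
            continue
        suffix = name[len(PREFIX):].lower()
        tag = {"category": CATEGORY.get(suffix, "unknown")}
        addr = ADDR_RE.search(value)
        if addr:  # for Header tags the sender and the listed relay can differ
            tag["sender"], tag["listed"] = addr.groups()
            hit = LIST_RE.search(value)
            tag["list"] = hit.group(0) if hit else "unknown"
        score = SCORE_RE.search(value)
        if score:
            tag["score"] = int(score.group(1))
        tags.append(tag)
    return tags

def folder_for(raw_message):
    """File tagged mail into a review folder rather than deleting it."""
    categories = {t["category"] for t in msen_tags(raw_message)}
    if not categories:
        return "inbox"
    # Address-only hits stay reviewable: blocklists have had false positives.
    return "junk" if categories & {"spam", "smut"} else "suspect-address"
```

Keeping address-only matches in a separate folder leaves messages like the Amazon.com receipts mentioned above recoverable.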
The following form will allow Msen users to enable or disable the spam filtering
process.