Services:  Email Scanning FAQ

Frequently Asked Questions about the email scanning service:

Free trial

Don't just take our word for it – you can try the service for two months absolutely free. Just fill in your details at the bottom of the page and we will get the ball rolling.

How It Works

How does the system work?
By changing your DNS record (the Internet "Phone Book"), you tell everyone on the Internet to send email for your domain to our scanning servers first.

We scan the email, remove spam and viruses and send a clean feed to the email server that you specify when signing up.

How does the system detect spam?
The system uses a combination of different tools and techniques (open source and proprietary) to detect spam. The effectiveness of the system comes from using these different tests in a layered approach. With a few exceptions, no single test gets an email tagged as spam – it needs to fail a combination of tests.

This combined approach makes it very difficult for spammers to work around the system, and also significantly reduces the risk of false positives.

How does the system detect viruses?
The system uses one quality open source anti-virus tool, and one quality proprietary anti-virus tool to detect viruses (as part of our defence in depth principle). In addition, certain file types, which generally have no place in email, are also prohibited by the system.

The file type blocking rules very occasionally cause some valid email to be returned to the sender. However, these rules provide vital coverage in that time period between a new virus being released, and virus scanners being able to detect it.

White list rules can be created to allow certain attachments from regular correspondents.

Reliability, Performance and Effectiveness

How Reliable is the Service?
Our email scanning servers are located in enterprise class data centres in Sydney (New South Wales, Australia) and Brisbane (Queensland, Australia). The data centres provide high quality, conditioned facilities (UPS, generator, air conditioning, etc.), making the systems highly unlikely to fail from hardware fault or environmental factors.

We use one of the most reliable operating systems and mail transfer systems available. Our systems only ever reboot for scheduled maintenance, and then only if a kernel patch is required.

Finally we use a primary and secondary MX record for your domain. This means that in the highly unlikely event of one of our sites failing, messages from the Internet will simply switch to using the secondary site.

In this way we are able to meet our commitment to 99.9% uptime (in reality, our system has run at 100% uptime since 2004).

What happens if my mail server is down?
We just queue the email. The scanning servers will keep checking to see if your mail server is up, and when it comes up, will deliver the email queue.

Will it slow email down?
A little, but you will barely notice it. With a slight caveat for greylisting, messages in general spend about 20 seconds being scanned. The transmission time for small messages is negligible. For very large messages it can add a few seconds to a minute. However, on balance you still probably get these emails faster, because your Internet link is not being choked by spam (as we throw it away before it gets to you).

How effective is it at stopping spam?
If you currently have no anti-spam defences you can expect over a 99% reduction.

If you do have some anti-spam product or system you can probably still expect a reduction somewhere between 75% and 99%.

If you don't wish to use greylisting your performance won't be quite this good but we would still expect you to achieve over 96% if you have no product, and somewhere between 60-90% if you have a product already.

A typical case study was a client who, despite having a desktop anti-spam product, received over 200 spam email messages a day. After switching to our system this dropped to 4-5 spam messages per week.

Don't forget, you can trial our system for two months for free, so you can see first hand how effective it is.

Safety

Will the system throw away valid email?
The short answer is no. It will never "throw away" valid email.

The detection system is very accurate, but it is not perfect. This is how it deals with material that might be, but isn't definitely, spam:

  1. If it is early enough in the process (while it is still speaking to the sender's email server) then it simply refuses to accept the email. This causes a Non Delivery Report (including the reasons the mail was rejected) to be sent to the original sender. Although the mail is not delivered, the sender also knows the email did not get through and so can use another mechanism to get their message through.
  2. If it is too late in the process for the mail to be refused, then rather than deleting the message, it is tagged with {SPAM?} in the subject line and sent to the intended recipient, allowing them to action it as they think necessary.

When the system is certain that mail is spam it silently deletes the message.

Privacy and Confidentiality

How is the customers' privacy protected?
As an Australian Company, Colman Communications Consulting is obliged to adhere to the Privacy Act that requires us to: Strictly speaking, these rules apply to individuals. However, as most email is a mixture of business and private communication it is simply easiest to apply these rules to all our customers' information.

Our staff are vetted before hiring, and are required to understand and accept our confidentiality agreements when joining us.

What information does the system retain?
The system retains log information showing sender and recipient email addresses, IP addresses of mail servers and also reasons why email was rejected (in the cases where it is rejected). The Subject line of emails is not logged.

No permanent copies of customer emails are made under any circumstances.

Can email passing through your system be intercepted?
All email can be intercepted while it crosses the Internet although in reality, just like credit cards, the greatest danger is at the point the data comes to rest.

Using our system does not substantially increase or reduce the risk.

Compatibility, Service Requirements and Other Technical Information

Can we use the service?
You need to have your own domain, and your own email server, or be happy for us to act as your post office server (where you retrieve your emails from).

The service is compatible with MS Exchange, Postfix, Sendmail, Notes – anything that supports Simple Mail Transfer Protocol (SMTP).

Do we need a static IP address?
No. The service operates just fine provided it can find you. Many of our clients use dynamic DNS services such as dyndns.org and changeip.org without any problems.

What is involved in getting set up to use the service?
You need to do the following:

  1. Fill in the sign up form – either for a trial or to sign up.
  2. Adjust your DNS MX records with the information we send you. This is straightforward, and we can give you a hand if necessary.
  3. Optionally (we recommend it though) you should also adjust your firewall so that only our scanning servers can deliver email to your email server from the Internet.

What are the addresses of the systems we need to permit to deliver email?
202.174.99.96/29 and 203.63.8.40/29

What languages does the system support?
Anti-virus will work for any language. The anti-spam system will work best for the English language. While it will stop a considerable amount of spam in other languages we don't make any percentage representation. If English is not the language your organisation typically uses you are still, of course, welcome to try it for free for 2 months and gauge for yourself how effective the system is.

How do you get support?
Please see our contact page. Submit a request to the helpdesk email address.

{SPAM?}, {FILENAME} and other warnings from our mail scanners

What does {SPAM?} in the subject line mean?
Detecting spam is an inexact science. When we think a message is spam, but aren't sure enough to throw it away, we instead put the {SPAM?} in front of it, and forward it to you.

Potential spam messages are also converted to plain text to further reduce the risk (as HTML can be used by the spammer to try and indicate whether the message has been successfully received).

What does {FILENAME?} in the subject line mean?
To provide protection against viruses that cannot yet be detected by virus scanners (for every new virus there is a period of time between the virus being released, and the anti-virus companies providing detection) our system also prohibits certain filenames.

This occasionally does cause some inconvenience as legitimate emails are sent with these extensions.

When this happens the system strips the prohibited attachments, and sends the message on to you with {FILENAME?} in the subject line. It also emails the sender to let them know that the attachment needed to be stripped.

The system is easily worked around – you can ask your correspondent to change the file attachment name to one that is acceptable (such as .doc), or you can put in a support request with us to have email from that correspondent whitelisted.

What does "Mailscanner detected phishing attack" mean?
Phishing is a term used to describe a type of attack where the criminal tries to trick a person into disclosing usernames and passwords for something like a PayPal, bank or ecommerce account. The criminal then logs in to the real account and tries to steal whatever they can.

One technique "phishers" use is to send HTML email where they will put a link, which looks like a valid one (for example http://www.commbank.com.au/ebank), but actually links off to a website they created, which looks like the real one, and tries to trick the recipient into revealing their username and password by trying to log in.

Our system provides some basic protection against this kind of attack. However, unfortunately many legitimate companies do have a habit of sending links in email where the text looks like a link, and is different to the actual link underneath.
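
The check described above (link text that looks like one address while the underlying link goes elsewhere) can be sketched as follows. This is an added example, not the service's or MailScanner's own code; the sample message, the example.invalid and example.org hosts and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches link text that itself looks like a URL or bare hostname.
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)

# Constructed sample message body (hosts are placeholders).
SAMPLE_HTML = """\
<p>Dear customer, please log in at
<a href="http://login.example.invalid/ebank">http://www.commbank.com.au/ebank</a></p>
<p><a href="https://www.example.org/news">www.example.org</a> |
<a href="https://www.example.org/unsubscribe">Click here</a></p>
"""

class LinkAudit(HTMLParser):
    """Collects anchors whose visible text names a different host than href."""
    def __init__(self):
        super().__init__()
        self.href = None          # href of the anchor currently open, if any
        self.text = []            # visible text collected inside that anchor
        self.mismatches = []      # (text shown to the reader, real host)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        looks_like_url = URLISH.match(shown)
        real_host = (urlparse(self.href).hostname or "").lower()
        # Only flag text that claims to be an address; "Click here" is ignored.
        if looks_like_url and looks_like_url.group(1).lower() != real_host:
            self.mismatches.append((shown, real_host))
        self.href = None

def find_mismatched_links(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches
```

A strict host comparison like this also flags the legitimate mailers mentioned above that route links through a different host, which is why the result is a warning rather than grounds for deleting the message.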

If you are trying to figure out whether a link is safe to follow, consider the following:

  1. Were you expecting it? If you just booked an airline ticket you would probably expect an email from them. However, your bank will never send you email asking you to update your details through this link (neither will PayPal, eBay, etc).
  2. If you look carefully at the words in the email, do they actually use correct English? Don't skim it – carefully read it. A misspelt word might not mean anything, but often phishers give away the fact that English is not their first language by not being able to properly construct sentences.
  3. If you are in doubt you can always ring the organisation for assistance.

Other

What is direct injection spam and how is it stopped?
Direct injection spam is an attempt by spammers to bypass systems such as ours by trying to guess your email server.

For example, they might look up the DNS MX (Mail Exchange) record for your domain:

example.com mail is handled by 10 ms1.colmancomm.com.
example.com mail is handled by 20 ms2.colmancomm.com.

Rather than send to one of those servers, they might take a guess that your mail server will be called mail.example.com.

If this resolves they will try and send email directly to it, rather than the valid destination. If your mail server still accepts email from the Internet (rather than just our mail scanning servers) then the spammer will bypass the scanning and "directly inject" the spam.

In general direct injection spam is becoming less of an issue. However, to get the best value out of our service it is best if you close this small gap in the defences.

Direct injection spam is easily countered by either adding a firewall rule (so that only the email scanning servers can deliver email from the Internet to your email servers) or by having delivery done on a non-standard TCP port.
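
To check whether the gap is still open, the mail server's own connection log can be audited for clients outside the two scanning ranges listed earlier on this page. This is an added example, not the service's code; it assumes Postfix-style "connect from" log lines, and the log sample and hostnames in it are constructed.

```python
import ipaddress
import re

# Scanning-server ranges as published on this page.
SCANNER_NETS = [ipaddress.ip_network(n)
                for n in ("202.174.99.96/29", "203.63.8.40/29")]

# Constructed log lines in Postfix smtpd format (hostnames are placeholders).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtpd[811]: connect from scanner-a.example.net[202.174.99.98]
Mar  3 10:02:40 mail postfix/smtpd[812]: connect from unknown[198.51.100.23]
Mar  3 10:03:05 mail postfix/smtpd[813]: connect from scanner-b.example.net[203.63.8.41]
Mar  3 10:04:59 mail postfix/smtpd[814]: connect from unknown[203.63.8.48]
Mar  3 10:05:01 mail postfix/smtpd[814]: disconnect from unknown[203.63.8.48]
"""

# The leading ": " keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(r": connect from \S*\[([0-9a-fA-F.:]+)\]")

def is_scanner(ip):
    """True if ip falls inside one of the published scanning ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_NETS)

def direct_connections(log_text):
    """Return client IPs that reached the mail server without the scanners."""
    hits = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        try:
            if not is_scanner(match.group(1)):
                hits.append(match.group(1))
        except ValueError:
            continue  # bracketed value was not a valid IP address
    return hits
```

Any address this returns (other than your own internal clients) reached the mail server directly, which means the firewall rule is missing or too broad. Note that 203.63.8.48 is reported because a /29 covers only eight addresses.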

What is Greylisting?
Greylisting is a method of protecting you from spam and viruses that relies on systems correctly complying with the rules for sending email, and is very effective at preventing spam (particularly when used in combination with our other techniques). There are a couple of downsides however. Firstly, not all systems on the Internet correctly comply with the rules for sending email even when they have a legitimate need to send email. Secondly, greylisting can slightly slow down email, particularly the first time you receive email from a new correspondent. Typically the delay introduced is only 5 minutes or so, the first time you receive an email from a new contact, but it can be higher and depends on the system sending email to you, not our email scanning system.

Overall, we highly recommend greylisting for all customers. But be aware that, on the first email from a new contact, a delay will be introduced.
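
How the first-contact delay arises, as an added example that is not the service's own code: it assumes the common greylisting design in which an unknown (client IP, sender, recipient) combination gets a temporary SMTP failure and is accepted once the sending server retries after a set delay. The 300-second delay reflects the "5 minutes or so" above; the addresses are constructed.

```python
GREYLIST_DELAY = 300                 # seconds; assumed from "5 minutes or so"
DEFER = "451 4.7.1 try again later"  # temporary failure: sender should retry
ACCEPT = "250 2.0.0 ok"

class Greylist:
    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}   # triplet -> time of its first delivery attempt
        self.passed = set()    # triplets that have retried correctly

    def check(self, client_ip, sender, recipient, now):
        """Decide the SMTP response for one delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return ACCEPT                      # known correspondent: no delay
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            self.passed.add(key)               # retried after the delay
            return ACCEPT
        return DEFER                           # new, or retried too early

def simulate():
    """Constructed timeline: a queueing mail server versus a one-shot sender."""
    gl = Greylist()
    mta = ("192.0.2.10", "alice@example.org", "bob@example.com")
    bot = ("198.51.100.7", "promo@example.net", "bob@example.com")
    return [
        gl.check(*mta, now=0),     # first contact: deferred
        gl.check(*bot, now=5),     # one-shot sender: deferred, never retries
        gl.check(*mta, now=60),    # retry too early: still deferred
        gl.check(*mta, now=900),   # queued retry after the delay: accepted
        gl.check(*mta, now=950),   # later mail from the same contact: no delay
    ]
```

The accepted message arrives at the 900-second mark rather than 300 because the retry interval is set by the sending server, which is the reason the delay "can be higher" than five minutes.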

Do we still need anti-virus on our desktop computers?
Yes, absolutely. You should always run a desktop anti-virus product if you are using a Windows computer. Although email is still the most common way for viruses to spread, there are many ways a virus can get onto your computer that are not via email. Also, just like us, you should take a "defence in depth" approach to protecting your network against viruses.