Thursday, October 5, 2006

Did you receive a message with a [ JHSUSP - SPAM ] subject line tag?

Click Here to report a message tagged as suspect spam in error (false positive).

Click Here to report a message that was not identified as spam. 

Information from IT@Johns Hopkins on "image spam"

Spam embedded in image files, or simply "image spam", has become a big annoyance over the past summer and we have seen a tremendous increase in the number of image spam messages we receive in the messaging environment at Hopkins.  Image spam has become a popular vehicle for spammers because it can be made difficult to identify images as spam by changing certain characteristics of the image (ie. colors, borders, "spacers", etc).

At Hopkins, we have been using the Brightmail anti-spam product since June 2004 and results have been reasonable; especially with the low number of false positives.  However, Brightmail has not been as effective against image spam since the solution is signature based and works in a similar fashion as anti-virus software when new viruses are identified and signatures written for them.   Spam signature files are updated on our servers every 7 minutes.  But, until a specific piece of spam is identified, we can't catch it.

On October 5th, we will be evaluating another anti-spam product on the email gateways to try and deal with the problem with embedded spam in image files.  This product has the ability to assess an email on other characteristics such as the reputation of the sending IP address.  This makes the new product a little different than Brightmail.  The decision has been made to tag any messages detected as spam by the new anti-spam engine and deliver the messages to the recipient's inbox.  The tag will be [ JH-SUSP SPAM ].  The reason that the messages are being delivered and not quarantined is that it is a new product for Johns Hopkins and we do not want to impact legitimate email if it were to be incorrectly identified.  Once we determine that the new anti-spam product is alleviating the embedded spam problem and is correctly identifying messages as spam, we will start to quarantine these messages for those that are opted-in to the spam quarantine service. 
 
During this evaluation, please use the following email addresses for messages that were either not detected or incorrectly tagged.  The messages must be forwarded as an attachment.
 
* Report undetected spam to: spam at access.ironport.com
* Report false-positives to: ham at access.ironport.com
 
Please bear with us as we try to address the increase in spam that Johns Hopkins is experiencing.