How Does CanIt Work?

From Roaring Penguin
Jump to: navigation, search
Main article: Quick Start Guide

CanIt has a complex set of rules and settings that allow for very fine-tuned control over the processing of mail. This sub-article discusses the main concepts in how this is done.

Please Note

The options within this guide may or not apply to you, depending on your version of CanIt and how it has been set up by the e-mail administrator. If you can't find something as described but think that you need it, consult your administrator; there may be a reason that you don't have it.

What is a Stream?

When mail arrives, CanIt will look up the address to determine if it exists, and if it does, it will try to determine who should be responsible for it. This process, called Streaming, will usually result in each email address having a unique stream name unless your administrator has it configured otherwise. This name is essentially your "Account" except that in certain circumstances you might have access to more than one stream. The stream associated with any given email address contains the most important set of rules and settings for all mail sent to that address and will house and mail that is trapped for that address.

Streams also allow for situations where addresses and inboxes do not have a one-to-one relationship.

One Address to Multiple Recipients

If mail comes in for a group address these will generally be given their own streams. As a result, all recipients within that group will be notified to any trapped messages for that stream. Administrators will often point mail for a group address to a specific user's stream so that they will be in charge of it's trapped mail, or they will make it only accessible to themselves.

Multiple Addresses to One Recipient

Instead of one stream going to many people, multiple addresses can also be set up to a use a single stream. This was just mentioned in the case of a group address going to an individual, as their stream then houses mail for both their personal mail as well as the group's. This also allows for a single set of rules and settings to process mail for multiple email addresses, as well as to maintain a single quarantine that hold mail for all of them. This can be helpful if you have multiple alias addresses, in that you will not have separate collections of rules and trapped mail. This can be done in two ways:

  • All mail can be delivered to the original recipient address (See Preferences->My Addresses in the WebUI) while sharing the same stream.
  • Mail for secondary addresses can be rewritten to the primary address and will be delivered there instead (See Preferences->Aliases in the WebUI).

An administrator can also set this up to function on a domain-wide level so that - for example - user1@example.com will also receive mail from user1@example.org in either of the methods above.

Who Makes the Rules?

Stream Rules

You will have a varying level of control over what types of rules you can create and modify depending on what your administrator decides to allow. Unless your administrator decides otherwise, your stream is the only place that you will have any control. This allows you to decide to make rules that will impact the flow of your own mail without impacting any of your co-workers. These are also the highest priority rules, so what you say will be honoured. This is also why your admin might limit what types you can use.

Higher Laws

CanIt will also look higher up for extra rules that do not conflict with your own. These can be rules that apply to all users in your organization, all users within the entire CanIt implementation or some subset in between. Regardless of the structure, the most specific rule that you inherit from directly will always be used.

See diagram: Rule Inheritance

Scanning

At this point CanIt will have very specific rules, unique to your needs, that will be use to determine what happens to your mail. There are a lot of things for it to check and some forms of scanning can be a lot of work for the servers running CanIt, so it tries to save itself as much trouble as possible by only scanning what it has to.

One way that obvious spam is weeded out is with greylisting. This is the process of temporarily sending a "busy" signal to senders the first time that they try to send a message to any given recipient. Spammers will rarely bother to try twice, so that mail will never be scanned, however properly configured machines will dutifully retry moments later.

If the sender is known to retry, there are still other exceptions that will cause mail to skip all other checks. The first is a virus scan which will automatically discard the message regardless of any other settings. Similarly, if there is a Block rule for the sender or domain, these will also be rejected without any other scanning being done. On the other hand, an Always-Allow rule tells it to let the message through without doing any other scanning. This happens after the virus scan, so viruses sent from Allowed senders will still be blocked. The Allow rules will also be ignored it the event of an SPF fail which indicates that the sender is spoofing a domain that it is not allowed to use. The Block/Allow rules work based on specificity, as described above, where the most specific rule always wins (ie. a Sender rule trumps a Domain rule, and a rule set in your stream trumps one that you have inherited).

Absolute Block and Always-Allow rules are powerful tools that often only your administrator will have access to. If your administrator does allow you to use these tools, be aware of the following:

  • Spammers rarely use the same address twice, so a Block rule is not generally very effective. These rules are mostly effective for blocking junk-mail such as e-retailer newsletters that always come from the same address, but which have a tedious unsubscribe process.
  • Spammers will occasionally spoof the address of trusted senders, or will propagate mail from an infected machine that may belong to a trusted sender which can lead to obvious spam making it through due to an Allow rule.

If none of the exception above apply, the message will be tested against all other rules in the system and will be given a score that indicates the confidence that that message is spam. Some of these tests include:

  • looking for suspicious information in the headers and metadata.
  • performing content analysis on the headers, body and attachments in the message.
  • searching reputation lists for known-bad senders, links and IP addresses.
  • filtering by attachment file types (including those in archives)
  • searching for auto-download functions which pull down malware after the attachments such as Microsoft Office and PDFs are opened.
  • authenticity checks (SPF, DKIM and DMARC), reverse DNS records, and other common legitimacy checks.

Where Does it All Go?

After all the scanning is done the mail will have done one of 3 things:

  • Failed an absolute rule and will have been rejected (or discarded)
  • Passed an absolute rule and will have skipped all other checks and been delivered.
  • It will have been given a score indicating how spammy CanIt thinks the message looks.

In the third case, CanIt then uses 3 thresholds to determine where the message should go based on that score.

Your Inbox

If it is lower than the quarantine threshold (S-300) it is passed on to your inbox. We recommend a spam threshold of 5 points and highly discourage anyone from adjusting this by more than about 0.2 points at a time. Even this much change higher will often result in a significant amount of spam getting through, since a lot of mail will only fail one test and several tests allot exactly 5 points.

Your Pending Messages

If it is higher than the quarantine threshold then it will be compared to the reject threshold (S-100). If it is lower than this threshold then it will be held in the pending quarantine. It is these messages that you will generally be concerned about as a CanIt end-user. You may receive regular reports alerting you to these trapped messages or may have access to them in the WebUI. It is also possible that you map never see these messages and that you administrator may monitor this list for you.

Automatic Rejection

If it is higher than the reject threshold it is then compared to the discard threshold (S-200). If it is lower than this threshold then it will be put into the Spam quarantine (Quarantine->Spam in the WebUI). You will generally not notice these messages unless you have access to the WebUI and you specifically go looking for them. They will not show up in notifications but are still recoverable if necessary.

Automatic Discard

If it is higher than the discard threshold it will be tossed out and there will not be recoverable. The only thing that remains of it is a log entry so that an administrator can find out what happened to it if necessary.

Continue to: CanIt User Essentials