Difference between revisions of "Common CanIt User Tasks"

From Roaring Penguin
(General Rules)
(Stop Messages From Being Trapped/Let Through)
 
(16 intermediate revisions by 2 users not shown)
Line 8: Line 8:
 
=Manage Your Quarantine=
 
Quarantined messages can be accepted, rejected or optionally marked as a phishing attempt. When you perform these actions, the message is trained into our Bayes Database for content analysis, which makes the scanner better at identifying spam in the future. You will also generally be allowed to whitelist or blacklist the Sender, Domain, or Network. When a message is whitelisted, it is automatically accepted, and when it is blacklisted it is automatically rejected. This can be done in multiple locations.
+
Quarantined messages can be accepted or rejected. When you perform these actions, the message is trained into our Bayes Database for content analysis which makes the scanner better at identifying spam in the future. You may also be allowed to Block or Always-Allow the Sender or Domain so that mail from them in the future will either be rejected or accepted automatically when they are received.
  
 
==From the Inbox==
 
If you are set up to receive notification emails, they will contain voting links beside each entry. You may or may not have all of the above options available. Clicking the voting link for an item should automatically apply the change. This may require you to log in to the WebUI to register the vote.
+
If you are set up to receive notification emails, they will contain voting links beside each entry. You may or may not have all of the above options available. Clicking the voting link for an item should automatically apply the change. This may require you to log in to the WebUI to register the vote, but if a window opens to acknowledge the vote without asking you to log in, you can simply ignore it.
 +
 
 +
You can click on the Subject of the message to be shown its contents in the WebUI if you are able to log in. See the next section for advanced tools.
  
 
==From the WebUI==
 
The pending messages in your quarantine will be immediately visible from the Home page as well as being categorized and searchable in the Quarantine Category. The messages visible on the Home page are messages that were deemed to be suspicious, but not egregiously so and are pulled from the more detailed Quarantine->Pending. You can also select one of the other pages from the list in the Quarantine category to see messages that you have already dealt with.
+
The pending messages in your quarantine will be immediately visible from the Home page as well as being categorized and searchable from the Quarantine page. The messages visible on the Home page are messages that were deemed to be suspicious, but not egregiously so, and are pulled from the more detailed Quarantine->Pending. You can also select the Spam, Non-Spam or All pages from the Quarantine menu to see messages that have already been (manually or automatically) rejected or (only manually) accepted. Mail that initially scored below the quarantine threshold is not stored in the WebUI unless you have the Archive available.
  
From either of these pages you can quickly accept or reject any of the trapped messages with the drop-down list for each item. You will need to click Submit Changes when you have specified all of your desired actions. You may additionally have the ability to Always Accept or Always Reject from the sender; however, this should be used sparingly.
+
From Home, Quarantine, or the individual incident pages there will be a drop-down menu or series of radio buttons that will let you accept or reject any of the trapped messages (except those that have already been resolved; only admins can re-open incidents by default). From Home or Quarantine you will need to click Submit Changes before these will take effect. With drop-down menus you may additionally have Always-Accept or Block options for the sender and/or domain.
  
 
=See Why a Message Was Trapped=
 
From your quarantine you can click on the time that the message arrived to view the incident details. This is also accessible while viewing the message via the subject link by pressing "See Incident Details" at the top of the page.
+
From either the Home or Quarantine section you will be able to click on the subject of messages to see the body contents. You can then click on See Incident Details at the top of the page (or the Date column from the list view) to get detailed information on how the message scored. It is helpful to note the Incident ID if you are going to seek help from an admin (IDs are case-sensitive).
 +
 
 +
At the bottom of the incident page is a list of all of the rules that were triggered by the message. The most common reason a message is blocked will be if it triggered the Bayes statistical analysis. This is the probability that it is spam based on content analysis and is represented by the list of coloured words at the very bottom. The overall likelihood is listed next to the spam score as a percentage.  
  
At the bottom of the incident page is a list of all of the rules that were triggered by the message. The most common reason a message is blocked will be if it triggered the Bayes statistical analysis check as shown at the very bottom of this section after a list of suspicious words and phrases that it found. The other scores are shown as:
+
Many other tests may be listed above this in a form like:
  
 
  # RULE_NAME      Human-readable description of rule
 
Any of the scores that are assigned for specific rules are configurable by your administrator if you think one is consistently causing trouble, however they are set up by default to work optimally for 99% of users.
+
The value assigned by each rule can be overridden if you have access to Rules->Score Overrides, or by addressing the rule's specific page.
 +
 
 +
=Stop Messages From Being Trapped/Let Through=
  
=Stop Good Messages From Being Trapped/Let Through=
+
We have another article discussing diagnostics for [[When Spam Gets Through]]. This covers the basics of how to find out why something that you think is spam might not have been caught and what can be done to prevent it.
  
We at Roaring Penguin run what we call the Roaring Penguin Training Network (RPTN). This is a massive database consisting of the combined judgement of all of our participating members. By participating, your CanIt system will benefit from the judgement of millions of votes, creating a very accurate set of general rules on what the content of spam emails looks like. That being said, your organization receives a unique sub-set of all of the mail on the internet and so rules that fit the rest of the world may not fit you exactly. This is why it is important that you still train your own system, even though it has so much inherited knowledge. Your votes will override the RPTN votes if they differ, allowing you to have a filter that is customized to your needs.
+
What causes a message to get caught can be more complicated because CanIt has such a wide variety of rules and settings that can result in a message being trapped. As mentioned, the most common reason for a message to be trapped is content analysis using Bayesian Analysis. We at Roaring Penguin run what we call the Roaring Penguin Training Network (RPTN): a massive database consisting of the combined judgement of all of our participating members. By participating, your CanIt system benefits from millions of votes, creating a very accurate set of general rules on what the content of spam emails looks like. That being said, your organization receives a unique sub-set of all of the mail on the internet and so rules that fit the rest of the world may not fit you exactly. This is why it is important that you still train your own system, even though it has so much inherited knowledge. Your votes allow the system to recognise when content looks spammy to you, but not to others (or vice versa).
  
Any time that you release a message from your quarantine, this is done automatically, teaching the system that messages which resemble the one you released are good. Likewise, if you reject a pending message it will reinforce the assumptions that the scanner made about its content and will make similar messages score even higher in the future.
+
Any time that you accept a message from your quarantine, this is done automatically, teaching the system that messages which resemble the one you released are good. Likewise, if you reject a pending message it will reinforce the assumptions that the scanner made about its content and will make similar messages even more likely to be caught in the future.
  
 
If a spam has already made it to your inbox without being trapped, you will likely have the ability to vote it as spam from the CanIt footer that is generally added to the content of the email itself.
 
Line 40: Line 46:
 
If you find that you consistently have the same types of good messages trapped or bad messages let through over an extended period, a special rule may be in order.
 
  
Rules can be created under the Rules category, which may or may not be available to you as a user. For more on this, see Blacklisting and Whitelisting, as well as Create a Custom Rule below.
+
Rules can be created under the Rules menu in the WebUI, which may or may not be available to you as a user. For more on this, see Block and Always-Allow Rules, as well as Create Additional Rules below.
  
=Blacklisting and Whitelisting=
+
=Block and Always-Allow Rules=
  
Blacklist and whitelist entries can be requested from either your inbox or the WebUI in the same manner that you accept or reject mail. Please note that depending on the configuration of your system and its current load, these rules will take some time to be applied. If they don't seem to be working, wait a few hours before contacting your administrator.
+
Block and Always-Allow rules are absolute. Messages that trigger either of these will not go through any scanning. They will either be automatically discarded in the former case or automatically accepted in the latter. As such, you need to be careful with them. The exception to this is that Always-Allowed items will still be discarded if they contain viruses or will still be filtered normally if they return an [[SPF fail]].
  
Blacklists and whitelists are absolute rules. Messages that trigger either of these will not go through any scanning. They will either be automatically discarded in the former case or automatically accepted in the latter. As such, you need to be careful with them.
+
Blocking senders or domains is often not as useful as you might initially think. Spammers tend to generate new sender addresses for every message they send, and so you will rarely receive two spams from the same sender. Block rules are most appropriate for things like recurring newsletters and ads from e-retailers or other similar senders whose unsubscribe process is too tedious. This is discussed further in our statement on why we do not allow [[Bulk Blocking]].
  
Blacklisting is often not as useful as you might initially think. Spammers tend to generate new sender addresses for every message they send, and so you will rarely receive two spams from the same sender. Blacklists are most appropriate for things like recurring newsletters and ads from e-retailers or other similar senders whose unsubscribe process is too tedious.
+
You should also use some caution when creating Always-Allow rules. Allowing an entire domain is rarely advisable, especially for common domains like gmail.com or hotmail.com. Even for individual senders, however, there is a level of danger, because spammers are capable of spoofing the address of one of your common contacts, or can infect one of their machines. If either of these is the case for a contact that you have allowed, the spam will make it through unchecked. We have another article discussing messages sent from [[Spoofed Addresses]] and the actions you can take to prevent that. More specifically, we also refuse to enforce Allow rules for your own domain and have [[Phishing_From_Own_Domain|a second article]] addressing that case.
  
You should also use some caution when creating whitelists. Domain whitelisting is rarely advisable, especially for common domains like gmail.com or hotmail.com. Even for senders, however, there is a level of danger to whitelists, because spammers are capable of spoofing their address as one of your common contacts, or causing one of these contacts to perpetuate their spam attack. If either of these is the case for a contact that you have whitelisted, the spam will make it through unchecked. You are also not able to whitelist your own domain.
+
If you are worried about adding absolute rules like these, see Creating Additional Rules below.
 
 
If you are worried about adding absolute rules like these, see Creating a Custom Rule below.
 
  
 
==From the Inbox==
 
If you receive a spam in your inbox you can select one of the blacklist voting links in the footer. These voting links will also be available in your quarantine notifications if you are set up to receive them.
+
Block and Always-Allow rules can be created from your inbox using the voting links in the footers added to regular mail, or from the action list in the notifications if the admin has made these available to you.
  
Because blacklisting is often useless, as described above, a blacklist entry generated in this manner is automatically given a 30-day expiry. If you would like to make a permanent blacklist you can do so in the WebUI or request one from your administrator.
+
Because blocking is often useless, as described above, a blacklist entry generated in this manner is automatically given a 30-day expiry. If you would like to make a permanent Block rule you can do so in the WebUI or request one from your administrator.
  
 
==From the WebUI==
 
These can be made in a very similar manner to the inbox by selecting Always Accept or Always Reject from the Home page or Quarantine->Pending. Blacklists created in this manner are also temporary.
+
By default you can create these rules proactively from the Home page of the WebUI using the Accept and Reject List box (this is available by default for all users with web access, but can be disabled as well). The links beneath this box allow you to manage and delete existing rules of each type.
  
Manual blacklisting and whitelisting rules can be created under Rules->Sender, Rules->Domains, and Rules->Networks for the relevant level of scope. You create a rule by entering the address into the text field at the top and clicking Add Rule. Once it is in the list you can specify what to do for that address, when the rule should expire, if ever, and a brief description of why you created the rule. If there are existing rules that you would like to change, that can also be done here. Rules generated from the inbox or quarantine will have a comment with the IncidentID automatically added to the comments. Once all of the changes are made to your liking, make sure that you click the Submit Changes button at the bottom.
+
You can also create these rules in response to specific incidents if you are using the pulldown lists for action selection (as opposed to radio buttons) and if your administrator allows these as an option.
  
=Create Custom Rules=
+
The rules can also be created under Rules->Sender, Rules->Domains, and Rules->Networks (not available to users by default) for the relevant scope. You create a rule by entering the target into the text field at the top and clicking Add Rule. It will then ask you to specify what to do for that address/domain/IP, when the rule should expire (optional), and a brief description of why you created the rule (optional).
  
This is something that you may want to, or need to, request from your administrator. Custom rules can be specified in Rules->Custom Rules or Rules->Compound Rules. Compound Rules are a more complex version of custom rules that allow for the use of logic operators such as AND and OR. This allows you to make rules only apply when multiple fields are matched. If you don't know how logic operators work, ask your administrator for help.
+
These pages, which are also where the links under the Accept and Reject List box point, allow you to view and modify existing rules. Those that were generated from the inbox or quarantine will have a comment automatically added with the Incident ID that the rule was created for. Once all of the changes are made to your liking, make sure that you click the Submit Changes button at the bottom.
  
==General Rules==
+
=Create Additional Rules=
  
A custom rule is quite simple and can be made to look at a variety of fields such as the sender address, sender domain, subject, or otherwise, to varying levels of specificity. You can then select a value to apply to any message that matches this definition. By selecting a positive value, messages that trip the rule will have their score increased by that amount. It is generally advisable that you don't set a broad rule to apply as much as your S-300 value (Preferences->Quarantine Settings->Filter Settings->S-300). This makes it so that a message must still score on at least one other rule before it is quarantined, minimizing the incidence of false positives. Similarly, applying a negative value will lower the total spam score, making matching messages less likely to get trapped. Again, you don't want to apply too large a negative score for a broad rule, otherwise you risk having spam get through because it tripped the rule. For very specific rules that apply to messages you never want to see, or always want to see, you can go much higher or create a blacklist/whitelist as explained above. See Where Does it All Go? above to help you find the right value for your desired result.
+
This is something that you may want to, or need to, request from your administrator. A limited number of rule options will be available to regular Users under the Rules category.
  
 
==Country Rules==
 
Line 80: Line 84:
 
==Attachment Extensions==
 
Rules->MIME Types allows you to create rules for the files that are included as attachments based on their extensions. CanIt will detect not only the immediate file extensions, but also those within certain archives such as .zip. Virus transmission is extremely common with many Microsoft file formats such as .exe, .msi, and .bat. These are all blocked by default and, while it is highly advisable that you don't change this, you can apply a rule to allow or at least hold them if you need to. It is much more advisable that you use a file sharing service such as Dropbox and run thorough scans of the files if you need to send or receive them. If you try to send many file extensions to major services like Gmail, they will be rejected on the receiving end anyway.
+
Rules->MIME Types allows you to create rules for types such as "application/html".  
  
Additionally, other formats such as Microsoft Office documents are common carriers of viruses. These are not generally enforced by default, but if your company doesn't deal with these files very often, they may be for you. You can add your own by entering the extension without the dot in the text field at the top, clicking Add Rule, then applying an action for whitelisted senders and a general action for all other senders. Be sure to Submit Changes when you are done. As a final note, you can append > to the file extension to have the rule only take effect if it is contained within an archive.
+
Rules->Filename Extensions can be used to manage attachments based on their extensions. CanIt will detect not only the immediate file extensions, but also those within archives. Virus transmission is extremely common with many Microsoft file formats such as .exe, .msi, and .bat, so these are blocked by default as well as the rest of [[Blocked_File_Extensions_-_Hosted|these extensions]]. You could override these with your own rules for the same extensions, but that is not advisable.
 +
 
 +
You can add your own by entering the extension without the dot in the text field at the top, clicking Add Rule, then applying an action for whitelisted senders and a general action for all other senders. Be sure to Submit Changes when you are done. If you preface the file extension with >, CanIt will look for that extension only if it is contained within an archive (.zip, .rar, .tgz, etc.).
 +
 
 +
Other formats such as Microsoft Office documents and PDFs are common carriers of viruses, or more often contain code that downloads the virus from elsewhere when the attachment is opened. CanIt does have facilities in place to scan for viruses built into these as well as to scan for known-bad links in these. However, if you do not anticipate needing these files via email, you may want to consider blocking them. If you do need Office files, but don't want Office files that contain either auto-running Macro functions or any Macros at all, you can see a special set of rules for these in Rules->Plugins.
 +
 
 +
Many viruses will be included in encrypted attachments, specifically .zip and Office files, providing the password in the body of the email. Given that they are encrypted, CanIt has no way to parse the contents, so instead we allow for a special set of Filename Extension rules with a suffix of .encrypted. For example, an entry for zip.encrypted would apply to encrypted zip archives, but not unencrypted ones.
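As an added illustration of how the Filename Extension rule forms described above (a bare extension, a > prefix for archive-only matching, and a .encrypted suffix for password-protected archives or Office files) can be evaluated, here is a small model in Python. This is example code written for this article, not CanIt's own implementation; the action names ("reject", "hold", "scan"), the first-match-wins ordering, the rule that a bare extension also matches encrypted files, and the sample attachments are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed action names: "reject" = discard, "hold" = quarantine for review,
# "scan" = no extension rule applied, continue with normal filtering.
DEFAULT_ACTION = "scan"


@dataclass
class Attachment:
    filename: str
    inside_archive: bool = False  # found inside a .zip/.rar/.tgz etc.
    encrypted: bool = False       # password-protected zip or Office file


@dataclass
class ExtensionRule:
    pattern: str   # "exe", ">js" (archive-only), "zip.encrypted" (encrypted only)
    action: str    # action for all other senders
    action_for_allowed_senders: Optional[str] = None  # action for whitelisted senders


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def rule_matches(rule: ExtensionRule, att: Attachment) -> bool:
    pat = rule.pattern.lower()
    archive_only = pat.startswith(">")        # '>' prefix: only inside archives
    if archive_only:
        pat = pat[1:]
    encrypted_only = pat.endswith(".encrypted")  # '.encrypted' suffix
    if encrypted_only:
        pat = pat[: -len(".encrypted")]
    if archive_only and not att.inside_archive:
        return False
    if encrypted_only and not att.encrypted:
        return False  # "zip.encrypted" does not apply to unencrypted zips
    return extension_of(att.filename) == pat


def decide(rules, att: Attachment, sender_allowed: bool = False) -> str:
    """First matching rule wins (assumption); no match means normal filtering."""
    for r in rules:
        if rule_matches(r, att):
            if sender_allowed and r.action_for_allowed_senders:
                return r.action_for_allowed_senders
            return r.action
    return DEFAULT_ACTION


# Constructed rule set for the example (not CanIt's default list).
RULES = [
    ExtensionRule("exe", "reject"),                  # blocked everywhere
    ExtensionRule(">js", "reject"),                  # only when inside an archive
    ExtensionRule("zip.encrypted", "hold"),          # only password-protected zips
    ExtensionRule("docm", "hold", action_for_allowed_senders="scan"),
]

if __name__ == "__main__":
    for att in (Attachment("setup.exe"), Attachment("script.js"),
                Attachment("script.js", inside_archive=True),
                Attachment("invoice.zip", encrypted=True), Attachment("invoice.zip")):
        print(att.filename, att.inside_archive, att.encrypted, "->", decide(RULES, att))
```

Note that the macro-enabled document rule shows the two-action form the text describes: whitelisted senders get one action and everyone else another.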
 +
 
 +
==Custom Rules==
 +
 
 +
The most flexible and powerful rules in CanIt are Custom Rules. These let you identify a wide variety of aspects of a message including the Header content, Body content and a wide variety of other fields. You can create arbitrary rules for words, phrases and even pattern matching with regular expressions (note the Regular Expression Tester at the top of the page) and add or subtract your desired number of points if they are triggered. The main page has a box to quickly create single clause rules, but the Add an Advanced Rule link or selecting the ID of an existing rule will allow for more fields to be searched and the use of logic operators such as AND and OR to match multiple criteria.
 +
 
 +
These rules allow you to do simple tasks, like blocking all messages that contain certain words in the body, as well as more complex rules like adding additional score if multiple low-scoring tests are hit, or [https://www.roaringpenguin.com/wiki/index.php/Spoofed_Addresses taking anti-spoofing measures].
 +
 
 +
These rules will also accept a negative score to allow you to trim a number of points off of a message if it matches good criteria. This allows you to effectively Allow a specific sender by removing 5 or so points, while still catching anything from their address that is egregiously spammy. It also allows you to allow messages that frequently score high because of poor standards compliance or other predictable behaviour, for example: many scan/fax-to-email features for network-enabled printers will get blocked because they are poorly crafted, so trimming off score based on the IP address, subject, attachment type, etc. can help those through.
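To make the Custom Rules behaviour described in the preceding paragraphs concrete (single-clause and compound AND/OR rules over header, body and other fields, with positive or negative points, including the scan-to-email printer case), here is an added Python model. It is example code for this article, not CanIt's rule engine: the field names, the three clause operators ("contains", "equals", "regex"), the sample rules and the two constructed messages are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Clause:
    field: str   # e.g. "subject", "body", "client_ip", "attachment_type"
    op: str      # "contains", "equals" or "regex" (assumed operator set)
    value: str

    def matches(self, msg: dict) -> bool:
        actual = msg.get(self.field, "")
        if self.op == "contains":
            return self.value.lower() in actual.lower()
        if self.op == "equals":
            return actual.lower() == self.value.lower()
        if self.op == "regex":
            return re.search(self.value, actual, re.IGNORECASE) is not None
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class CustomRule:
    name: str
    clauses: List[Clause]
    logic: str    # "AND": every clause must match; "OR": any clause suffices
    score: float  # positive adds points, negative trims them

    def matches(self, msg: dict) -> bool:
        results = [c.matches(msg) for c in self.clauses]
        return all(results) if self.logic == "AND" else any(results)


def apply_custom_rules(rules: List[CustomRule], msg: dict) -> Tuple[float, List[str]]:
    """Return the total score adjustment and the names of the rules that hit."""
    hits = [r for r in rules if r.matches(msg)]
    return round(sum(r.score for r in hits), 2), [r.name for r in hits]


# Constructed rules for the example.
RULES = [
    # Simple single-clause rule: a word in the body adds points.
    CustomRule("BODY_LOTTERY", [Clause("body", "contains", "lottery")], "OR", 5.0),
    # OR rule: either indicator adds points.
    CustomRule("FAKE_INVOICE", [Clause("subject", "contains", "invoice"),
                                Clause("body", "contains", "wire transfer")], "OR", 3.0),
    # AND rule with a negative score: trims points off the poorly formed
    # scan-to-email messages from one known printer, without allowing
    # everything from that address outright.
    CustomRule("PRINTER_SCAN", [Clause("client_ip", "equals", "192.0.2.15"),
                                Clause("subject", "regex", r"^Scan from MFP-\d+"),
                                Clause("attachment_type", "equals", "application/pdf")],
               "AND", -5.0),
]

# Constructed messages (documentation addresses; not real mail).
PRINTER_MESSAGE = {
    "from": "scanner@printer.example.com",
    "subject": "Scan from MFP-2300",
    "body": "Attached is your scanned document.",
    "client_ip": "192.0.2.15",
    "attachment_type": "application/pdf",
}
SPAMMY_MESSAGE = {
    "from": "billing@example.net",
    "subject": "Overdue invoice",
    "body": "Please send the wire transfer to claim your lottery winnings.",
}

if __name__ == "__main__":
    for m in (PRINTER_MESSAGE, SPAMMY_MESSAGE):
        print(m["subject"], "->", apply_custom_rules(RULES, m))
```

The adjustment returned here is what gets added to the message's other test scores; the printer rule only fires when all three clauses agree, so a spammy message spoofing the printer's subject line but arriving from a different IP gets no discount.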
 +
 
 +
Some of these rules can be tricky to manage and you should not hesitate to consult an administrator before trying to make rules of your own.
  
 
:''Continue to: [[Common CanIt User Problems]]''
 
 +
 +
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 +
[[category:All]][[category:Quick Start Guide]]

Latest revision as of 11:18, 27 October 2017

Main article: Quick Start Guide

The following are suggestions on how to perform frequent tasks applicable to a CanIt end-user.

Please Note

The options within this guide may or may not apply to you, depending on your version of CanIt and how it has been set up by the e-mail administrator. If you can't find something as described but think that you need it, consult your administrator; there may be a reason that you don't have it.

Manage Your Quarantine

Quarantined messages can be accepted or rejected. When you perform these actions, the message is trained into our Bayes Database for content analysis which makes the scanner better at identifying spam in the future. You may also be allowed to Block or Always-Allow the Sender or Domain so that mail from them in the future will either be rejected or accepted automatically when they are received.

From the Inbox

If you are set up to receive notification emails, they will contain voting links beside each entry. You may or may not have all of the above options available. Clicking the voting link for an item should automatically apply the change. This may require you to log in to the WebUI to register the vote, but if a window opens to acknowledge the vote without asking you to log in, you can simply ignore it.

You can click on the Subject of the message to be shown its contents in the WebUI if you are able to log in. See the next section for advanced tools.

From the WebUI

The pending messages in your quarantine will be immediately visible from the Home page as well as being categorized and searchable from the Quarantine page. The messages visible on the Home page are messages that were deemed to be suspicious, but not egregiously so, and are pulled from the more detailed Quarantine->Pending. You can also select the Spam, Non-Spam or All pages from the Quarantine menu to see messages that have already been (manually or automatically) rejected or (only manually) accepted. Mail that initially scored below the quarantine threshold is not stored in the WebUI unless you have the Archive available.

From Home, Quarantine, or the individual incident pages there will be a drop-down menu or series of radio buttons that will let you accept or reject any of the trapped messages (except those that have already been resolved; only admins can re-open incidents by default). From Home or Quarantine you will need to click Submit Changes before these will take effect. With drop-down menus you may additionally have Always-Accept or Block options for the sender and/or domain.

See Why a Message Was Trapped

From either the Home or Quarantine section you will be able to click on the subject of messages to see the body contents. You can then click on See Incident Details at the top of the page (or the Date column from the list view) to get detailed information on how the message scored. It is helpful to note the Incident ID if you are going to seek help from an admin (IDs are case-sensitive).

At the bottom of the incident page is a list of all of the rules that were triggered by the message. The most common reason a message is blocked will be if it triggered the Bayes statistical analysis. This is the probability that it is spam based on content analysis and is represented by the list of coloured words at the very bottom. The overall likelihood is listed next to the spam score as a percentage.

Many other tests may be listed above this in a form like:

# RULE_NAME      Human-readable description of rule

The value assigned by each rule can be overridden if you have access to Rules->Score Overrides, or by addressing the rule's specific page.
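As an added worked example of how the incident page's rule list, the Bayes percentage and Score Overrides combine into a quarantine decision, here is a small Python model. It is example code for this article, not CanIt's scoring code: the # column of the rule list is taken to be the rule's score, and the Bayes point value, the cutoff at which Bayes adds points, the quarantine threshold (the setting the text calls S-300) and the sample rule lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the rule list shown at the bottom of an incident page,
# in the "# RULE_NAME  description" form: score, rule name, description.
INCIDENT_RULES_TEXT = """\
 2.5 HTML_ONLY         Message contains only HTML, no plain-text part
 1.2 MISSING_DATE      Message has no Date: header
 0.8 SUBJ_ALL_CAPS     Subject is entirely in capital letters
"""

# Bayes result as shown next to the spam score (constructed: 92%).
BAYES_PROBABILITY = 0.92

# Assumed settings, not CanIt defaults.
BAYES_POINTS = 2.0          # points added when Bayes is confident
BAYES_CUTOFF = 0.9          # probability at which Bayes adds those points
QUARANTINE_THRESHOLD = 5.0  # the S-300 value: total at or above this is trapped

RULE_LINE = re.compile(
    r"^\s*(?P<score>-?\d+(?:\.\d+)?)\s+(?P<name>[A-Z0-9_]+)\s+(?P<desc>.*)$"
)


@dataclass
class TriggeredRule:
    name: str
    score: float
    description: str


def parse_rule_list(text: str) -> List[TriggeredRule]:
    """Parse the triggered-rule lines; lines that do not fit the form are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append(TriggeredRule(m["name"], float(m["score"]), m["desc"].strip()))
    return rules


def total_score(rules: List[TriggeredRule], bayes_probability: float,
                overrides: Optional[Dict[str, float]] = None) -> Tuple[float, Dict[str, float]]:
    """Sum rule scores, applying any Score Overrides by rule name, plus Bayes."""
    overrides = overrides or {}
    breakdown: Dict[str, float] = {}
    total = 0.0
    for r in rules:
        score = overrides.get(r.name, r.score)  # admin override replaces the default
        breakdown[r.name] = score
        total += score
    if bayes_probability >= BAYES_CUTOFF:
        breakdown["BAYES"] = BAYES_POINTS
        total += BAYES_POINTS
    return round(total, 2), breakdown


def is_quarantined(total: float, threshold: float = QUARANTINE_THRESHOLD) -> bool:
    return total >= threshold


if __name__ == "__main__":
    rules = parse_rule_list(INCIDENT_RULES_TEXT)
    for overrides in (None, {"HTML_ONLY": 0.0}):
        total, breakdown = total_score(rules, BAYES_PROBABILITY, overrides)
        print(overrides, breakdown, total, "quarantined" if is_quarantined(total) else "delivered")
```

With the constructed numbers the message totals 6.5 and is trapped; overriding HTML_ONLY to 0 brings it to 4.0, below the threshold, which is the kind of change an administrator would make if one rule were consistently causing trouble.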

Stop Messages From Being Trapped/Let Through

We have another article discussing diagnostics for When Spam Gets Through. This covers the basics of how to find out why something that you think is spam might not have been caught and what can be done to prevent it.

What causes a message to get caught can be more complicated because CanIt has such a wide variety of rules and settings that can result in a message being trapped. As mentioned, the most common reason for a message to be trapped is content analysis using Bayesian Analysis. We at Roaring Penguin run what we call the Roaring Penguin Training Network (RPTN): a massive database consisting of the combined judgement of all of our participating members. By participating, your CanIt system benefits from millions of votes, creating a very accurate set of general rules on what the content of spam emails looks like. That being said, your organization receives a unique sub-set of all of the mail on the internet and so rules that fit the rest of the world may not fit you exactly. This is why it is important that you still train your own system, even though it has so much inherited knowledge. Your votes allow the system to recognise when content looks spammy to you, but not to others (or vice versa).

Any time that you accept a message from your quarantine, this is done automatically, teaching the system that messages which resemble the one you released are good. Likewise, if you reject a pending message it will reinforce the assumptions that the scanner made about its content and will make similar messages even more likely to be caught in the future.

If a spam has already made it to your inbox without being trapped, you will likely have the ability to vote it as spam from the CanIt footer that is generally added to the content of the email itself.

If you find that you consistently have the same types of good messages trapped or bad messages let through over an extended period, a special rule may be in order.

Rules can be created under the Rules menu in the WebUI, which may or may not be available to you as a user. For more on this, see Block and Always-Allow Rules, as well as Create Additional Rules below.

Block and Always-Allow Rules

Block and Always-Allow rules are absolute. Messages that trigger either of these will not go through any scanning. They will either be automatically discarded in the former case or automatically accepted in the latter. As such, you need to be careful with them. The exception to this is that Always-Allowed items will still be discarded if they contain viruses or will still be filtered normally if they return an SPF fail.

Blocking senders or domains is often not as useful as you might initially think. Spammers tend to generate new sender addresses for every message they send, and so you will rarely receive two spams from the same sender. Block rules are most appropriate for things like recurring newsletters and ads from e-retailers or other similar senders whose unsubscribe process is too tedious. This is discussed further in our statement on why we do not allow Bulk Blocking.

You should also use some caution when creating Always-Allow rules. Allowing an entire domain is rarely advisable, especially for common domains like gmail.com or hotmail.com. Even for individual senders, however, there is a level of danger, because spammers are capable of spoofing the address of one of your common contacts, or can infect one of their machines. If either of these is the case for a contact that you have allowed, the spam will make it through unchecked. We have another article discussing messages sent from Spoofed Addresses and the actions you can take to prevent that. More specifically, we also refuse to enforce Allow rules for your own domain and have a second article addressing that case.

If you are worried about adding absolute rules like these, see Creating Additional Rules below.

From the Inbox

Block and Always-Allow rules can be created from your inbox using the voting links in the footers added to regular mail, or from the action list in the notifications, if the admin has made these available to you.

Because blocking is often of little use, as described above, a Block entry generated in this manner is automatically given a 30 day expiry. If you would like to make a permanent Block rule, you can do so in the WebUI or request one from your administrator.

From the WebUI

By default you can create these rules proactively from the Home page of the WebUI using the Accept and Reject List box (this is available by default for all users with web access, but can be disabled as well). The links beneath this box allow you to manage and delete existing rules of each type.

You can also create these rules in response to specific incidents if you are using the pulldown lists for action selection (as opposed to radio buttons) and if your administrator allows these as an option.

The rules can also be created under Rules->Sender, Rules->Domains, and Rules->Networks (not available to users by default) for the relevant scope. You create a rule by entering the target into the text field at the top and clicking Add Rule. It will then ask you to specify what to do for that address/domain/IP, when the rule should expire (optional), and a brief description of why you created the rule (optional).

These pages, which are also where the links under the Accept and Reject List box point, allow you to view and modify existing rules. Those that were generated from the inbox or quarantine will automatically have a comment added with the Incident ID that the rule was created for. Once all of the changes are made to your liking, make sure that you click the Submit Changes button at the bottom.

Create Additional Rules

This is something that you may want to, or need to, request from your administrator. Only a limited number of rule options are available to regular Users under the Rules category.

Country Rules

Country rules can be set in Rules->Countries and they allow you to apply scores, in the same way as custom rules, specifically to messages originating from a country. It is important to note that these decisions are made based on the location of the sending server, not on top-level domains. Mail is often relayed through countries other than the one it originates from, so your points may end up being applied or missed where you might not expect.

Attachment Extensions

Rules->MIME Types allows you to create rules for types such as "application/html".

Rules->Filename Extensions can be used to manage attachments based on their extensions. CanIt will detect not only the immediate file extension, but also those of files within archives. Virus transmission is extremely common with executable Microsoft file formats such as .exe, .msi, and .bat, so these, along with the other extensions in the default list on that page, are blocked by default. You could override these with your own rules for the same extensions, but that is not advisable.

You can add your own by entering the extension without the dot in the text field at the top, clicking Add Rule, then applying an action for whitelisted (Always-Allowed) senders and a general action for all other senders. Be sure to Submit Changes when you are done. If you preface the file extension with >, CanIt will look for that extension only if it is contained within an archive (.zip, .rar, .tgz, etc.).

Other formats such as Microsoft Office documents and PDFs are common carriers of viruses, or more often contain code that downloads the virus from elsewhere when the attachment is opened. CanIt does have facilities in place to scan for viruses built into these, as well as to scan for known-bad links within them. However, if you do not anticipate needing these files via email, you may want to consider blocking them. If you do need Office files, but do not want Office files that contain either auto-running Macro functions or any Macros at all, there is a special set of rules for these in Rules->Plugins.

Many viruses are delivered in encrypted attachments, specifically .zip and Office files, with the password provided in the body of the email. Because they are encrypted, CanIt has no way to parse the contents, so instead we allow for a special set of Filename Extension rules with a suffix of .encrypted. For example, an entry for zip.encrypted applies to encrypted zip archives, but not to unencrypted ones.
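The following is an added example, not CanIt's own code, that models how the Filename Extension rules described above resolve for a message: each extension rule carries one action for Always-Allowed senders and one for everyone else, a ">" prefix restricts the rule to files found inside an archive, and a ".encrypted" suffix restricts it to password-protected containers whose contents cannot be inspected. The rule table, the action names ("reject", "hold", "scan", "accept"), the match precedence (encrypted suffix, then archive prefix, then plain extension) and the sample zip archive are all assumptions made for the illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Hypothetical rule table keyed the way extensions are typed into the WebUI
# (no leading dot). Value = (action for Always-Allowed senders, action for
# all other senders). Action names are assumptions for this example.
RULES = {
    "exe": ("reject", "reject"),       # blocked for everyone, allowed or not
    "bat": ("reject", "reject"),
    ">js": ("accept", "hold"),         # only when the .js is inside an archive
    "zip.encrypted": ("hold", "reject"),  # only password-protected zips
    "docm": ("hold", "reject"),
}
DEFAULT_ACTION = "scan"   # no extension rule: fall through to normal scanning
RANK = {"reject": 3, "hold": 2, "scan": 1, "accept": 0}


@dataclass
class Attachment:
    name: str
    inside_archive: bool = False   # file was found within a .zip etc.
    encrypted: bool = False        # container is password-protected


def extension(name):
    """Last dotted component, lower-cased: 'invoice.pdf.exe' -> 'exe'."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def matching_rule(att):
    """Return the rule key that applies, trying the most specific form first."""
    ext = extension(att.name)
    candidates = []
    if att.encrypted:
        candidates.append(ext + ".encrypted")
    if att.inside_archive:
        candidates.append(">" + ext)
    candidates.append(ext)
    for key in candidates:
        if key in RULES:
            return key
    return None


def action_for(att, sender_allowed):
    key = matching_rule(att)
    if key is None:
        return DEFAULT_ACTION
    allowed_action, general_action = RULES[key]
    return allowed_action if sender_allowed else general_action


def expand_archive(name, data):
    """Yield the zip itself plus each member, so inner extensions get checked.

    An encrypted zip yields only the container: its contents cannot be read,
    which is exactly the case the .encrypted rules exist for.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # Bit 0 of the general-purpose flag marks traditional PKWARE encryption.
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    yield Attachment(name, encrypted=encrypted)
    if not encrypted:
        for info in infos:
            yield Attachment(info.filename, inside_archive=True)


def decide_message(attachments, sender_allowed):
    """Most restrictive per-attachment verdict wins for the whole message."""
    verdicts = [action_for(a, sender_allowed) for a in attachments]
    return max(verdicts, key=RANK.__getitem__)


def build_sample_zip():
    """Constructed sample: an unencrypted zip hiding a double-extension .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ-not-really-a-program")
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    atts = list(expand_archive("stuff.zip", build_sample_zip()))
    for a in atts:
        print(a.name, "->", action_for(a, sender_allowed=False))
    print("message verdict:", decide_message(atts, sender_allowed=False))
```

Note that the ".exe" nested inside "stuff.zip" is caught by the plain "exe" rule even though no ">exe" rule exists, while "payload.js" is only held when it arrives inside an archive; an encrypted zip matches "zip.encrypted" and a plain one matches nothing and is simply scanned.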

Custom Rules

The most flexible and powerful rules in CanIt are Custom Rules. These let you match on a wide variety of aspects of a message, including the Header content, the Body content and many other fields. You can create arbitrary rules for words, phrases and even pattern matching with regular expressions (note the Regular Expression Tester at the top of the page) and add or subtract your desired number of points when they are triggered. The main page has a box to quickly create single clause rules, but the Add an Advanced Rule link, or selecting the ID of an existing rule, allows more fields to be searched and the use of logic operators such as AND and OR to match multiple criteria.

These rules allow you to do simple tasks, like blocking all messages that contain certain words in the body, as well as more complex ones, like adding extra score when multiple low-scoring tests are hit, or taking anti-spoofing measures.

These rules also accept a negative score, allowing you to trim a number of points off a message if it matches good criteria. This lets you effectively Allow a specific sender by removing 5 or so points, while still catching anything from their address that is egregiously spammy. It also lets you accept messages that frequently score high because of poor standards compliance or other predictable behaviour; for example, many scan/fax-to-email features on network-enabled printers get blocked because their messages are poorly crafted, so trimming off score based on the IP address, subject, attachment type, etc. can help those through.
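The following is an added example, not CanIt's own code, illustrating the scoring model the last three paragraphs describe: each custom rule is a set of clauses over message fields (plain substring or regular expression), joined with AND or OR, that adds or subtracts points; the total is compared with a hold threshold. It includes a combination rule that only fires when two weak signals hit together, a negative-score rule that trims points from a printer's scan-to-email messages, and an anti-spoofing rule that penalises mail claiming to be from your own domain but relayed from outside your network. The rule syntax, field names ("subject", "body", "header:...", "relay_ip"), the threshold, the base score standing in for CanIt's other tests, the example.com / 192.0.2.10 / 203.0.113.5 identifiers and the sample messages are all constructed for the illustration.

```python
import re
from email import message_from_string

# Hypothetical rule format modelled on the Custom Rules page. "op" is how the
# clauses combine ("all" = AND, "any" = OR); "points" may be negative.
RULES = [
    {"name": "lottery-phrase", "op": "any", "points": 4.0,
     "clauses": [("body", "contains", "you have won"),
                 ("subject", "regex", r"(?i)\bprize\b")]},
    # Two weak signals that each score little alone but add up together.
    {"name": "low-scoring-combo", "op": "all", "points": 3.0,
     "clauses": [("header:X-Mailer", "regex", r"(?i)bulk"),
                 ("body", "regex", r"(?i)unsubscribe")]},
    # Negative score: let the office MFP's badly formed mail through, but only
    # from its own IP and its own subject prefix, not for anything it sends.
    {"name": "trusted-printer", "op": "all", "points": -5.0,
     "clauses": [("relay_ip", "regex", r"^192\.0\.2\.10$"),
                 ("subject", "regex", r"^Scanned from MFP")]},
    # Anti-spoofing: From claims our domain but the relay is not our network.
    {"name": "spoofed-own-domain", "op": "all", "points": 6.0,
     "clauses": [("header:From", "regex", r"@example\.com>?\s*$"),
                 ("relay_ip", "regex", r"^(?!192\.0\.2\.)")]},
]
THRESHOLD = 5.0   # assumed hold threshold for this example


def field_value(msg, relay_ip, field):
    """Pull the text a clause inspects out of the parsed message."""
    if field == "subject":
        return msg.get("Subject", "")
    if field == "body":
        # Sample messages are single-part; multipart bodies are out of scope.
        return msg.get_payload() if not msg.is_multipart() else ""
    if field == "relay_ip":
        return relay_ip
    if field.startswith("header:"):
        return msg.get(field[len("header:"):], "")
    raise ValueError("unknown field: " + field)


def clause_matches(value, operator, pattern):
    if operator == "contains":
        return pattern.lower() in value.lower()
    if operator == "regex":
        return re.search(pattern, value) is not None
    raise ValueError("unknown operator: " + operator)


def rule_hits(rule, msg, relay_ip):
    results = [clause_matches(field_value(msg, relay_ip, f), op, pat)
               for f, op, pat in rule["clauses"]]
    return all(results) if rule["op"] == "all" else any(results)


def score(raw_message, relay_ip, base_score=0.0):
    """Return (total score, names of rules that fired).

    base_score stands in for the points the scanner's other tests (Bayes,
    RBLs and so on) have already assigned; it is an input here, not computed.
    """
    msg = message_from_string(raw_message)
    total, hits = base_score, []
    for rule in RULES:
        if rule_hits(rule, msg, relay_ip):
            total += rule["points"]
            hits.append(rule["name"])
    return total, hits


def verdict(total):
    return "hold" if total >= THRESHOLD else "accept"


# Constructed sample messages.
SPAM = ("From: promo@lottery-example.net\nSubject: Your PRIZE is waiting\n"
        "X-Mailer: BulkMailer 2.1\n\n"
        "You have won! Click now. To unsubscribe, reply to this message.\n")
PRINTER = ("From: scanner@example.com\nSubject: Scanned from MFP-2ndfloor\n\n"
           "See attached scan.\n")

if __name__ == "__main__":
    print(score(SPAM, "203.0.113.5"))                       # both spam rules fire
    print(score(PRINTER, "192.0.2.10", base_score=6.0))     # printer trimmed below threshold
    print(score(PRINTER, "203.0.113.5", base_score=6.0))    # same From, outside relay: spoof
```

The printer message starts at 6.0 from the other tests (the "poorly crafted" case in the text) and would be held; the trusted-printer rule brings it to 1.0 only when it really comes from 192.0.2.10, so the same From address relayed from elsewhere instead gains the anti-spoofing points.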

Some of these rules can be tricky to manage and you should not hesitate to consult an administrator before trying to make rules of your own.

Continue to: Common CanIt User Problems