How Does CanIt Work?

From Roaring Penguin
Revision as of 14:06, 22 July 2015 by JohnMertz (talk | contribs) (Quick Start Guide for CanIt End-Users: How Does CanIT Work?)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Main article: Quick Start Guide

CanIt has a complex set of rules and permissions that allow for very fine-tuned control over the processing of mail. This sub-article discusses the main concepts in how this is done.

Please Note

The options within this guide may or not apply to you, depending on your version of CanIt and how it has been set up by the e-mail administrator. If you can't find something as described but think that you need it, consult your administrator; there may be a reason that you don't have it.


When mail arrives, CanIt will look up the address and find a set of rules. The most important set of rules are derived from the "stream" that has been assigned to that address. The stream also tells the system who should receive mail for that address. Usually this will mean the one email address that corresponds directly the stream, but it is also possible for the stream to do something different.

Distribution Groups

This allows for multiple email addresses to be associated with a single stream, so that copy of all messages sent to a stream will be delivered to each of the associated addresses. This can be useful, for example, if you and your coworkers are all associated with the stream for; even though no one user actually has that email address, mail addressed there will be sent to all of you.


Instead of one stream going to many people, streams also allow for multiple addresses to go to the same person. This allows you to be set up with multiple aliases that are able to receive mail, while only having to keep tabs on a single inbox. For example, you could be set up to use and monitor only, but you are could also receive mail for and This can also function on a domain-wide level so that will also receive mail from

Who Makes the Rules?

See diagram: Rule Inheritance

Stream Rules

Along with figuring out how tho route e-mails, streams also contain the rules a set of rules with the highest priority. You will have a varying level of control over how many rules you can adjust depending on what your administrator decides to allow. Unless your administrator decides otherwise, your stream is the only place that you will have any control. This allows you to decide to do something like blocking successfully without affecting any of your peers.

Default Stream

There will be many rules that you do not have specified in your stream, either because you have no need to, or because you are not allowed to access them, so CanIt must look further up the line to figure out what it is allowed to do.

After your stream it will look for any rules that are not yet specified in the default stream for your domain. Depending on how your administrator has things set up, this might be the only stream and you may have control over nothing, but the majority of the time this stream is used to provide rules that the admin thinks are applicable to everyone using your domain unless otherwise specified.

Higher Laws

After this, the structure may be a little bit different depending on the structure of your organization, whether your service is hosted or on-premises, and whether you are managed by a service provider or your own internal IT department. Generally speaking, CanIt will continue drawing from higher and higher up the chain until it reaches the base rules that apply system-wide. If you use our hosted solution these may be rules that apply to thousands of companies with millions of users, or it may be that you are using our CanIt-Pro product and your domain is as high as the chain goes. Regardless, this base set has all rules defined and so, by the time CanIt makes it here it has all of the information it needs to proceed.


At this point CanIt has very specific rules on what it will and won't let through and now it has to enforce them. There are a lot of things for it to check and some forms of scanning can be a lot of work for the servers running CanIt, so it tries to save itself as much trouble as possible by scanning as little as possible. It does this first by checking for certain exceptions like a whitelist that tells it to let the message through no matter what, or a blacklists that tells it to throw away the message no matter what. These are powerful tools that often only your administrator will have access to. If your administrator does allow you to use these tools, be aware of the following:

  • Spammers rarely use the same address twice, so a blacklist is not generally very effective. These rules are mostly effective for blocking junk-mail like e-retailer newsletters that always come from the same address, but which have a tedious unsubscribe process.
  • Spammers will occasionally spoof the address of trusted senders, or will propagate mail from a trusted machine which can lead to obvious spam making it through, supposedly from a legitimate sender. This is uncommon, but you need to be aware that spam can easily make it through if that person claims to be on your whitelist.

Once this is done CanIt will scan for a huge number of spam indicators, including checking for a reputable sender, checking the frequency of spammy keywords in the body of the message, checking for malicious attachments, checking to see if it was sent from where it claims to be sent from and much more. These will all attempt to limit the number of e-mails that are able to make it to the inbox.

On the other hand, CanIt also provides tools and performs checks to help save valid emails. This checks many of the same factors including senders, place of origin, keywords and so on but with the intention to keep friendly emails from being misidentified.

The combinations and specificity of these rules are endless. A stream can be set up with hundreds of rules to identify broad ranges of emails, while it also could have a single specific rule that says absolutely never accept a message from any of Billy's 3 addresses with a subject containing the word 'funny' or an attachment with the file extensions .jpg or .png.

Where Does it All Go?

After all the scanning is done the mail will have either failed an absolute rule and will have been rejected completely, or it will have been given a score. This score is a summed total of all of the different tests that it has gone through. It may have gotten 2 points for having suspicious sounding words, 1 point for using a fake email address and 3 points for originating from Tanzania, for example. This score is then compared against a few thresholds.

Your Inbox

If it is lower than the spam threshold it is passed on to your inbox. We recommend a spam threshold of 5 points and highly discourage anyone from adjusting this by more than about 0.2 points at a time. Even this much change higher will often result in a significant amount of spam getting through, since a lot of mail will only fail one test and several tests allot exactly 5 points.

Our example message scored 6 points and so it failed the spam test and will not be allowed in to your inbox. This means it will proceed to the next check.

Your Quarantine

The next threshold is a little more flexible and decides what range of scores to leave as pending in the quarantine. We have this set by default to 2000 so that there is almost never a false-positive, however, this means that most spam will end up in the quarantine as well. Many administrator will set this number somewhere around 20 and so that anything between 5 points and 20 points is deemed to be suspicious, but is not so suspicious as to be immediately rejected. It is these messages that you will generally be concerned about as a CanIt end-user.

Automatic Rejection

If the spam score had been above the quarantine threshold it would have been automatically rejected, but would face one more threshold. This is to see whether it should be completely discarded, or logged as a rejected message. If it is above this threshold there will be no trace of the message left on the system, otherwise your administrator may be able to recover it from the logs.