How Does CanIt Work?

From Roaring Penguin
Revision as of 14:50, 23 July 2015 by MCoyne (talk | contribs)

Main article: Quick Start Guide

CanIt has a complex set of rules and permissions that allow for very fine-tuned control over the processing of mail. This sub-article discusses the main concepts in how this is done.

Please Note

The options within this guide may or may not apply to you, depending on your version of CanIt and how it has been set up by the e-mail administrator. If you can't find something as described but think that you need it, consult your administrator; there may be a reason that you don't have it.


When mail arrives, CanIt will look up the address and find that it is associated with a stream. Each address usually has a unique stream unless your administrator has it configured otherwise. The stream associated with your email address contains the most important set of rules for all mail sent to you. Streams also allow for situations where addresses and inboxes do not have a one-to-one relationship.

One Address to Multiple Recipients

CanIt keeps the original receiver address intact, so if your organization is set up with user groups, each group can also be managed with its own stream. In some systems these are referred to as distribution groups and will allow you and your coworkers to all receive mail for even though no one user actually has that email address.

This functionality is also available directly through CanIt with a feature we call streaming, which will rewrite the incoming address of with a list of the streams that it should go to.

Multiple Addresses to One Recipient

Instead of one stream going to many people, multiple streams can also be set up to a single inbox. This allows you to be set up with multiple email addresses while still being able to keep tabs on a single inbox. An advantage to this over traditional aliases is that the receiving address is left intact so you can sort them by the receiving address in your mail reader. You can also apply different rules to the various addresses that you accept mail from. For example, you could be set up to use and monitor only while also receiving mail for and You could also set two of the streams to block all office memos so that only one copy ever makes it through to your inbox. This can also function on a domain-wide level so that will also receive mail from

Who Makes the Rules?

See diagram: Rule Inheritance

Stream Rules

You will have a varying level of control over how many rules you can adjust in your stream depending on what your administrator decides to allow. Unless your administrator decides otherwise, your stream is the only place that you will have any control. This allows you to decide to do something like blocking successfully without affecting any of your peers.

Default Stream

There will be many rules that you do not have specified in your stream, either because you have no need to, or because you are not allowed to access them, so CanIt must look further up the line to figure out what it is allowed to do.

After your stream it will look for any rules that are not yet specified in the default stream for your domain. Depending on how your administrator has things set up, this might be the only stream and you may have control over nothing, but the majority of the time this stream is used to provide rules that the admin thinks are applicable to everyone using your domain unless otherwise specified.

Higher Laws

After this, the structure may be a little bit different depending on the structure of your organization, whether your service is hosted or on-premises, and whether you are managed by a service provider or your own internal IT department. Generally speaking, CanIt will continue drawing from higher and higher up the chain until it reaches the base rules that apply system-wide. If you use our hosted solution these may be rules that apply to thousands of companies with millions of users, or it may be that you are using our CanIt-Pro product and your domain is as high as the chain goes. Regardless, this base set has all rules defined and so, by the time CanIt makes it here it has all of the information it needs to proceed.


At this point CanIt has very specific rules on what it will and won't let through and now it has to enforce them. There are a lot of things for it to check and some forms of scanning can be a lot of work for the servers running CanIt, so it tries to save itself as much trouble as possible by scanning as little as possible. It does this first by checking for certain exceptions like a whitelist that tells it to let the message through no matter what, or a blacklist that tells it to throw away the message no matter what. These are powerful tools that often only your administrator will have access to. If your administrator does allow you to use these tools, be aware of the following:

  • Spammers rarely use the same address twice, so a blacklist is not generally very effective. These rules are mostly effective for blocking junk-mail like e-retailer newsletters that always come from the same address, but which have a tedious unsubscribe process.
  • Spammers will occasionally spoof the address of trusted senders, or will propagate mail from a trusted machine which can lead to obvious spam making it through, supposedly from a legitimate sender. This is uncommon, but you need to be aware that spam can easily make it through if that person claims to be on your whitelist.

Once this is done CanIt will scan for a huge number of spam indicators, including checking for a reputable sender, checking the frequency of spammy keywords in the body of the message, checking for malicious attachments, checking to see if it was sent from where it claims to be sent from and much more. These will all attempt to limit the number of e-mails that are able to make it to the inbox.

On the other hand, CanIt also provides tools and performs checks to help save valid emails. This checks many of the same factors including senders, place of origin, keywords and so on but with the intention to keep friendly emails from being misidentified.

The combinations and specificity of these rules are endless. A stream can be set up with hundreds of rules to identify broad ranges of emails, while it also could have a single specific rule that says absolutely never accept a message from any of Billy's 3 addresses with a subject containing the word 'funny' or an attachment with the file extensions .jpg or .png.

Where Does it All Go?

After all the scanning is done the mail will have either failed an absolute rule and will have been rejected completely, or it will have been given a score. This score is a summed total of all of the different tests that it has gone through. It may have gotten 2 points for having suspicious sounding words, 1 point for using a fake email address and 3 points for originating from Tanzania, for example. This score is then compared against a few thresholds.

Your Inbox

If it is lower than the spam threshold it is passed on to your inbox. We recommend a spam threshold of 5 points and highly discourage anyone from adjusting this by more than about 0.2 points at a time. Even raising it by this much will often result in a significant amount of spam getting through, since a lot of mail will only fail one test and several tests allot exactly 5 points.

Our example message scored 6 points and so it failed the spam test and will not be allowed in to your inbox. This means it will proceed to the next check.

Your Pending Messages

The next threshold is a little more flexible and decides what range of scores to leave as pending in the quarantine. We have this set by default to 2000 so that there is almost never a false positive; however, this means that most spam will end up as pending messages as well. Many administrators will set this number somewhere around 20 so that anything between 5 points and 20 points is deemed to be suspicious, but is not so suspicious as to be immediately rejected. It is these messages that you will generally be concerned about as a CanIt end-user.

Automatic Rejection

If the spam score had been above the quarantine threshold it would have been automatically rejected, but would face one more threshold to see if it should be kept. If it is above this last threshold the message will be deleted and the only trace of it will be some log entries about it coming in that your administrator may be able to find if given a good description.
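
The rule lookup and the threshold checks described above can be modelled in a few lines. This is an added example, not CanIt's own code: the setting names, the sample addresses, the values of the last (discard) threshold and the order in which whitelist and blacklist are consulted are all assumptions made for illustration.

```python
from collections import ChainMap

# Constructed rule sets. Setting names are hypothetical, not CanIt options.
BASE = {                       # system-wide base rules: everything is defined
    "spam_threshold": 5.0,     # recommended value from the text
    "pending_threshold": 2000.0,   # default from the text
    "discard_threshold": 5000.0,   # assumed value; the page gives none
    "whitelist": frozenset(),
    "blacklist": frozenset(),
}
DEFAULT_STREAM = {"pending_threshold": 20.0, "discard_threshold": 100.0}
USER_STREAM = {"blacklist": frozenset({"news@shop.example"})}


def resolve(*levels):
    """Effective rules: the first (most specific) level that sets a rule wins."""
    return dict(ChainMap(*levels))


def disposition(sender, test_scores, rules):
    """Return where a message ends up under the resolved rules."""
    # Absolute exceptions come first so the expensive scanning can be skipped.
    # Checking the whitelist before the blacklist is an assumption.
    if sender in rules["whitelist"]:
        return "inbox"
    if sender in rules["blacklist"]:
        return "rejected"
    score = sum(test_scores)   # the score is the summed total of all tests
    if score < rules["spam_threshold"]:
        return "inbox"
    if score <= rules["pending_threshold"]:
        return "pending"
    if score <= rules["discard_threshold"]:
        return "rejected_kept"
    return "rejected_deleted"


if __name__ == "__main__":
    rules = resolve(USER_STREAM, DEFAULT_STREAM, BASE)
    # The page's example message: 2 + 1 + 3 = 6 points.
    print(disposition("someone@sender.example", [2, 1, 3], rules))
    # A message failing a single 5-point test, before and after raising
    # the spam threshold by 0.2 in the user's own stream.
    print(disposition("someone@sender.example", [5], rules))
    loosened = resolve({"spam_threshold": 5.2}, USER_STREAM, DEFAULT_STREAM, BASE)
    print(disposition("someone@sender.example", [5], loosened))
```

The last two calls show why small threshold changes matter: a message that fails exactly one 5-point test is held at a threshold of 5 but delivered at 5.2.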

Continue to: CanIt User Essentials
