How Does CanIt Work?
- Main article: Quick Start Guide
CanIt has a complex set of rules and settings that allow for very fine-tuned control over the processing of mail. This sub-article discusses the main concepts in how this is done.
The options within this guide may or not apply to you, depending on your version of CanIt and how it has been set up by the e-mail administrator. If you can't find something as described but think that you need it, consult your administrator; there may be a reason that you don't have it.
What is a Stream?
When mail arrives, CanIt will look up the address and find that it is associated with a stream. Each addresses usually has a unique stream unless your administrator has it configured otherwise. The stream associated with your email address contains the most important set of rules for all mail sent to you. Streams also allow for situations where addresses and inboxes do not have a one-to-one relationship.
One Address to Multiple Recipients
CanIt keeps the original receiver address intact and so if your organization is set up with user groups, these will generally be given their own streams and will allow for regular delivery on the back-end. In some systems these are referred to as distribution groups and will allow you and your coworkers to all receive mail for firstname.lastname@example.org even though no one user actually has that email address.
Multiple Addresses to One Recipient
Instead of one stream going to many people, multiple addresses can also be set up to a use a single stream. This allows you to use a single set of rules and settings to process mail for multiple email addresses, as well as to maintain a single quarantine that hold mail for all of them. This can be done in two ways:
- All mail can be delivered to the original recipient address (See Preferences->My Addresses in the WebUI) while sharing the same stream.
- Mail for secondary addresses can be rewritten to the primary address and will be delivered there instead (See Preferences->Aliases in the WebUI).
An administrator can also set this up to function on a domain-wide level so that email@example.com will also receive mail from firstname.lastname@example.org in either of the methods above.
Who Makes the Rules?
You will have a varying level of control over what types of rules you can create and modify depending on what your administrator decides to allow. Unless your administrator decides otherwise, your stream is the only place that you will have any control. This allows you to decide to make rules that will impact the flow of your own mail without impacting any of your co-workers. These are also the highest priority rules, so what you say will be honoured. This is also why your admin might limit what types you can use.
CanIt will also look higher up for extra rules that do not conflict with your own. These can be rules that apply to all users in your organization, all users within the entire CanIt implementation or some subset in between. Regardless of the structure, the most specific rule that you inherit from directly will always be used.
- See diagram: Rule Inheritance
At this point CanIt will have very specific rules unique to your needs that will use to determine what happens to your mail. There are a lot of things for it to check and some forms of scanning can be a lot of work for the servers running CanIt, so it tries to save itself as much trouble as possible by only scanning what it has to. It does this first by checking for certain exceptions like a whitelist that tells it to let the message through no matter what, or a blacklists that tells it to throw away the message no matter what. These are powerful tools that often only your administrator will have access to. If your administrator does allow you to use these tools, be aware of the following:
- Spammers rarely use the same address twice, so a blacklist is not generally very effective. These rules are mostly effective for blocking junk-mail such as e-retailer newsletters that always come from the same address, but which have a tedious unsubscribe process.
- Spammers will occasionally spoof the address of trusted senders, or will propagate mail from an infected machine that may belong to a trusted sender which can lead to obvious spam making it through due to a whitelist.
It will then scan for things like viruses and other indicator that will disqualify the message immediately.
It will then go through a large number of other tests looking at all aspects of the header, body and attachments in the message. This includes content analysis, links, keywords, sending machines, sending domains, file types (including those in archives), Microsoft Office Macros, scripts inside PDFs, machine authenticity techniques (SPF, DKIM and DMARC), reverse DNS records, and various other characteristics.
Where Does it All Go?
After all the scanning is done the mail will have done one of 3 things:
- Failed an absolute rule and will have been rejected (or discarded)
- Passed an absolute rule and will have skipped all other checks and been delivered.
- It will have been given a score indicating how spammy CanIt thinks the message looks.
In the third case, CanIt then uses 3 thresholds to determine where the message should go based on that score.
If it is lower than the quarantine threshold (S-300) it is passed on to your inbox. We recommend a spam threshold of 5 points and highly discourage anyone from adjusting this by more than about 0.2 points at a time. Even this much change higher will often result in a significant amount of spam getting through, since a lot of mail will only fail one test and several tests allot exactly 5 points.
Your Pending Messages
If it is higher than the quarantine threshold then it will be compared to the reject threshold (S-100). If it is lower than this threshold then it will be held in the pending quarantine. It is these messages that you will generally be concerned about as a CanIt end-user. You may receive regular reports alerting you to these trapped messages or may have access to them in the WebUI. It is also possible that you map never see these messages and that you administrator may monitor this list for you.
If it is higher than the reject threshold it is then compared to the discard threshold (S-200). If it is lower than this threshold then it will be put into the Spam quarantine (Quarantine->Spam in the WebUI). You will generally not notice these messages unless you have access to the WebUI and you specifically go looking for them. They will not show up in notifications but are still recoverable if necessary.
If it is higher than the discard threshold it will be tossed out and there will not be recoverable. The only thing that remains of it is a log entry so that an administrator can find out what happened to it if necessary.
- Continue to: CanIt User Essentials