Proofpoint Improves Spam Filtering
Spam, malware, and phishing emails reduce productivity and pose an active threat to your privacy, computing devices, and data. University IT's email and security teams work diligently to prevent such messages from reaching your inbox. To that end, we are pleased to announce that we recently transitioned to an improved email filtering system called Proofpoint. This was done in response to the rapidly increasing volume of spam messages that were passing through our email system uncaught. Proofpoint comes highly recommended from Stanford's peer institutions, and it is known for being exceptionally accurate.
The Proofpoint deployment for inbound email began August 28, 2014 and was completed during the first week of September. We will continue tuning the system in earnest for the next couple of months. As email is a critical communication medium, blocking legitimate messages (i.e., "false positives") can be far worse than failing to block spam (i.e., "false negatives"). With this in mind, we are currently only dropping incoming messages scoring at the 100% spam confidence level. Based on guidance from the vendor, we may reduce that to 99% once we have sufficient data to justify it, but probably no further. Those messages scoring in the 50-99% confidence range will be delivered, but with modified subject lines [SPAM:####] that cause them to be automatically sent to your "Junk" folder.
For those who are interested, you can view the full headers of an email message to find the "X-Proofpoint-Spam-Details" header which indicates how Proofpoint scored the message in various categories. To display the full headers in Zimbra, right click on the message in the message list, then select "Show Original." To do the same in Gmail, click on the downward facing arrow at the top right-hand corner of the message and select "Show original."
The Proofpoint solution provides additional features that will be tested in the coming months, including URL re-writing, URL sand-boxing, and attachment sand-boxing. URL re-writing modifies the links in email messages in order to instantly block access to sites that are determined to contain malicious content. The URL and attachment sand-boxing features proactively check web sites and attachments in a controlled environment to identify any malicious content before it reaches your inbox.
Proofpoint also plays an important role in blocking spam sent from compromised Stanford accounts. Commandeered SUNet accounts are frequently used to distribute spam, which can result in Stanford's outgoing email service being "blocklisted." Once blocklisted, legitimate email sent to addresses outside of Stanford may be blocked, and removing ourselves from the blocklist can be a lengthy process. Proofpoint is currently being integrated into the outgoing email flow, replacing the prior anti-spam system.
For advice on detecting phishing messages, please see: