How email filtering works

Last updated: October 10, 2022
Audience: All UW

Protecting the University’s email is a multi-layered process in which each incoming message is analyzed several times before it reaches your mailbox. Messages that can be definitively identified as spam, phishing, or malware-laden are blocked in the infrastructure and never delivered. The remaining messages are passed on to your mailbox provider, where they may be analyzed further, before arriving in your mailbox, where you may apply additional rules and filtering of your own.

Proofpoint Enterprise Protection

To protect the University of Washington from malware and to protect you from receiving hundreds of spam messages, all incoming email is filtered by Proofpoint, one of the leading companies in email security and filtering. UW has implemented Proofpoint to provide a next-generation email security and filtering system that protects our mailboxes from spam, viruses, malware, phishing scams, and other unwanted messages.

How does email filtering work?

All incoming (and outgoing) email is filtered by the Proofpoint Protection Server. Depending on Proofpoint Protection Server rules and policies, a message that contains a virus, spam, or inappropriate content is either blocked outright or “flagged” as suspected spam. Suspected spam, together with every other message that was not blocked, is sent on to your mailbox provider, such as UW Exchange, UW Google, or a personal provider like Outlook.com, where the provider may apply additional filtering before the message reaches your mailbox. Your mailbox is the final layer of defense: there you can apply additional filtering of your own, including the option to “turn on spam filtering” by creating a rule that matches the data we add to the message headers of suspected spam.

How do we identify junk mail?

We rely on a combination of locally maintained rules and the detection system provided by Proofpoint. The detection system is regularly updated by Proofpoint to improve its effectiveness and to keep up with changes in the characteristics of junk email over time. Proofpoint relies on two key techniques for spam identification:

Reputation-Based Analysis: Attempts to stop spam or allow legitimate email by filtering out known spammers or approving trusted senders based on reputation databases. Reputation analysis looks at the domains, URLs, and IP addresses associated with each message and compares them to lists of known threats or trusted sources.

Content Analysis: Offers the ability to block an email based on the content of the message. For example, if a message contains certain words or phrases, the content filter may determine that it is spam. Likewise, if a message carries an attachment that is determined to be malicious, the message is blocked. Content analysis systems are continually updated to improve their effectiveness against the latest techniques used by bad actors to send spam and malicious content.

Spam detection is not a clear-cut process, particularly in our environment, so some messages will be misclassified. For example, you may choose to receive marketing email from a company, but that same company may also send email to people who did not opt in. This can result in its messages being flagged as suspected spam and filed in your junk-mail or spam folder, so it is important to check that folder periodically. Conversely, a message that clearly appears to be spam may have been missed by the detection and delivered to your inbox.

Viewing the spam flag on a message

When Proofpoint reviews a message, it adds lines to the message header. In most email programs this change will not be visible when you view the message, because they usually show only a few header lines, such as Date, To, From, and Subject.

If a message has been identified as suspected spam, special lines are added to the hidden headers of the message. If you would like to see the header lines containing the spam flag, you will need to have your email client display the full message headers. How that is done depends on which email client you use. Here is an example of what you might find:

X-Uwash-Spam: Gauge=XXXXX
X-UWash-Reason: SuspectedSpam

Using the suspected spam flag of a message

The “Gauge=XXXXX” value (where XXXXX stands for the score assigned to the message) denotes messages that we suspect to be spam but are not certain about. You can use either of the above headers to create a rule that files suspected spam into your junk folder.

UW Google and UW Office 365 hosted mailboxes use these ratings automatically, so there is no need to create your own rules if you have selected them as your email provider. In other systems, how you create a rule to use the suspected spam flag will entirely depend on which email service and mail client you are using.
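The following is an added example, not code from UW-IT or Proofpoint, of what such a rule does on a mail client that lets you script header matching. It assumes the two header names shown on this page, X-Uwash-Spam and X-UWash-Reason, exactly as the gateway adds them; header names are compared case-insensitively, as RFC 5322 requires, so the differing capitalisation of the two names above does not matter. The sample messages are constructed for the example. Note that a rule like this trusts whoever added the header, which is the point of applying it only to mail that has already passed through the gateway.

```python
"""Added example: a client-side rule that files messages carrying the
suspected-spam headers described on this page into a Junk folder.
Not UW's or Proofpoint's code; header names are taken from the page."""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Optional

# Header names as shown on the page (assumption: the gateway adds exactly these).
SPAM_HEADER = "X-Uwash-Spam"
REASON_HEADER = "X-UWash-Reason"


def gauge_value(msg: EmailMessage) -> Optional[str]:
    """Return the text after 'Gauge=' in X-Uwash-Spam, or None if absent/malformed."""
    value = msg.get(SPAM_HEADER)          # lookup is case-insensitive per RFC 5322
    if value is None:
        return None
    name, sep, rest = str(value).partition("=")
    if not sep or name.strip().lower() != "gauge":
        return None
    return rest.strip()


def is_suspected_spam(msg: EmailMessage) -> bool:
    """True when either flag header from the page is present.

    The reason header is the explicit verdict; the gauge header alone is also
    accepted because the page says any Gauge= value marks a suspect message.
    """
    reason = msg.get(REASON_HEADER)
    if reason is not None and str(reason).strip().lower() == "suspectedspam":
        return True
    return gauge_value(msg) is not None


def route(raw: str) -> str:
    """Decide the folder for one raw RFC 5322 message: 'Junk' or 'Inbox'."""
    msg = message_from_string(raw, policy=policy.default)
    return "Junk" if is_suspected_spam(msg) else "Inbox"


# Constructed sample messages (not real traffic).
FLAGGED = """\
From: sender@example.com
To: user@uw.edu
Subject: Limited time offer
X-Uwash-Spam: Gauge=XXXXX
X-UWash-Reason: SuspectedSpam

Buy now.
"""

# Same verdict, but the header names arrive in a different case.
FLAGGED_LOWERCASE = """\
From: sender@example.com
To: user@uw.edu
Subject: Limited time offer
x-uwash-reason: suspectedspam

Buy now.
"""

# Only the gauge header is present.
GAUGE_ONLY = """\
From: sender@example.com
To: user@uw.edu
Subject: Newsletter
X-Uwash-Spam: Gauge=XXXXX

Monthly update.
"""

CLEAN = """\
From: colleague@uw.edu
To: user@uw.edu
Subject: Meeting notes

See attached.
"""

if __name__ == "__main__":
    for label, raw in [("flagged", FLAGGED), ("lowercase", FLAGGED_LOWERCASE),
                       ("gauge-only", GAUGE_ONLY), ("clean", CLEAN)]:
        print(f"{label:10s} -> {route(raw)}")
```

Running the script files the three flagged samples into Junk and the clean one into the Inbox. In a real client the equivalent rule is simply “if header X-UWash-Reason contains SuspectedSpam, move to Junk”; the script only makes explicit that the match is on the header name and value, not on anything the sender wrote in the body.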