ANALYSIS OF RECENT SPAM
Recent spam attacks have tended to come from multiple computers (a 'botnet attack'). 
These messages may contain very little in the body of the message, sometimes only an 
attachment. This gives very little content for HC Mailguard to use in spam scoring, and so 
it can get through to the recipient with a spam score of zero.

ICIT plans to take the following actions to modify the behavior of HC Mailguard 
(Proofpoint):

STEP ONE- Activate 'Real-time Black List' quarantine of email.
This should increase effectiveness of HC Mailguard with minimal undesired effects. Effects 
of the change:
1) Proofpoint will automatically quarantine email if sent from an IP address in an RBL list 
on the internet. Such RBL lists have been common for the past few years, and most email 
server administrators are aware of how not to be on them. RBL lists are updated 
continually by a number of different ISPs and domains. In addition, residential and home 
network IPs are typically listed as RBL IPs because home users are not supposed to be 
running mail servers.
2) RBL quarantined mail will appear in user's HC Mailguard digests and can be released. 
Safelisting will not work however, because blockage is based on the sending server's IP 
address, not the sender's email.

Should the modification have an adverse impact on legitimate email exchange, we can 
change back quickly. We will monitor for complaints sent to [log in to unmask] 
for at least a week before going to step two.

STEP TWO- Reject email coming from RBL IP's
Once we ascertain that legitimate email is categorically not coming from computers/
servers on the RBL, we can set Proofpoint to reject connection from those IPs. This will 
reduce total email incoming and reduce the size of user's HC Mailguard digests.

The date of these changes has been tentatively set for Wednesday 8/15/07