CaTS | Information Technology

Email Security


Anti-Spam Service (Proofpoint)

Unsolicited commercial email, also known as spam, has become an increasing problem at the university. To reduce the amount of time involved with managing spam, CaTS is now offering a new anti-spam service called Proofpoint, which is available to faculty, staff, students, and alumni with CaTS based email accounts (@wright.edu). Proofpoint provides the most sophisticated spam evaluation system, and has very few errors when determining whether or not a message is spam. Check out the FAQs below for more information on Proofpoint and how to use it. You can also view the document below for a quick overview of using the service.

Proofpoint User Cheat Sheet (PDF)

Frequently Asked Questions

General Questions

  • What is spam?

    Email spam, also known as unsolicited bulk email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted email messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients (Definition copied from the spam entry on wikipedia.com).

  • What is Proofpoint?

    Proofpoint is a spam blocking service that inspects all incoming messages to the university and uses rules to determine whether or not a message is spam. Once examined, legitimate messages are sent on to the recipient's inbox, while suspected spam is quarantined. Each morning, users receive an email, called the End User Digest, that contains links to each of the quarantined messages. The digest allows the user to further manage their junk email. The success rate of spam blocking is very high with Proofpoint.

  • Why Use Proofpoint?

    After evaluating numerous anti-spam products, Wright State found that Proofpoint was the most successful at blocking spam entering the university's email system. It also had the fewest errors when determining whether or not an email is spam.

  • How does Proofpoint work?

    All incoming and outgoing email is filtered by the Proofpoint Protection Server. Depending upon Proofpoint Protection Server rules and policies, messages that contain a virus or inappropriate content can either be deleted or "scored." In the case of spam, the message score indicates the probability that the message is spam. So, a message scoring 100 would have a 100% chance of being spam (definite spam) and a message scoring 0 would have 0% chance of being spam. Messages scoring high enough to probably be spam are quarantined by the system. You can find the "score" of a message under the Score column in the End User Digest.

General Usage

  • How do I access Proofpoint?

    If you want to log in to Proofpoint to change settings and view quarantined messages, follow the steps below:

    • Open your web browser (Chrome, Firefox, Internet Explorer, Safari, etc.)
    • Go to the website https://antispam.wright.edu
    • Login with your campus username and password


    Below is a screenshot of the Proofpoint login screen.

    screen capture of the proofpoint login screen

  • How do I enable Proofpoint's spam filter?

    By default, Proofpoint's spam filter is already enabled for all faculty, staff, students, and alumni.

  • Can I disable or opt out of Proofpoint's spam filter?

    Although not recommended, you can disable, or opt out of, Proofpoint's spam filter. To do so, follow these steps:

    1. Login to the Proofpoint system, located at https://antispam.wright.edu, with your campus username and password.
    2. Click on the Profile button on the left side of the screen.
    3. On the right, you'll find the My Settings area.
    4. Under the option for What type of spam detection do you want? choose the Opt out of spam filtering option.
    5. Click the Save button at the bottom to save your changes.
  • Can I choose what happens to my mail?

    Yes, you can! The Proofpoint system has various ways that allow you to choose what to do with the spam that comes to your account. Below is a screenshot of the My Settings screen (accessed after you login to the spam filter at https://antispam.wright.edu). The screen shows six ways you can select to choose what happens to your mail. Below the screenshot, each option is explained.

    screen capture of the my setting screen

    • Default - This is the Proofpoint default spam policy that comes pre-configured.
    • Opt out of spam filtering deliver all messages. - Choose this option if you want all spam messages delivered to your inbox, without any option of quarantines.
    • Discard definite spam (messages scoring 100 points) - Choose this option if you want Proofpoint to automatically discard any messages it marks with a 100 point score (see "How does Proofpoint work?" above for an explanation of scores).
    • Quarantine disabled. Add SPAM tags to subject line. - Choose this option if you want all spam delivered to your inbox, but still be tagged. Your messages will be tagged with either "Spam", "Phish", or "Adult" in the subject line.
    • Vacation Policy. Spam quarantined for 4 weeks. - If you like to view what spam has been quarantined in your inbox, but you're going to be away for more than 2 weeks, choose this option so that all spam will be quarantined and left alone for 4 weeks, instead of the normal 2 weeks.
    • Global Spam Policy - This is another default option that WSU faculty, students, staff, and alumni may choose. You may also choose the "Default" option, which provides the same amount of spam protection.

     

End User Digest

  • What is an End User Digest?

    An End User Digest is a summary e-mail that you receive daily from the Proofpoint server. The digest contains a listing of the suspected spam that has been filtered from your account in the previous 24 hours. After review, you can delete the digest just like any other email. Messages left in quarantine will be deleted automatically by Proofpoint after 14 days. See the screenshot below for a sample End User Digest.

    screen capture of the end user digest screen

  • Can I disable digest messages?

    Yes, digest messages can be disabled. Your daily digest email contains a link called Manage My Account. Click this link, and then select the Settings button on the left side. You will now be on the My Settings page. To disable the digest only when there are no spam messages in your quarantine, uncheck the box at the top for Send digest even when I have no messages in my End User Digest. To disable the digest even when you have messages in your quarantine, uncheck the box at the top for Send digest with new messages in End User Digest.

  • Can I request a digest at any time?

    You can request a digest at any time by clicking the link for Request New End User Digest within your current End User Digest email. A new digest will be sent to your email address, showing any new messages that have been quarantined since your last digest was sent.

  • How often is the digest delivered?

    The End User Digest is delivered to your email inbox at 7 a.m. each morning.

  • Why didn't I receive a digest today?

    If Proofpoint does not block or find any spam messages for your inbox within a 24 hour period, you will not receive an End User Digest.

Lists

  • What are safelists and blocklists?

    Safelists are lists of email addresses (usually defined by the user) that tell the anti-spam system to deliver any message that comes from those particular addresses directly to the user's inbox. Blocklists are lists of email addresses (usually defined by the user) that tell the anti-spam system to quarantine any message that comes from those particular addresses.

  • How do I add or remove addresses to/from a safelist?

    To add a sender to a safelist, follow these steps:

    1. Login to the Proofpoint system, located at https://antispam.wright.edu, with your campus username and password.
    2. Click on the Lists button on the bottom left side of the screen.
    3. Click on the Safe Senders List on the left side.
    4. On the right side, at the very top, click the New button.
    5. In the box, type in the sender's address, or, if you'd like to make an entire domain safe, type in the domain in the format of "@domain.com." See the screenshot below.
    6. Click the Save button.

    screen capture of the safe senders list screen

  • How do I add or remove addresses to/from a blocklist?

    To add a sender to a blocklist, follow these steps:

    1. Login to the Proofpoint system, located at https://antispam.wright.edu, with your campus username and password.
    2. Click on the Lists button on the bottom left side of the screen.
    3. Click on the Blocked Senders List on the left side.
    4. On the right side, at the very top, click the New button.
    5. In the box, type in the sender's address, or, if you'd like to block addresses from an entire domain, type in the domain in the format of "@domain.com." See the screenshot below.
    6. Click the Save button.

    screen capture of the blocked senders list screen

Managing Your Account

  • What features are available to manage my account?

    Within the End User Digest email, there are links available that let you quickly access other features of your account. These options, listed above and to the right of the message listings, are described below.

    • Request New End User Digest - This option allows you to request an updated version of your End User Digest, which will list any new messages that have been placed in the Quarantine since your last Digest was sent.
    • Request Safe/Blocked Senders List - This option allows you to request a listing of senders on your Safe and Block lists. The Proofpoint server will send this listing via email.
    • Manage My Account - This option provides you with a quick link to the Proofpoint server for managing your account profile, lists, and other options.
  • Why do I have to login to Proofpoint when clicking a link from within my End User Digest email?

    Although the End User Digest shows the messages that are in your quarantine, the email is not directly connected to your quarantine area on the Proofpoint server. For security reasons, you must still log on to the Proofpoint server when going to it from the End User Digest.

Managing the Spam Filter

  • What do I need to do to monitor spam using Proofpoint?

    Generally, there isn't much that you'll need to do to monitor spam filtering through Proofpoint. By default, spam filtering is turned on, and predefined levels are already set. However, you can do a few things to make sure you stay on top of what Proofpoint is filtering as spam.

    1. Open the End User Digest e-mail that you receive each day and review the listing of messages that were marked as spam.
    2. If any messages you find are not spam, click the Release or Safelist links to release the message to your inbox, and if applicable, add the sender to your safelist.
    3. If all messages are spam, you can simply delete the End User Digest email.
  • Can I block foreign languages?

    You cannot block foreign languages. The Proofpoint system uses a large number of variables to determine whether a message is spam, and these variables are far more effective than simply blocking foreign languages.

  • How do I unjunk a message that isn't spam?

    When you receive a copy of your End User Digest, and find that there is a message marked as spam that you would like to unjunk, you can do so by using the tools listed beside each message. These tools are described below.

    • View link - The View link allows you to open the email from within the Proofpoint server so that it can be safely read. You can then determine whether or not the message is spam.
    • Release link - The Release link releases the email from the Proofpoint quarantine and delivers it to your inbox.
    • Safelist link - The Safelist link releases the email into your inbox and places the sender on a safelist so that subsequent emails from the sender arrive in your inbox.
    • Not Spam link - The Not Spam link releases the email into your inbox and sends a notification to Proofpoint indicating that the email was not spam. Future messages that are similar to it will not be filtered as spam.

Quarantine

  • What is the Quarantine?

    The Quarantine is a location on the Proofpoint server where email messages that are suspected to be spam are stored temporarily so that they can be reviewed and retrieved, if necessary, by the user. You may review and take action on your quarantined email through the End User Digest, or through the Quarantine option located on the left side of the screen after logging into the Proofpoint Server. Messages left in the Quarantine will be deleted automatically after 14 days.

  • Do quarantined messages count against my quota?

    Quarantined messages do not count toward your e-mail quota. They are stored separately on the WSU Proofpoint server.

  • How do I delete messages from my quarantine or digest?

    There is no need to delete messages that have been quarantined, since the Proofpoint system automatically deletes them after 14 days.

 

Email Scan Alerts (Phishing)

Points to Remember

  • CaTS will never ask you for your account information (username or password) in an email.
  • If an email is difficult to read (poor grammar or wording), it is most likely a scam.
  • If you receive an email about a problem with your account, do not click on any links or provide your username and password. Go directly to the site and log in.
  • Do not follow any link in an email coming from an unknown source.
  • Banks, credit unions, and other financial institutions will never ask for your account information in an email.

Recently there has been a large number of phishing attempts targeting Wright State University students, faculty, and staff. These attempts appear in the form of an email sent to a university inbox that tries to get the user to "verify account information" by sending their CAMPUS username and password in an email, or by clicking on a link within the email.

CaTS has developed this page to provide you with tips on how to keep your information safe from phishing attempts, and to alert you to any attempts you may see in your inbox. Please take a moment to review the "Points to Remember" section above for tips on how to protect your account information. Then, review the examples below showing the many recent scams targeting Wright State. If you receive an email that looks like any of these, do not reply to it or click on any of the links in the message.

If you have reviewed the information on this webpage and are still unsure as to the authenticity of an email you have received, please do not hesitate to contact the Help Desk at 937-775-4827 or 1-888-775-4827, or by email at helpdesk@wright.edu. We will help in any way we can to validate the email you've received.

Email Bombing/Flooding

Recently CaTS has noticed an increase in Wright State members who are targets of an IT security incident called 'email bombing'.

What is email bombing?

Email bombing is when an attacker registers your email address with hundreds or thousands of mailing lists.

Why was I targeted for email bombing?

The most likely reason someone is doing this to you is that they are trying to hack your account or overwhelm your inbox with messages so that you don't notice an important email about fraudulent activity. People who deal with financial data are more commonly targeted.

A lot of the emails I am getting have an unsubscribe button. Should I click it?

In general, we don't recommend trying to unsubscribe from mailing lists. Most reputable services that do mailings won't email more than once unless you have confirmed your subscription. Less reputable services may unsubscribe you, but then sell your address to other services.

Can CaTS, Microsoft, or Google block these emails from being sent to me?

Unfortunately this is difficult because the attacker is not directly emailing you. Instead, the attacker is likely using a bot network of hundreds/thousands of IP addresses that are browsing to legitimate websites, entering your email address, and signing you up to receive a newsletter. Some people want to receive some of these newsletters so we cannot globally block them. We cannot block the emails based on the sender's IP address because they are coming from a legitimate newsletter website. We can block the emails based on keywords in the sender address, subject, or body of the email but we run the risk of blocking legitimate emails if we get the filters wrong.

Can I set up an email filter for these messages?

Below is an example of an Office 365 Inbox Rule that can be applied to your Wright State email during, and after, an email bombing attack:

During an Email Bombing Attack

During the attack, you can set up a filter in Office 365 to move all emails sent from a specific address or domain to a single folder, such as an 'External Mail' folder. This will keep your main Inbox free of these messages until the initial attack subsides:

  1. Log in to outlook.wright.edu using your Campus 'w' username and password
  2. Click on the gear icon in the top righthand corner, and click View all Outlook settings at the bottom of the menu
  3. Click on Mail > Rules > Add new rule
  4. Enter a name for the rule (ex.: Permit message to inbox) and set the condition to Apply to all messages
  5. Set the action to Move to, and then select the folder you would like the spam messages to be filtered into
  6. Add an exception to this rule to prevent 'legitimate' emails from being filtered; CaTS recommends filtering by the sender domain, such as @wright.edu
  7. Click Save
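
The rule from steps 4 to 6, written out as an added Python example (not CaTS or Microsoft code): it files each message by its parsed sender domain and, going one step beyond the page's rule, separates mailing-list traffic from the non-list messages a flood is meant to hide. The folder name and trusted domain come from the text above; the sample messages, the function names and the use of List-* headers to recognise list mail are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"wright.edu"}   # the exception from step 6
FLOOD_FOLDER = "External Mail"     # folder named in the text above

# Constructed sample messages (headers only); none of this is real mail.
RAW_MESSAGES = [
    "From: Help Desk <helpdesk@wright.edu>\nSubject: Ticket update\n\n",
    "From: Deals <news@shop.example.test>\nSubject: Welcome to our newsletter\n"
    "List-Unsubscribe: <https://shop.example.test/u>\n\n",
    # Display name mentions a campus address; the real sender is external.
    'From: "helpdesk@wright.edu" <signup@lists.example.test>\n'
    "Subject: Confirm your subscription\nList-Id: <weekly.lists.example.test>\n\n",
    "From: Card Services <alerts@bank.example.test>\n"
    "Subject: Unusual purchase on your card\n\n",
]


def sender_domain(msg):
    """Domain of the parsed From address, ignoring the display name."""
    address = parseaddr(msg.get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def folder_for(msg):
    """The page's rule: move every message unless the sender domain is trusted."""
    return "Inbox" if sender_domain(msg) in TRUSTED_DOMAINS else FLOOD_FOLDER


def is_list_mail(msg):
    """Mailing-list traffic normally carries List-* headers (RFC 2369 / RFC 2919)."""
    return "List-Unsubscribe" in msg or "List-Id" in msg


def triage(raw_messages):
    """Sort subjects into Inbox, list mail, and non-list mail to read first."""
    result = {"Inbox": [], "review_first": [], "list_mail": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        if folder_for(msg) == "Inbox":
            result["Inbox"].append(subject)
        elif is_list_mail(msg):
            result["list_mail"].append(subject)
        else:
            # Not list mail: the kind of message a flood is meant to bury.
            result["review_first"].append(subject)
    return result


if __name__ == "__main__":
    for bucket, subjects in triage(RAW_MESSAGES).items():
        print(f"{bucket:13} {subjects}")
```

A message in `review_first` is only one worth reading early, not one that has been verified; check it by going directly to the site rather than following its links.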

After an Email Bombing Attack

Once the initial attack begins to subside, CaTS recommends disabling the Office 365 filter and using the Block Sender functionality to address any additional messages you may receive. 

Disabling a Filter in Office 365

  1. Log in to outlook.wright.edu using your Campus 'w' username and password
  2. Click on the gear icon in the top righthand corner, and click View all Outlook settings at the bottom of the menu
  3. Click on Mail > Rules
  4. Click on the radio button next to the rule you want to disable, and click Save

Block a Sender in Office 365

  1. Log in to outlook.wright.edu using your Campus 'w' username and password
  2. Right-click on the spam message in your Inbox, and select Block > Block sender

Targeted Attack Protection

CaTS has implemented an email protection program from Proofpoint called Targeted Attack Protection (TAP). TAP helps protect against emails that contain malicious URLs and attachments, and has been implemented as an enhancement to our existing spam filtering service.

TAP URL Defense

With TAP, all URLs in an email message are rewritten as "proofpoint.com" addresses. When a user clicks a URL in an email message, the URL is redirected to Proofpoint's URL validation service. If the URL is not known to be malicious, the user will be redirected to the original URL. If the URL is malicious, the user will see a warning message and the site is blocked in the browser.

When a malicious URL is clicked on, the image below will appear: 

screen capture of the web site has been blocked pop up

If you click a URL and believe that the site is being blocked in error, call the CaTS Help Desk at 937-775-4827, or email helpdesk@wright.edu. The blocked URL will then be investigated further.
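
To see where a rewritten link points without clicking it, the encoded destination can be decoded offline, as in this added Python example (not Proofpoint's or CaTS's code). It assumes the v2 `urldefense.proofpoint.com/v2/url?u=...` link layout, which this page does not spell out; the sample message body and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption (not stated on the page): rewritten links use the v2 layout
#   https://urldefense.proofpoint.com/v2/url?u=<encoded>&d=...&c=...&e=
# Inside u=, "-XX" is a hex-escaped character and "_" stands for "/".
REWRITE_HOST = "urldefense.proofpoint.com"
REWRITTEN_LINK = re.compile(r"https://urldefense\.proofpoint\.com/v2/url\?[^\s\"'<>]+")

# Constructed sample message body; the d/c/r/m/s values are placeholders.
SAMPLE_BODY = (
    "Your mailbox is almost full. Verify here: "
    "https://urldefense.proofpoint.com/v2/url?u=http-3A__mail-2Dupdate.example.test"
    "_verify-5Faccount-3Fid-3D42&d=PLACEHOLDER&c=PLACEHOLDER&r=PLACEHOLDER"
    "&m=PLACEHOLDER&s=PLACEHOLDER&e= and see "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.wright.edu_"
    "&amp;d=PLACEHOLDER&amp;e= for details."
)


def decode_urldefense_v2(link):
    """Recover the original destination of a rewritten link without visiting it."""
    parts = urlsplit(html.unescape(link))  # HTML bodies carry "&amp;" separators
    if parts.hostname != REWRITE_HOST or not parts.path.startswith("/v2/"):
        raise ValueError("not a v2 URL Defense link")
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        raise ValueError("rewritten link has no u= parameter")
    # Undo the substitutions, then decode the resulting percent-escapes once.
    return unquote(encoded.replace("-", "%").replace("_", "/"))


def original_links(body):
    """Return (original URL, destination host) for every rewritten link in a body."""
    found = []
    for match in REWRITTEN_LINK.finditer(body):
        original = decode_urldefense_v2(match.group(0))
        found.append((original, urlsplit(original).hostname))
    return found


if __name__ == "__main__":
    for url, host in original_links(SAMPLE_BODY):
        print(f"{host:28} {url}")
```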

TAP Attachment Defense

Along with TAP URL defense, CaTS has now implemented TAP Attachment Defense from Proofpoint. This system detects an email that contains a malicious attachment and strips the attachment to prevent phishing and targeted malware attacks. If you receive an email containing an infected attachment, Proofpoint will filter out the email to protect your account from being compromised. Please be aware that while the attachment is being analyzed for malicious content, there may be a delay in delivery of a few minutes.

This enhancement to TAP is being added to our existing spam filtering service. If you have questions about TAP, call the CaTS Help Desk at 937-775-4827, or email helpdesk@wright.edu.

Email Security Alerts

Notification of Non-University Sponsored Retirement Message

Friday, January 6, 2023

The CaTS Help Desk was recently made aware that yesterday afternoon a large number of Wright State faculty, staff, and students received an email from an Alexa Brown at Retirement Expert with a subject line of ‘Retirement And Pension Meetings for Wright State University Employees’ indicating eligibility to receive a free consultation for retirement benefits. Please be aware that this message originated from a third-party organization that is NOT affiliated with Wright State University.

Important Information Regarding 'Email Bombing'

Tuesday, January 3, 2023


Quarterly Security Update: Fall 2022

Monday, November 14, 2022

Quarterly Security Update: Two-Factor Authentication Exploits