FAQ

Why did I receive a "[SUSPICIOUS MESSAGE]" email?

Inbound phishing message attempts have reached epidemic proportions on campus.  In an effort to raise user awareness about these and other threats, a new filter has been implemented on the IronPorts.  When a message arrives it will be interrogated, and if the content appears to contain threats as identified by the Cisco IronPort appliance, the following actions will be taken:

  • The message will be quarantined for no longer than four hours (this gives time for the appliance signature files to be updated)
  • The subject line is prepended with the phrase [SUSPICIOUS MESSAGE]
  • The body of the message is prepended with 
    • Text warning the users that the message may be a potential threat
    • If a URL is present, it will be prepended with a Cisco link, asking if the user trusts the site (see examples below)

It is important to note that the new filtering may identify messages that users may consider being legitimate, e.g., all financial messages with URLs will be flagged as suspicious.  Again, this is to raise user awareness that they should not arbitrarily click on links and divulge confidential information such as user account information or any other confidential personal or university information.

Exhibit A:  Valid message trapped as phishing.  Warning user to only take action if they can verify its integrity:

IronPort Suspicious Message

Exhibit B:  What user is presented after clicking on the URL link:

IronPort Suspicious Message

Why did I receive an "IronPort Spam Quarantine Notification" email?

The reason you received an IronPort Spam Quarantine Notification message is because the UMB Campus anti-SPAM filter has received an email addressed to you, and it suspects that the message may be SPAM email. 

The purpose of this system is to reduce the amount of unsolicited SPAM received in your Inbox.  Please follow the link in the notification email message to review the email messages quarantined by IronPort.  At times legitimate email messages may be quarantined.  Users have the ability to release these messages from quarantine and add the sender to a Safelist.

Why am I receiving multiple IronPort quarantine notification emails?

The IronPort system will generate a quarantine folder for each email address that receives SPAM email.  

Even though you may use a primary address such as auser001@umaryland.edu, you may also have a secondary address such as auser@school.umaryland.edu that delivers email to the same inbox.  You may also be part of an email distribution list that has received SPAM or potential SPAM email. 

When you access the email quarantine, check the upper-right corner of the page to see which email address IronPort is quarantining messages from.

I received a Quarantine Notification message, but when I checked the quarantine, it was blank. What happened to the messages that were quarantined?

It is possible that IronPort quarantined an email message sent to a distribution list.  The corresponding Quarantine Notification was also sent to that distribution list’s email address, which is then received by all the members of the distribution list.

When you access the email quarantine, check the upper-right corner of the page to see from which email address IronPort is quarantining messages. 

If it was sent to a distribution list, it is possible that another member in that list has already checked and either deleted or released the messages in quarantine.

How long does the IronPort system keep emails in quarantine?

14 days or until the email is released or deleted, whichever comes first.

Can I retrieve an email once it has been deleted from quarantine?

No.  Once emails have been deleted from quarantine, they cannot be retrieved.

Can I increase the number of emails or domains I can block or allow?

No.  Users are only allotted 500 entries to use in either their Safelist or Blocklist. 

We suggest mainly using these entries for your Safelist.  Spammers will often change the email address they are using to send SPAM, or spoof the email address they are using.  As a result, adding an email address to your ‘Blocklist’ may not stop future SPAM.

How do I 'turn off' IronPort scanning on my email account?

The IronPort Safelist cannot be set to allow all messages through its scan for a specific account.

The level of SPAM email filtering is set by the Email Administrators for each email domain on campus.  If you believe that the SPAM filtering level for your email domain is too strict or lenient, please contact your Email Administrator.

What should I do if I receive SPAM in my Inbox?

Occasionally, the IronPort System may not block a SPAM email message and that message will be delivered to your email Inbox.  If you receive an unsolicited email in your Inbox, first determine whether it is SPAM email or just a bulk email message from a legitimate vendor. 

If you have determined that a message is unsolicited SPAM email, send that message as an attachment to spam@umaryland.edu.  Do not forward the message or just the email headers.  The system administrators need to see the entire SPAM email in its original format. 

If you receive multiple and continuous SPAM messages from a specific email address or domain, you may want to add that email addresses to your Blocklist manually. (Instructions on how to block an email address).  Please note that spammers will often change the email address they are using to send SPAM, or spoof the email address they are using.  As a result, adding an email address to your ‘Blocklist’ may not always stop future SPAM.

I am getting undeliverable error messages for messages I did not send! What is happening?

Most likely your email address has been ‘spoofed’. 

Spoofing an email address is similar to writing a different return address on an envelope.  It appears as though the letter or email was sent from a different address.  When the SPAM message is sent to an invalid email address, you may receive the bounce back error messages stating that a message could not be delivered. 

Spammers can ‘harvest’ email addresses from many different public locations such as public web pages or online directories. Viruses or Spyware can also infect a computer and harvest email addresses from address books stored on that computer.  If you suspect that your computer has a possible virus, download updated virus definitions, run a virus scan, change your email password, and notify your System Administrators.

I am seeing SPAM email from my own 'umaryland.edu' email address! What is happening?

Most likely your email address has been ‘spoofed’. 

Spoofing an email address is similar to writing a different return address on an envelope.  It appears as though the letter or email was sent from a different address. 

Spammers can ‘harvest’ email addresses from many different public locations such as public web pages or online directories. Viruses or Spyware can also infect a computer and harvest email addresses from address books stored on that computer.  If you suspect that your computer has a possible virus, download updated virus definitions, run a virus scan, change your email password, and notify your System Administrators.