Quarantine subsystem

Dangerous and suspicious mails stopped and filed away

Quarantine of viruses/spam

Introduction

The quarantine subsystem is an essential feature of all serious spam control products, and SpamCheetah is no different. It quarantines potentially dangerous mail, and you can clear the held entries when the quarantine mailer is sent to your INBOX.

The quarantine feature can be configured by the sysadmin: the frequency of the mailers, which mail categories are stored in the quarantine queue, and so on.

You also have the ability to manually flush the quarantine of a particular user from the web interface.

First of all, a quarantine feature in an email gateway level security product is very similar to the current day COVID quarantine measures taken by governments, or to what happens when a space traveler returns to earth. The idea is to stop the damage done by a single entity from spreading to multiple places and causing things to spin out of control.

Though borrowed from the medical world, this terminology is now well entrenched in the spam control community. From a technical standpoint it is nothing but temporary storage for suspicious mail until it is manually released by a user click. Usually end users get the choice of deleting a bad mail or delivering a good mail to the inbox in case the quarantine system was too prudent.

The usual way quarantined mails are stored and cleared is to silently file them away in a separate place/database and alert the end user periodically (weekly, daily or monthly, as set in the web interface). The user can then react based on the mailer, which lists all the mails sent to that user that are in quarantine.

If the user does not take action despite getting quarantine mailers, the entries filed away are deleted automatically: they expire and are purged from storage.

How does quarantine work?

Quarantined mail is basically mail that has been rejected for one of 3 reasons:

The quarantine report for each user is sent daily, weekly or monthly based on the admin's configuration setting. You can also set the frequency to Never, in which case no reports are sent.

The quarantine report contains all mails for a particular user held in the quarantine queue. Withholding an email from delivery to the INBOX because of certain suspicions about it is what quarantine is all about.

Once that decision is taken, the email is kept in a temporary queue, which is cleared if the user takes no explicit delete or deliver-to-inbox action.

There could be cases where a given user has 0 mails in his/her quarantine queue when the scheduled mailer job runs; in that case he/she does not receive the quarantine mailer.

Each spam control product implements the quarantine feature slightly differently. The main technical challenge is to deliver the original mail in case it was a false positive, so we preserve the headers and all content and send it as if the sender were doing so.
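The mechanics described in this section (hold the complete message so a false positive can be re-delivered untouched, produce a per-user report only for users who actually have held mail, and purge entries nobody acted on, as the daily cron job described later on this page does) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not SpamCheetah's code, and the retention period, sample message and addresses are constructed for the example.

```python
"""Toy quarantine store illustrating hold / report / release / purge.
Added example, not SpamCheetah's own code.  RETENTION, the sample message
and the addresses below are constructed for the illustration."""
import email
import email.policy
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=7)  # assumed retention before un-acted entries are purged


@dataclass
class Entry:
    entry_id: str
    envelope_from: str   # SMTP MAIL FROM, kept so a release is re-injected as the sender sent it
    envelope_to: str     # SMTP RCPT TO, i.e. the user whose quarantine this belongs to
    raw: bytes           # complete message, headers and body, byte for byte
    reason: str          # why the mail was held; shown in the report
    received: datetime


@dataclass
class QuarantineStore:
    entries: Dict[str, Entry] = field(default_factory=dict)

    def hold(self, envelope_from: str, envelope_to: str, raw: bytes, reason: str, now: datetime) -> str:
        # Content-addressed id: the same message to the same user is held only once.
        entry_id = hashlib.sha256(envelope_to.lower().encode() + b"\0" + raw).hexdigest()[:16]
        self.entries[entry_id] = Entry(entry_id, envelope_from, envelope_to.lower(), raw, reason, now)
        return entry_id

    def held_for(self, user: str) -> List[Entry]:
        user = user.lower()
        return sorted((e for e in self.entries.values() if e.envelope_to == user), key=lambda e: e.received)

    def release(self, entry_id: str) -> Tuple[str, str, bytes]:
        """False positive: hand back the original envelope and untouched bytes for re-injection."""
        e = self.entries.pop(entry_id)
        return e.envelope_from, e.envelope_to, e.raw

    def delete(self, entry_id: str) -> None:
        """User or admin confirmed the mail is bad."""
        del self.entries[entry_id]

    def purge_expired(self, now: datetime) -> int:
        """Daily job: drop entries nobody acted on within RETENTION; returns how many went."""
        expired = [k for k, e in self.entries.items() if now - e.received > RETENTION]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def report(self, user: str) -> Optional[str]:
        """Body of the per-user mailer; None means nothing is held, so no mailer is sent."""
        held = self.held_for(user)
        if not held:
            return None
        lines = [f"Quarantine report for {user}: {len(held)} message(s) held", ""]
        for e in held:
            msg = email.message_from_bytes(e.raw, policy=email.policy.default)
            lines.append(f"{e.entry_id}  {e.received:%Y-%m-%d}  from={e.envelope_from}  "
                         f"subject={str(msg['Subject'])!r}  reason={e.reason}")
        return "\n".join(lines)


# Constructed sample input: one message held for alice, nothing for bob.
SAMPLE_RAW = (b"From: Billing <billing@vendor.example>\r\n"
              b"To: alice@example.com\r\n"
              b"Subject: Invoice 4471\r\n"
              b"Message-ID: <sample-4471@vendor.example>\r\n"
              b"\r\n"
              b"Please find the invoice attached.\r\n")
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    store = QuarantineStore()
    eid = store.hold("bounces@vendor.example", "Alice@example.com", SAMPLE_RAW,
                     "attachment type not allowed", T0)
    alice_report = store.report("alice@example.com")
    bob_report = store.report("bob@example.com")          # None: bob gets no mailer
    released = store.release(eid)                         # "deliver to inbox" chosen
    store.hold("x@spam.example", "alice@example.com", b"Subject: old\r\n\r\n", "blacklisted sender", T0)
    purged = store.purge_expired(T0 + timedelta(days=8))  # nobody acted for longer than RETENTION
    return {"entry_id": eid, "alice_report": alice_report, "bob_report": bob_report,
            "released": released, "purged": purged, "left": len(store.entries)}


if __name__ == "__main__":
    print(demo()["alice_report"])
```

The point to notice is `release`: it returns the envelope addresses and the raw bytes exactly as received, which is what lets a gateway re-inject a false positive without the user seeing any difference from a direct delivery.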

Here is a sample quarantine mail. You can see how a mailer looks from the screenshot.

Quarantine user interface

Here is the quarantine web interface for users. This web interface requires no login and is restricted to that user's quarantine entries alone. By avoiding a login, things are made a wee bit easier for users, who do not have to set up and remember a password. However, the link expires in 3 days' time.

Quarantine user interface

Here is a sample quarantine report PDF. You can generate it by clicking the top right corner of the web interface as admin.

Quarantine report

Here is the sample quarantine report XLS. This can be generated with a mouse action like the one above. Depending on your comfort, you can choose any of these formats. Most quarantined mails deserve to be trashed, but some may be good, hence quarantine. If a mail is known to be certainly bad, SpamCheetah simply drops it, usually even before the mail conversation finishes. But when things are not so clear cut, we have to resort to this approach. There is no other way.

Quarantine report XLS

As you can see from the above, the report is very similar to the mail metadata report, except that in this case there is a field called the reason, where we explain why the mail came to be in the quarantine database in the first place.

The quarantine reports may not need to be regularly monitored if users get their quarantine reports and act on them. If, however, you set the quarantine mailer to never be sent to end users, then you as administrator may need to take some manual action and clear or deliver the entries.

The quarantine web interface is a separate web interface that does not require admin user credentials. The links are different for each user and no login is required: each user gets a unique link, which expires in 3 days' time.
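A login-free, per-user link of the kind described here and in the user interface section above only works safely if the link itself proves which user it belongs to and stops working after the 3-day window. One standard way to get both properties is to put the user's address and an expiry timestamp in the URL and sign them with a server-side secret, so the address cannot be edited to view someone else's entries. The example below is an added illustration of that pattern; it is not SpamCheetah's code or URL format, and the base URL, the token layout and the secret are assumptions.

```python
"""Expiring, login-free quarantine link built from an HMAC-signed token.
Added example, not SpamCheetah's implementation.  The URL, token format
and SECRET below are assumptions made for the illustration."""
import base64
import binascii
import hashlib
import hmac
import urllib.parse
from typing import Optional

LINK_LIFETIME = 3 * 24 * 3600  # 3 days, as described on this page
# Assumed server-side key; a real deployment generates one with secrets.token_bytes(32).
SECRET = b"example-only-secret-replace-me"
BASE_URL = "https://gateway.example/quarantine"  # assumed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link(user: str, now: int, secret: bytes = SECRET) -> str:
    """Link the mailer would carry: payload 'user|expiry' plus its HMAC-SHA256."""
    expires = now + LINK_LIFETIME
    payload = f"{user.lower()}|{expires}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    token = _b64(payload) + "." + _b64(sig)
    return f"{BASE_URL}?t={urllib.parse.quote(token)}"


def token_from_link(url: str) -> str:
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["t"][0]


def verify_token(token: str, now: int, secret: bytes = SECRET) -> Optional[str]:
    """Return the user whose quarantine may be shown, or None if the token is
    malformed, forged/tampered, or past its expiry."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    user, _, exp = payload.decode(errors="replace").rpartition("|")
    if not user or not exp.isdigit() or now >= int(exp):
        return None                               # expired (or no expiry at all)
    return user


if __name__ == "__main__":
    import time
    link = make_link("alice@example.com", int(time.time()))
    print(link)
    print("opens for:", verify_token(token_from_link(link), int(time.time())))
```

Because the signature covers both the address and the expiry, a recipient cannot extend their own link or swap in a colleague's address, and the server needs no per-link database row to enforce the 3-day limit: the timestamp in the token is authoritative once the signature checks out.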

Only users with mails in quarantine get the mailer. If none of your mails are stored in quarantine, you won't get any mail from the quarantine subsystem.

In SpamCheetah's case, the usual causes for mail entering quarantine are the admin having configured one or more of these conditions.

Can you disable quarantine?

Quarantine is a feature present in both the standard and heavy-duty editions. It is not possible to disable or turn it off. However, you can disable the conditions for quarantine and turn off the mailer, thereby effectively disabling it.

If the quarantine mailers are not acted upon, the disk space and database entries may fill up. Hence SpamCheetah has scheduled tasks (cron jobs) that check for expired quarantine mail entries once a day and purge them.

Note that once the SpamCheetah license expires, quarantine features do not work until the license is renewed.

There is nothing to be explicitly configured to enable the quarantine feature. It is available by default; you only need to make your preferences known. Sensible default values are provided. The default quarantine mailer frequency is weekly, which should suit most sites.

The reports you find in the admin interface are for all users. You can sort by headers in the web interface; in the PDF and XLS reports the order is fixed. Individual-level quarantine entries are viewable for each individual user in your organization.

In certain situations you may suspect that an important mail is stuck in quarantine. To ensure that this is not so, or to release it if it is, the admin has the ability to flush the quarantine of a given user manually from the web interface shown below. This speeds things up instead of waiting for the scheduled mailer.

Manually clear Quarantine for user

Once you enter the full email address of the user, his/her quarantine entries alone are flushed immediately by the admin action.

In today's world, spam and virus mails are not bounced but silently dropped instead, to avoid backscatter: since most malware is sent by zombies controlled by someone else, all addresses and return paths will be fake. Sending a bounce would therefore lead to even more spam and may also create bounce loops.

Quarantining is another option, in which the decision on how to deal with the bad mail is deferred. But this has the disadvantage that the user may not realize he has mail to attend to. Hopefully the quarantined mails are not the important ones. Each quarantine action has a specified reason, which is explicitly viewable in the admin reports as seen in the screenshots above.
