Skip to main content

Too much spam?

The email team within CIT understands how much of a nuisance spam can be, and we have strong measures in place to keep spam from disrupting the focus of Cornell’s faculty, staff, and students. Recently, a portion of the Cornell community has wondered why they’re getting more spam.

The overall volume of messages the university handles is a main factor. Until April 2013, the Cornell email system had been receiving about 2 million messages a day. Then the average volume jumped to 3-4 million. It continues to vary but has stayed at a higher level since then.

The extra 1-2 million messages? Mostly spam. On average, 70% of incoming messages are immediately rejected as spam. That accounts for about 90% of the total spam. However, with that kind of volume, the remaining 10% of spam that gets through is still a huge number.

Unfortunately, it is impossible to block every bit of spam without also interfering with legitimate mail. Every week, some Cornell community members report that legitimate mail was rejected by the university email system because the message apparently contained words or URLs similar to spam. The challenge for any spam control system is to keep up with the ingenuity of spammers while preserving the ability of legitimate mail to be delivered.

Spammers buy anti-spam products and test their messages to see what will get through. They craft spam with too little to trigger the anti-spam filters, or with enough legitimate-looking text (which you may not even see, because it’s hidden in alternate body parts) to get past the threshold. It’s trivial to create applications to test an unending variety of subject lines and fake messages.

One question we’ve heard a lot is why some people at Cornell seem to get so much more spam than others. It would be impossible to pinpoint an exact reason for any particular address, but here are some of the common reasons why this can happen:

  • Their address was guessed.
  • Their address was harvested from a computer that was infected or hacked.
  • They were tricked by a phishing or spam message and replied or clicked a link.
  • Their address has been publicized on websites.
  • Their address has been used outside the university, for example, to log in to non-Cornell services, participate in online forums, send messages to non-Cornell mailing lists, do online shopping, etc.

Some steps that Cornell’s email team is taking in the near term:

We are reviewing the overall approach to spam control. We will also continue to educate the campus community about spam and how certain choices they make with their email addresses can influence how much spam they receive. We will also highlight how to set rules in the email clients to automate the handling of PMX-flagged spam. The reality is that no email address can be immune to spam. But a renewed focus on awareness can only help.


A brief summary of the spam controls currently in place for the Cornell email system:

— The spam control system currently used at Cornell is Sophos PureMessage. This system scans all mail sent from non-Cornell addresses to Cornell addresses, looking  for spam and viruses. It automatically rejects mail that is flagged as probable spam above the 80% level, and sends a notice to the sender’s email server.

— Messages that are probable spam between the 55% and 80% level are flagged with a “PMX” indicator in the Subject line and delivered as usual. This range has, in the past, been determined to be the best compromise to guard against the possibility of automatically rejecting legitimate messages. In light of the dramatically increasing volume of spam, it may be time to revisit this decision.

— As a secondary spam control, the Cornell email administrators can tune the email routers in response to specific security threats, such as a realistic phishing email or a malware payload. This is coordinated with IT Security.

— The move to Office 365 did not change or affect how spam control is done. Incoming mail is handled the same way today as when we had on-premise Exchange.

— Spam that doesn’t get marked by Sophos PureMessage can be reported to the vendor (see instructions).

We encourage IT staff who have questions or feedback about the spam control system to contact the IT Service Desk via the TSP channels (607 255-8690 or

Thank you.

Cornell Information Technologies

607 255-5500

Print Friendly, PDF & Email


Comments are closed.