Policies and Guidelines

Email Policy - sends you to a linked PDF describing Western's Email Policy.

http://www.uwo.ca/univsec/pdf/policies_procedures/section1/mapp113.pdf

Prohibited E-mail File Attachments - explains what kinds of file formats are prohibited from being email attachments.

As the popularity and use of email have increased, so has the distribution of viruses and spyware/malware through email. As a result, Western has chosen to block certain file types that Windows operating systems have a built-in association to auto-launch and that are commonly used to infect computer files or compromise security. This is crucial because it is not just the recipient's computer that becomes compromised, but all computers attached to the network through both the wired and wireless systems.

List of Prohibited File Attachments

The following file types are currently being blocked by the Western mail servers:

.ade, .adp, .app, .asd, .asf, .asx, .bas, .bat, .bin, .chm, .cmd, .com, .cpl, .crt, .drv, .dll, .emf, .exe, .fxp, .hlp, .hta, .hto, .inf, .ini, .ins, .isp, .js, .jse, .lib, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .ocx, .ovl, .pcd, .pif, .prg, .reg, .scr, .sct, .sh, .shb, .shs, .sys, .url, .vb, .vbe, .vbs, .vcs, .vxd, .wmd, .wmf, .wms, .wmz, .wsc, .wsf, .wsh.

* The restriction on .rar and .zip files has been lifted. If you receive a message indicating these file extensions have been blocked, it is because they contain nested file extensions that are still restricted. These files will then need to be password protected in order to be delivered.

Understanding the Behavior

Due to the complexity of the email environment, message delivery is processed differently depending on whether the message originates from an internal or an external source.

Messages Originating Internally

When a prohibited attachment has been blocked, the attachment is not delivered to the recipient, but the message itself is still delivered. The sender will not receive any notification that the attachment has been removed. The attachment will be permanently deleted, and there is no way of recovering this file. The recipient will receive a text (.txt) file embedded into the body of the message in place of the removed attachment. This text file will contain the following message:

A file filename.extension attached to this message has been deleted by the University of Western Ontario's mail server because its type has been identified as a possible security risk to you. For more information, please visit http://www.uwo.ca/its/email/blockedfiles.html (i.e. this site).

Messages Originating Externally

When a prohibited attachment has been blocked, the message is rejected and the sender's mail server is provided with the response: "554 5.7.1 Attachments with file extension zip are not accepted." In addition to the original sender receiving a more timely response, the recipient is no longer obligated to follow up with the sender to reiterate our policy on prohibited file attachments.
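The internal and external handling described above, as an added example (not Western's mail server code): it checks attachment names and the member names inside .zip archives, then either strips the attachment and leaves a notice or rejects the message. The blocked set is a subset of the list on this page; the function names, the shortened notice text and the choice to treat an unreadable archive as blocked are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# A few entries from the list above; a deployed filter would load all of them.
BLOCKED = {".bat", ".cmd", ".com", ".exe", ".hta", ".js", ".lnk", ".msi",
           ".scr", ".vbs", ".wsf"}
NOTICE = ("A file {name} attached to this message has been deleted by the\n"
          "mail server because its type has been identified as a possible\n"
          "security risk to you.\n")


def ext(name):
    """Final extension, lower-cased: 'report.pdf.EXE' and 'a.exe.' give '.exe'."""
    name = name.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_names(part):
    """Blocked file names in one attachment, looking inside .zip archives."""
    name = part.get_filename() or ""
    hits = [name] if ext(name) in BLOCKED else []
    if ext(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += [f"{name}!{m}" for m in zf.namelist() if ext(m) in BLOCKED]
        except zipfile.BadZipFile:
            hits.append(name)  # assumption: an unreadable archive fails closed
    return hits


def handle(raw, internal):
    """Return (verdict, smtp_reply, message) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in list(msg.iter_attachments()):
        if not blocked_names(part):
            continue
        name = part.get_filename()
        if not internal:  # external mail: refuse the whole message at SMTP time
            reply = (f"554 5.7.1 Attachments with file extension "
                     f"{ext(name)[1:]} are not accepted.")
            return "reject", reply, None
        part.clear()      # internal mail: the attachment is deleted, not quarantined
        part.set_content(NOTICE.format(name=name))
    return "deliver", None, msg


def sample_message():
    """Constructed sample: a zip attachment with a nested double-extension .EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        zf.writestr("report.pdf.EXE", "MZ placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "files"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="files.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(handle(sample_message(), internal=False)[:2])
    print(handle(sample_message(), internal=True)[0])
```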

How does this affect me?

To bypass the restrictions of the university mail system on attachments, use compression software that provides password protection. Since most of these software programs are on our list of prohibited attachments, you will also need to rename the output. As the sender, include the original file type and password in the body of the message. For assistance, please contact the Help Desk at 519 661-3800.

Sending Rate Limits - describes the sending rate limits to external email addresses.

The Western email system limits the rate at which messages can be sent to external email addresses. Email rate limits mitigate the impact of compromised hosts or accounts on our email system. These limits were carefully chosen to minimize the impact on legitimate email traffic; however, some legitimate senders may be impacted.

Current rate limits

Office 365

Sending Limits
  • Recipient rate limit: 10,000 recipients per day
  • Recipient limit: 500 recipients
  • Recipient proxy address limit: 200
  • Message rate limit (SMTP client submission only): 30 messages per minute
Receiving Limits
  • Messages received: 3600 messages per hour

Convergence

There are two tiers of rate limits employed on Western's Convergence email system, depending on client location.

Tier 2 (high risk)
  Clients
  • Convergence users
  • Wireless clients
  • Reznet clients
  • Off-campus clients
  Rate limit*
  • 50 messages per 15 minutes
  • 500 messages per 24 hours

Tier 1 (low risk)
  Clients
  • All other on-campus clients
  Rate limit*
  • 500 messages per 24 hours

* The message count is measured independently on each of WTS' email servers. It's possible to exceed this limit by splitting messages across multiple servers, if messages are sent over multiple sessions, although results may vary and this should not be relied upon as a workaround.

Internal vs external recipients

Rate limits only apply to email messages sent to external recipients. External recipients are those not hosted by WTS, such as @gmail.com or @hotmail.com. Emails to @uwo.ca addresses, or other domains hosted by WTS, are not rate limited and do not count towards your rate limit.

Rationale

Western's ability to effectively deliver legitimate messages to the internet depends on having a good reputation as an email sender. Each time Western's email servers are misused to send spam, that reputation is damaged. Other mail domains may begin throttling our mail, or blocking us entirely for a period of time. We may become listed on any number of dynamic blacklist services used by email service providers across the world. This negatively impacts our ability to deliver legitimate mail for all of Western.

The two major sources of spam in our email system are compromised accounts, such as through phishing attacks, and virus-infected hosts connected to our network. While we take steps to minimize the occurrence of these cases, we cannot completely prevent them, and from time to time they will appear on our network and be used to blast spam through our mail servers.

In order to reduce the volume of spam which makes it through our mail system and onto the internet, we make use of email rate limiting. This can lower the volume of spam sent in each incident from millions to a few thousand. Since each spam message we relay can impact our reputation as an email sender, this reduction is vital to the operation of our service.

Comparison to other ESPs

While selecting an appropriate rate limit for our Tier 1 clients, we looked at rate limits used by other major email service providers. We found that several major ISPs (Comcast, Earthlink, Roadrunner) used a rate limit of 1000 messages per day, while most major free webmail providers (Gmail, Hotmail, Yahoo!) used a limit of 100 to 500 recipients per day. We feel that, as a University, a limit somewhere between these two numbers is appropriate.

The rate limit for our Tier 2 clients is much lower, because these clients are considered to be higher risk. Compromised accounts from phishing attacks frequently use Convergence or direct SMTP connections from off-campus. Wireless and Reznet clients are considered higher risk because compromised devices are more commonly brought onto campus and connected to these networks. Applications used for sending mass emails would typically be run on an on-campus workstation or server, which would fall under the Tier 1 rate limit (although still subject to the Mass Email Guidelines).

Impact on Western users

Most Western users will likely never be affected by Western's email rate limits. In the case of Tier 1 clients, we estimate that less than 0.2% of clients will be affected.

Those likely to be affected will be users or departments that run software on their workstation or department's server which sends mass mailings or other email notifications to external email addresses. Email senders who hit the rate limit will receive the following message in the form of a pop-up in their email software:

550 5.7.1 Recipient rate limit exceeded. Try again later. 
See http://www.uwo.ca/wts/email/ratelimits.html

When this message appears, the message being sent will not be processed. If sending to multiple recipients in the same message, none of the recipients will receive the message. Repeatedly trying to re-send will push your client further over the limit, but will not allow further messages to be sent. See the workarounds and best practices below.

If you are seeing the above error message, but are not aware of having sent messages to a large number of recipients, it's possible that your computer is infected with a virus or your Western account has been compromised, and is being used to send spam. If you believe this to be a possibility, please change your Western password immediately and contact the Help Desk for further assistance.
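The two-tier limits and the rejection behaviour described above, modelled as an added example (not WTS's implementation): a sliding-window counter for a single mail server that ignores recipients in hosted domains, refuses the whole message once a window is exceeded, and still counts refused attempts. Counting per external recipient (following the wording of the 550 reply), the acceptance reply, the hosted-domain set and the client names are assumptions.

```python
from collections import defaultdict, deque

HOSTED = {"uwo.ca"}  # assumption: stand-in for the full set of WTS-hosted domains
TIERS = {            # tier -> list of (window in seconds, limit)
    1: [(24 * 3600, 500)],
    2: [(15 * 60, 50), (24 * 3600, 500)],
}
OK = "250 2.0.0 Ok"  # assumption: generic acceptance reply
LIMITED = "550 5.7.1 Recipient rate limit exceeded. Try again later."


class RateLimiter:
    """Counters for one mail server; each server keeps its own count."""

    def __init__(self):
        self.seen = defaultdict(deque)  # client -> one timestamp per external recipient

    def submit(self, client, tier, recipients, now):
        """Return the SMTP reply for one message offered at time `now` (seconds)."""
        external = [r for r in recipients
                    if r.rpartition("@")[2].lower() not in HOSTED]
        if not external:
            return OK                      # hosted-only mail is never counted
        q = self.seen[client]
        horizon = max(window for window, _ in TIERS[tier])
        while q and q[0] <= now - horizon:
            q.popleft()                    # forget events older than the longest window
        q.extend([now] * len(external))    # counted even if refused below
        for window, limit in TIERS[tier]:
            if sum(1 for t in q if t > now - window) > limit:
                return LIMITED             # the whole message is refused
        return OK


def demo():
    """Constructed scenario for a Tier 2 client; times are seconds from start."""
    rl, batch = RateLimiter(), [f"user{i}@example.org" for i in range(25)]
    return [
        rl.submit("10.0.0.5", 2, batch, now=0),                   # 25 used
        rl.submit("10.0.0.5", 2, batch, now=60),                  # 50 used, at the limit
        rl.submit("10.0.0.5", 2, ["x@example.org"], now=120),     # 51: refused
        rl.submit("10.0.0.5", 2, ["colleague@uwo.ca"], now=130),  # hosted: accepted
        rl.submit("10.0.0.5", 2, ["x@example.org"], now=180),     # retry: 52, refused
        rl.submit("10.0.0.5", 2, ["x@example.org"], now=1200),    # 15-minute window has slid
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

For detection, a client that keeps drawing the 550 reply without an explainable mailing is the signal the paragraph above describes: a likely infected host or compromised account.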

Workarounds and best practices

If sending mailings to a large number of external recipients, be aware of the two tiers of rate limits. To avoid being affected by the rate limits, try the following workarounds:

  • If sending from one of the Tier 2 areas, try sending from the on-campus wired network instead.
  • Faculty and staff can use a List Guardian mailing list for your mailing, which is unaffected by rate limits.
  • Students can use external mailing list services, such as Google Groups, which would count as a single external address.
  • Send messages to a small number of recipients over a longer period of time, to stay below the rate limits.
  • Official communications may be eligible to be sent by WTS, using our professional mass mailing application. Contact the Help Desk to inquire further.

After trying the above workarounds, if you are still experiencing difficulties sending large mailings, please contact the Help Desk to request further assistance from the email group.

Please be aware, mass email communications are subject to the Mass Email Guidelines, including formatting, subject matter, recipient selection, scheduling, rate limiting and opt-out procedures.

End of Relaying to External Sender Domains - explains WTS' policy against accepting emails addressed from an external sender.

Western’s back-end email servers (smtp.uwo.ca, mta.uwo.ca) do not accept emails addressed from external sender domains due to the service being abused by spammers, phishers, and viruses as an avenue to forge email addresses.

In addition to our primary @uwo.ca email domain, WTS hosts email services for approximately two dozen other Western-related email domains. Western senders therefore are limited to addresses within the set of domains which WTS hosts. When a sender tries to send email from any other domain, the message will be rejected.  This helps to curtail the activities of spammers and viruses, as well as correct several client configuration errors we have detected. 

This only applies to email sent through Western’s back-end SMTP email servers. Incoming emails to Western’s front-end email servers will still be accepted, so long as the recipients are valid and the messages pass our spam filters.

How does this affect me?

Most users are unaffected by this policy, but there are some legitimate senders that may need to consider how they send email.  End users may fall into categories #1-2 below, but server administrators may also need to consider categories #3-4.

1. End users sending from external domains

Some users may have unintentionally configured their email clients to use an external email account, but mistakenly set the outbound email server to smtp.uwo.ca (or mta.uwo.ca). This has the effect of sending your outside account’s email through Western’s email servers. These users need to reconfigure their email clients to use the email server provided by their outside email service provider.

2. Bulk/Mass email senders and application notifications

Users who conduct bulk or mass email campaigns, or applications which send email notifications, may be sending email using an external sender domain. If you’re sending with an application that is internal to Western, and are sending through Western’s SMTP server, you will need to ensure that you’re sending from a valid, deliverable email address within an email domain which is hosted by WTS. It is strongly recommended that you specify a sender address that you own, so you can receive replies and bounces. You should not be using sender addresses provided by end users, since this can be exploited by spammers.

If you’re sending from an external service, you should be unaffected, since the service should be handling email delivery for you using their own domain as a sender address.

3. System emails from server machines

Server administrators may need some way for their servers to send email notifications, alerts, reports, etc. It is common for Unix/Linux type systems to send such emails using user@full.name.of.host.uwo.ca as the sender address. If these servers are configured to push all mail to smtp.uwo.ca (or mta.uwo.ca), then these are affected by this policy.

Since @full.name.of.host.uwo.ca is not an email domain which WTS hosts (even if it may be a sub-domain of such), these messages are rejected. Your server should be configured to rewrite/masquerade the sender addresses to use valid, deliverable email addresses within an email domain which is hosted by WTS.

If you fall into this category, IWS has some solutions for configuring the local Sendmail configuration on Linux hosts. Please let us know and we can assist you with implementing this solution.

4. Other campus email servers

Email servers being operated on campus should not be sending email to smtp.uwo.ca (or mta.uwo.ca).  They should send email directly to the hosts specified in the MX records of the recipient domains.

Mass Email Guidelines - outlines the guides for mass emailing at Western University.

Below are the Mass Email Guidelines for Western University.  A PDF version of the following text is also available.

Last Updated June 6, 2012

Preamble

These guidelines apply to the use of University email systems for sending and distributing mass email communications.

The University of Western Ontario provides electronic mail services for use by students, faculty, staff and other persons affiliated with the University. The University email system is a vital part of the University's information technology services infrastructure. It is a service provided to support necessary communication in conducting and administering the business of the University, including teaching, research and scholarly activities. Refer to Policy 1.13, E-mail Policy.

Western Technology Services (WTS) has received an increased number of requests to accommodate distribution of mass emails. Distributing mass emails causes an increased consumption of computing and networking resources which are shared by all users.

These guidelines aim to outline best practices, policies and processes for the effective use of mass email at The University of Western Ontario. These guidelines attempt to strike a balance between the speed and ease of use (for the sender) of mass email, the desire to reduce reliance on paper mail and the impact on each member of the community receiving unsolicited email messages. These guidelines have been developed in the interest of fairness, respect for personal time and effective use of University resources.

Definition of Mass Email

For the purposes of these guidelines, mass email shall be considered to be any unsolicited electronic mailing in which the message is sent to members of the University or affiliates in bulk fashion.

Mailing Lists

Discussion amongst members of a mailing list is not generally considered mass email. However, the use of a mailing list for distributing mass email does not provide an exemption from these guidelines.

Internet Spam

These guidelines do not attempt to regulate the abundance of “spam” emails originating from the internet.

Acceptable Content

Mass email messages must pertain to University business and shall conform to Policy 1.13, Email Policy and Policy 1.13, Acceptable Use Policy.

  1. Personal Messages
  2. Items for sale
  3. Jokes
  4. Chain letters
  5. Pyramid or money-making schemes
  6. Unsolicited commercial email
  7. Political campaigning

The information conveyed should be of significant value to the recipients.

Focused Recipients

The distribution list must be refined in order to ensure the message is delivered only to those for whom it is relevant. The sender of the message is responsible for defining the distribution list as accurately as possible. When appropriate, use smaller and more targeted mailing lists rather than larger, broader lists. Recipients that no longer exist or have been disabled must be removed from future mailings to minimize bounces.

Message Format

  1. Keep mass email messages short and the message size small.  Contact WTS before sending messages larger than 50 KB.
  2. Use plain-text when possible.  If using HTML, include a plain-text MIME part.
  3. Always use a clear, descriptive, and non-empty Subject: header.
  4. Always use a valid and deliverable envelope "mail from" address to receive bounce messages.
  5. Always use a valid and deliverable From: header address to receive replies from recipients of the mass email.
    1. If the address in the From: header is not the intended recipient of replies, a valid and deliverable address should be specified in the Reply-To: header.
  6. For messages addressed to multiple recipients, the recipient list must be protected.  Do not include the recipient list in the To: or CC: headers where it would be visible to all recipients.  Use the BCC: header or use a mailing list.
  7. Do not include attachments; provide a URL link to download content instead.
  8. Do not include personal, confidential, or sensitive information.
  9. Clearly identify the unit or individual responsible for sending the message, the scope of the individuals being mass emailed, and the purpose of the message.
  10. Contact information of the sender must be included.  This may be in the Reply-To: or From: headers, or may be provided in the body of the message.
  11. Directions for an opt-out process must be included at the bottom of the message as described in the "Opt-Out Process" section below.

See Appendix 1 for a sample mass email message.

Opt-Out Process

Mass email messages shall include a way for recipients to opt-out of receiving further mass emails from the sender. Clear and simple instructions for opting-out must be included at the bottom of each mass email message. It is the sender's responsibility to comply with opt-out requests for further mailings within three business days of receiving the request.

The opt-out process does not apply to the following classifications of mass emails:

  1. Official emails from the University administration or their representatives.
  2. Emergency emails concerning an immediate threat to health and safety, property, or research.
  3. Emails that the recipient would expect to receive as essential to their roles as students or employees.

Scheduling and Sending Rate

In order to minimize the impact that mass email messages have on University email and network systems, the following time-of-day and rate limits apply.

During Peak-Hours

Between 6am and 6pm on Mondays to Fridays, the following restrictions apply:

  1. Mass emails may be sent to no more than 10,000 recipients.
  2. When sending mass emails to more than 3,000 recipients, schedule the mailing in the events calendar at least 2 hours in advance and for a time that does not conflict with an existing scheduled mass email.  See "Mass Mailing Communications Events Calendar" below.
  3. The sender must control the rate of sending such that messages are sent to no more than 100 recipients per minute.

During Off-Hours

Outside of 6am to 6pm on Mondays to Fridays, all day on Saturdays, Sundays and Holidays, the following restrictions apply:

  1. Mass emails may be sent to no more than 50,000 recipients without prior approval from WTS.
  2. When sending mass emails to more than 3,000 recipients, schedule the mailing in the events calendar at least 2 hours in advance and for a time that does not conflict with an existing scheduled mass email.  See "Mass Mailing Communications Events Calendar" below.
  3. The sender must control the rate of sending such that messages are sent to no more than 100 recipients per minute.

Mass Mailing Communications Events Calendar

Mass emails are scheduled in the “Mass Mailing Communications” Events Calendar. When scheduling a mass emailing, ensure that no conflict is created with an already scheduled mass mailing.

When booking a mass mailing in the Events Calendar, ensure that appropriate time is reserved when considering number of recipients and the sending rate described above. As an example, to send a mass email to 15000 recipients, given the 100 recipients per minute limit, 2.5 hours should be reserved in the calendar.

The “Mass Mailing Communications” Events Calendar is located at: http://events.uwo.ca/cgi-bin/events.pl?Op=ShowIt&CalendarName=MassMailCommunications.

For access to schedule mailings in the Events Calendar, please contact the Help Desk (web: http://www.uwo.ca/wts/helpdesk/ phone: 519-661-3800 or Ext 83800).

Spam Filters

The University email system employs spam and content filters to protect against spam and other unwanted messages. Mass email sent from outside of the University network will be filtered for spam before being delivered.

It is the responsibility of the sender to ensure their sending email servers are configured appropriately and that their email messages are formatted and delivered such that they will not be filtered as spam.

The University is not responsible for any mass emails that are filtered as spam and will not make any exceptions or “whitelist” any senders to allow emails through unfiltered. This applies to all solicited and unsolicited emails.

Noncompliance and Sanctions

Use of University computing and networking resources for sending mass email is subject to these guidelines, as well as the Email Policy and other University policies.

Reports of incidents regarding inappropriate mass email communications as they pertain to these guidelines should be referred to the Network Security Officer (email: nso@uwo.ca).

The University reserves the right to deny or remove access privileges to individuals or groups in order to protect the University computing and networking resources against excessive use or activity at the discretion of the system or network administrators, in accordance with Policy 1.13, E-mail Policy.

As email is a privilege extended to the University community to facilitate communication, it should be used ethically and within bounds of policy.

Revisions

These guidelines are based on best practices, applicable law and technical capabilities at the time of the latest revision and will be updated periodically as technology and other factors change.

Appendix 1

A sample mass email message.

Return-path: <roadwork-bounces@uwo.ca>
Message-ID: <49D24564.3080802@uwo.ca>
Date: Tue, 31 Mar 2009 12:31:32 -0400
From: UWO Road Maintenance Crew <roadwork-bounces@uwo.ca>
To: UWO Community <>
BCC: Jack Smith <jsmith01@uwo.ca>, Jill Smith <jsmith02@uwo.ca>
Reply-To: UWO Road Maintenance Crew <roadwork@uwo.ca>
Subject: Medway Creek Bridge Closure
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

The bridge crossing Medway Creek on Perth Drive just North of University Hospital will be 
closed for road work on April 15-16. Please use alternate entrances to campus during this 
time.

See http://roadwork.uwo.ca/news/medwaybridge/ for more details.

John Smith
UWO Road Maintenance Crew
The University of Western Ontario

This message was sent to all faculty and staff.

To opt-out of further mass email messages from the UWO Road Maintenance Crew, send an email 
to roadwork@uwo.ca with the subject “opt-out”.
