jwSpamSpy 11.0910
Release notes (2011-09-10)

Index:



What does jwSpamSpy do?

jwSpamSpy stops spam from reaching you. All your email goes through a mailbox on a mail server, from which your computer usually picks it up. jwSpamSpy reads this mailbox, checks which emails are spam, removes those and leaves you with the valid emails only.

Unlike some other filter software, it takes its decision to reject or not reject mails based on multiple factors. No single problem will lead to mail being discarded, avoiding "false positives" quite common in other filtering strategies.


System requirements

In general, if you were able to configure email on your computer, you should be able to install jwSpamSpy :-)

jwSpamSpy does not require a high end computer to work well. The following is required:

The oldest computer jwSpamSpy was tested on here was a 166 MHz Pentium with 32 MB of RAM and a 2 GB hard disk running Windows NT 4.0. It worked just fine.


How does jwSpamSpy work?

Before mail reaches you computer it is stored in a mailbox on a central server at your ISP or your company, from where your mail client (an email application such as Outlook Express, Netscape Communicator, Eudora, etc) picks it up. jwSpamSpy inserts itself between the ISP server and your mail client, acting as a mail client to the ISP mail server, and as a mail server to your mail client.

jwSpamSpy reads ISP mailboxes much the same way an email program does. It optionally deletes mails recognized as spam or viruses, after saving a copy in a local folder on your hard disk. All mails not identified as spam can then be moved to a mailbox provided by jwSpamSpy on the local harddisk. Your mail client can pick up spam-free mail from this mailbox by accessing a local server address instead of the mail server of the ISP or of your company.

Mails match some patterns found in spam but enough for jwSpamSpy to be sure it's spam will be delivered, but only as an attachment to a special notification message which you can manually inspect and retrieve if it looks OK to you. If a valid email is flagged as suspicious, please "Tools | Email addresses | Whitelist" to whitelist the sender address.

Filtered mail for every mail account is saved on your hard disk where it can be retrieved any time. See "What happens to mail filtered as spam?" in the FAQ.

jwSpamspy offers three different ways of taking care of spam, manual, automatic and remote mode. Your mail client can either alternate with jwSpamSpy in accessing the mailbox (Remote Mode), or it can access the mailbox with jwSpamSpy acting as a go-between (Automatic or Manual Mode). You choose between Remote Mode and the other modes at install time but you can switch between Manual and Automatic mode any time by right-clicking on the system tray icon to bring up the jwSpamSpy tray menu.

Setting up mailboxes

To allow jwSpamSpy to filter spam, it needs to be able to access your mailboxes. For that it needs information such as the name of the POP3-server, the user name assigned to you by your ISP, and the password for the mailbox. If you use Microsoft Outlook Express then jwSpamSpy can automatically import those settings from your email client. For other mail clients you need to enter those details manually.

You can configure jwSpamSpy for multiple mailboxes. Each mailbox has a name such as jane.doe@myisp.com. Here are sample values for one such mailbox:

Value Example
Description
Server mail.myisp.com
pop.myisp.com
Use the same POP3-server as set in your email application when first installing jwSpamSpy. If you use Automatic or Manual mode, change the POP3-server of your email application to 127.0.0.1, while setting jwSpamSpy to the real value. If you import Outlook Express settings, jwSpamSpy can make this change for you.
Userjane.doe Use the same user name as set in your email application when first installing jwSpamSpy. If you use Automatic or Manual mode with more than one mailbox, change the user name of your email application to the name of the mailbox (e.g. jane.doe@myisp.com). This prevents confusion if you have multiple accounts with the same user name at different providers (e.g. jane.doe@myisp.com and jane.doe@anotherprovider.com).
Port 110 You can leave this blank or 0 unless your ISP mailbox requires a value other than the default of 110. Some mailservers requires a secure connection (SSL) using port 995. Contact us for further instructions if this is the case with your server.
Disabled 0 Setting this entry to a non-zero value will cause jwSpamSpy to not check this mailbox unless specifically told to do so in Manual Mode or Remote Mode.
Honeypot 0 See here for more information about this setting. Normally you would leave this blank or 0.
Password 25-S3cr3t-36 This is the password required to open your mailbox. In Automatic or Manual mode, if you leave this blank then jwSpamSpy will pick up the password from your email application next time you check for email. For security reasons the password is not stored in a file readable over a network. Instead it is scrambled and stored in the Windows Registry, an internal database used by the operating system.

Automatic mode vs. Manual mode vs. Remote mode

Remote Mode Manual Mode Automatic Mode
  • You manually initiate the filtering
  • You choose when to preview or delete
  • Spam is listed as it is deleted
  • Mail client must not access mailbox during filtering
  • No changes to mail client account settings required, e.g.
    • POP3 server: mail.myisp.com (ISP)
    • User name: jane.doe
    • Password: ******
  • You can change all filtering parameters
  • You can use the Windows scheduler to filter at fixed times
  • Primarily for use with dial-up access (modem) or testing
  • You manually initiate the filtering
  • You choose when to preview or delete
  • Spam is listed as it is deleted
  • Mail client can access mailbox at any time
  • Only minor changes to mail client account settings, e.g.
    • POP3 server: 127.0.0.1 (local machine)
    • User name: jane.doe or jane.doe@myisp.com
    • Password: ******
  • You can change all filtering parameters
  • You can use the Windows scheduler to filter at fixed times
  • Primarily for use with dial-up access (modem) or testing
  • Filtering starts when you logon to Windows
  • Mails downloaded automatically
  • Spam deleted in the background
  • Mail client can access mailbox at any time
  • Only minor changes to mail client account settings, e.g.
    • POP3 server: 127.0.0.1 (local machine)
    • User name: jane.doe or jane.doe@myisp.com
    • Password: ******
  • Filtering parameters stay fixed
    (temporarily switch to manual mode to change them)
  • Can also be used with broadband access (LAN, ADSL, cable)

Remote mode only: Once you have used the "Delete Spam" function in jwSpamSpy to remove spams from your mailbox, you can tell your mail client to pick up mail. After your mail client has finished picking up mail, you can check for spam again.

For remote mode, make sure that jwSpamSpy and your Email program do not access the mailbox at the same time. For example, if you leave Outlook Express up while running jwSpamSpy to filter, make sure in Tools / Option / General in Outlook Express the following setting is not checked: "Check for new messages every [30] minutes". Also, we recommend that you uncheck the "Send and receive messages at startup" option in the same menu. Use Tools / Send and Receive in Outlook Express instead to explicity tell OE to look for mail. You do not have to worry about these options in automatic or manual mode.

Note that in Remote Mode jwSpamSpy can not prevent new spams from entering the mailbox between starting the spam check and starting the mail client. There is a small possibility that you will still see one or two spams slip into your inbox even when you've cleaned everything before. This is not a problem in Automatic or Manual Mode.

Manual and Automatic modes: You can change between manual and automatic mode by clicking on the jwSpamSpy icon in the system tray notification area with your right mouse button and selecting "Enable automatic filtering" or "Filter manually".

Opening the main dialog of jwSpamSpy does not change between manual or automatic mode, but automatic mode mail pickup and filtering is suspended while the dialog is up. Automatic mode only applies when the dialog is not up. When you close the dialog, normal filtering resumes.

If you unload the system tray application by clicking "Exit" in the tray menu, jwSpamSpy will become effectively disabled. We do not recommend you do this, unless instructed by our technical support. Any mails picked up by jwSpamSpy in automatic or manual mode but not received by the email application will be temporarily unavailable while the tray application is not running. In that case you may see some error messages when trying to check for mail from your mail client. When you reboot the system or log off and log on again, the system tray application reverts back to whatever mode was last active and the mails will be accessible again.

Preview vs. Delete Spam vs. Pickup in Remote or Manual Mode

Once you've entered the mailbox settings, jwSpamSpy can take a look at your mailboxes. "Preview Filtering" in the jwSpamSpy menu will display all mails suspected of being spam, one mailbox at a time, with the "least spammy" mails listed last. That way you can quickly check if any non-spams have accidentally ended up being diagnosed as spam. "Delete Spam" will do the same, but it also deletes all spams from your mailbox. "Pickup Mail" (not available in Remote mode) will delete spams but also copies all non-spams to a mailbox on the local hard disk, for local pickup by your email application. This is the mode used by most people.

Here is a typical listing from these commands. You can skip these explanations if you are not interested in technical details:

[jsmith@provider.com - 2003-12-12 15:37:19]:
001: [100 OleId#Bulk Subj:lenBbHostId~MpDblFontHtml] "Roberta Marshall" <ytgzqngj@WOLVESFANS.com> Huge Cristmas sale for OEM Windows, Office, Adobe - under $99 per CDs triassic
003: [100 Sdbl Date-Id-noRbl:shHostDom#DblOptHtml] Goldfinger <gold@hoover1.com> Christmas Jewelery Sale
004: [100 Name_Id$ BulkFont@Url<Html>] "Gwen Calhoun" <gcalhoun_qm@standaard.be>
005: [100 Name_IsoId-noRcvd DblHtml] "Mickey Darnell" <m_darnelliz@asc.asn.au> =?ISO-8859-1?b?aGk=?=
006: [100 # Name_Id-noRcvd+++Dbl Html] "Beatrice Tanner" <beatricetanner_uj@mgcheo.med.uottawa.ca> get it up
002: [79 #### BulkId-noRfcCcbl:cn] "John Zhuang" <jonyin@21cn.com> R / C Helicopter offer
Explanation:

Key Explanation
[janedoe@myisp.com -
2003-12-12 15:37:19]:
Name of the mailbox and the time/date when it was checked (this information is also saved in a file called bl\connect.txt).
001: Position within the mailbox - this spam was the first of at least six messages in the mailbox
[100 Reason1Reason2] Spam rating and reasons for awarding spam points (see below)
"A. Name" <sender@domain.com> Sender name and address specified in email header (may be fake)
Buy V1AGRA! Subject line specified in email header (may be offensive)
#### Mail did not receive enough points to make it certain spam (we think it's spam but we may be wrong)
### Mail definitely is spam, but there were no more than three reasons that contributed
## Mail definitely is spam, but there were no more than four reasons that contributed
# Mail definitely is spam, but there were no more than five reasons that contributed
+++ Mail probably or definitely is spam, but we could not decide on that just by looking at the header. We had to look at the body of the message too.
Ccbl:cn, Ccbl:br, Ccbl:ar, Ccbl:mx, Ccbl:lac Mail was sent via a server located in China, Brazil, Argentina, Mexiko or other Latin America / Caribbean countries
Ccbl:419, Ccbl:ng, Ccbl:ci, Ccbl:za Mail was sent via a network provider frequently used by "419" fraudsters ("Nigerian scam") or located in Nigeria, Cote d'Ivoire or South Africa
Sdbl The domain name of the sender belongs to a spammer
Sabl The sender email address belongs to a spammer
Bulk The mail was sent using a bulk-mail program used by spammers
Dbl The body of the mail contained a domain name used by a spammer
Nigeria Content and source suggest this is a "419" scam email
Virus, Virus:swen, Virus:warn The message appears to be a virus (either generically or identified as a specific type) or a meaningless virus warning sent to the wrong address

If the rating is "100" and it is not followed by any ###s then there were at least six reasons that made it look like spam.

Filter threshold levels

jwSpamSpy offers several filter levels. A setting of "100%" (the default) should result in only those mails getting deleted that jwSpamSpy is certain of being spam. In our experience, it will allow a small fraction (maybe 2%) of spams to slip through the cracks and land in your inbox, with practically no false positives (i.e. non spam being mistaken for spams). Most of the spams that pass at this setting will be tagged, i.e. forwarded as an attachment to a warning message.

On the other hand, a setting of "50%" will reduce the fairly low false negative rate (spams being let through) even further, but occasionally catches non-spam. For novices, we therefore recommend the safer "100%" setting. If you use the 50% setting, you should once click "Preview" before using "Delete Spam", or whitelist important senders to ensure there are no false positives (for example, a non-spam mail achieving a very suspicious but uncertain score of 51%).

Command line mode (in Remote or Manual Mode)

You can automatically invoke jwSpamSpy from a scheduler and use a command line switch to tell it what to do. That way you can have it clean up your mailboxes before you start using your computer. The available command lines are:
jwSpamSpy.exe preview
jwSpamSpy.exe delete
jwSpamSpy.exe pickup
All three options will start the application and access the mailboxes using the current settings (specified / all mailboxes, 50/67/100% threshold).

To create a scheduled job for preview or delete, select the following command in Windows 2000 or XP: Start / Accessories / System Tools / Scheduled Tasks. Choose Add Scheduled Task. Click Next. Select jwSpamSpy.exe. Click Next. Assign a descriptive name for the task, such as jwSpamSpy - morning cleanup and choose Daily or When my computer starts as the schedule. For a daily cleanup, specify a suitable time, such as 07:30 or whatever leaves enough time to clean before you first use your computer. Supply your user name and login password as necessary. Click Finish and you're done. Leave your computer on or start it on a timer switch and the following morning most spams will be gone before you start work. Do not use the scheduler with jwSpamSpy in automatic mode, as the system tray application will schedule when to delete spam instead.

With scheduled spam deleting or in automatic mode, you can go away for the weekend or on holidays without ever having to worry about spam or bulky viruses overflowing your mailbox.

DBL-Update subscription

Domain name blacklists are recognized to be the most efficient way of filtering spam. Since early January 2004 we have been publishing additions to our blacklists via DBL-Update, a mailing list created specifically for this purpose. If a mailbox protected by jwSpamSpy is subscribed to this service then any published updates to our global blacklist will automatically be picked up by your copy of jwSpamSpy. If later you receive a spam advertising one of those domains, you will be fully protected.

Subscribing to this mailing list is a two-step process:

  1. Send any email to jw-dbl-update-subscribe@yahoogroups.com (Opt-in)
  2. When you receive a message asking you to confirm that it was really you who requested to be subscribed, follow the instructions in that message, such as sending a reply to that message or clicking on a confirmation URL (Confirmed Opt-In)
That's it. Once a day you'll get a list of new spammer domains and you never even have to look at them. You can set up your email program to move those messages to a special folder or even to delete them after it's downloaded them. The act of downloading them is all that jwSpamSpy needs.

Even if you don't subscribe to this list, jwSpamSpy will be able to identify most spam domains by itself. In fact, that's how most additions on this list get produced, by jwSpamSpy filtering our own mailboxes. However, identifying new spam domains can slow down the filtering process a little and jwSpamSpy by itself does not catch 100% of all spam domains. That's why using DBL-Update is a benefit.

Honey traps and the "honeypot bias" setting

If you have a mailbox available that is not used for any sensible email, you can use it to enhance the spam recognition rate. Here is how:

Use "Add mailbox" to enter the details (server, user name, password, etc.), setting it's "honeypot bias" value to 100. Any mail sent to that mailbox will be subjected to the utmost scrutiny and will be deleted unless sent by a whitelisted sender. Any spam sent to this mailbox that advertizes spam domains will have a very good chance of these domains being added to the blacklist database on your hard disk. That in turn will help catch similar messages sent to regular mailboxes. When jwSpamSpy checks all mailboxes, it checks honeytrap mailboxes (Bias=100) first, followed by any other mailboxes with a non-zero bias. Mailboxes without any bias (Bias=0) will be checked last. Therefore, you should assign a bias of 0 to normal mailboxes, a small bias to less frequently used mailboxes (we suggest 1 or another single digit number) and a bias of 100 to mailboxes where nothing but spam is expected.

You can attract spam into the spamtrap by posting to a newsgroup such as alt.test with that address or, if you don't mind the little extra traffic every day, by subscribing to a spam mailing list. Send email (from the honeytrap account, not your regular mail account!) to majordomo@pcfan24.de with an arbitray Subject (it's ignored) and the following text in the message body:

subscribe spam-pcfan24-de
You will be sent a confirmation mail to verify the subscription. Send it back and your spamtrap is ready to get spammed, training the filter.

Virus filtering

jwSpamSpy will protect you from common harmful computer viruses such as Netsky, Sober, Swen, Dumaru and Klez in their various variants. Its filtering is more generic than custom virus filter software. As a result, jwSpamSpy will catch most new variants of viruses without requiring a software update, but under certain circumstances it may also reject some mails that are benign, if they carry an attachment that appears to be a medium sized DOS or Windows program or ZIP-file. Very large attachments (more than 300 KB) such as self-extracting executable archives will be let through. Smaller executable files need to be packed into a .ZIP file using an archiver such as WinZIP or WinRAR or they may be intercepted, depending on the mail application used to send them. Other files such as text files and pictures, etc. are always safe.

A future version of the product will be more configurable, but for the time being, we're putting your safety first!

jwSpamSpy Tools

There are several options in the Tools menu of jwSpamSpy that work with files used by or generated by the filter.

Tools | Check mail files...

By using drag and drop in Outlook, Outlook Express and other mail applications you can copy previously received mails from your email application to a folder on your harddisk. Using this option you can check such files for spam.

Tools | Virus reporting assistant...

jwSpamSpy keeps track of viruses that it filters to enable you to easily report these viruses to the appropriate Internet Service Providers (ISPs). The virus reporting assistant opens a text file with templates for all virus emails received. Use the Cut and Paste function to copy them to your email program, so you can quickly inform ISPs about infected customers' machines.

Tools | Lookup abuse contact...

When you receive spam you can use function to find the abuse handling contact for Internet Service Provider responsible for the address.

Tools | Email addresses | Whitelist...

Use this option to add trusted senders. These are email addresses of people you expect mail from. Mail from all these senders will not be filtered.

You don't normally need to use this feature. However, if you find that email from a valid sender gets flagged as suspicious or even as spam, then you should add the address of that person to the whitelist to make sure future emails will get through without problems.

The whitelisted senders will be stored in a file bl\from-wl.txt, that you can edit with Notepad. You can also import an ASCII file of email addresses (one entry per line, no other text) into your sender whitelist.

  • Please note that if an email carries a virus it will still be filtered. That's because most current viruses use fake sender addresses, making sender address based tests meaningless for virus checking.
  • Do not include any of your own addresses into the whitelist, or spam sent with a fake sender address equal to the recipient address (which is a fairly common trick used by spammers) will get through to you!

Tools | Email addresses | Blacklist...

Use this option to add senders that you never want to receive mail from. All mail with one of these addresses as a sender or reply address will be filtered.

Tools | Email addresses | Blacklist 419...

Use this option to add senders that you never want to receive mail from. All mail with one of these addresses as a sender or reply address will be filtered. This works the same as the regular Blacklist function, but also marks the senders as spammers involved in "419" advance fee fraud.

Tools | Domain names | Blacklist...

Use this option to add domains that you never want to receive mail from and that you never want to see mentioned in email sent to you. For example, if you add spammer.com to the list, any email sent from sales@spammer.com or offers@spammer.com will be blocked, as will be any mail that mentions http://www.spammer.com/somepage.html.

Tools | Domain names | Whitelist...

Use this option to add domains that you trust. Mail from any sender in one of these domains will never be blocked. If you add example.com to the list, any email sent from john@example.com or sales@example.com will get through, even if the filter would normally find something suspicious about it.

Tools | Domain names | Free email...

Use this option to add domains that provide free webmail accounts. These sites are popular with "419" spammers and they are also often used as fake sender addresses by other spammers. Legitimate mail from domains listed here will not be blocked. However, if several other suspicious symptoms are detected, mail from these sources will be treated as spam.

Tools | Domain names | Free website...

Use this option to add domains that provide free webspace (e.g. geocities.com, tripod.com) or host subdomains or that redirect to another URL (e.g. tinyurl.com). URLs using these domains mentioned in emails do not cause the mail to be blocked. However, if several other suspicious symptoms are detected, mail mentioning these URLs will be treated as spam.

Tools | Generate reports | Domain report...

Creates a report about the two local domain blocklists used by jwSpamSpy (for internal use).

Tools | Generate reports | 419 report...

Creates a report of sender addresses from spam mails for the "419" fraud (for internal use).

Tools | Generate reports | Dialup report

Creates a report of dialup and broadband hosts (ADSL, cable internet) in mails that were checked (for internal use).


Automatic updates

When the a registered copy of jwSpamSpy goes online to check for email, it will periodically also check our website to see if new versions of jwSpamSpy are available. If an updated version is found, it will be downloaded to a folder on the hard disk. Next time you restart your computer, jwSpamSpy will find the updated version and will offer you to upgrade. You do not have to upgrade every time a new version becomes available, but we do recommend it. New versions will provide protection against newer types of spams or viruses not detected by old versions, or will avoid filtering some legitimate mail that might have been flagged as spam by older versions.


How to uninstall jwSpamSpy

If for any reason you want to remove our product from your computer, you can use the uninstaller for the product in the Windows Control panel, as with most other Windows programs:
  1. Click "Start | Settings | Control Panel"
  2. Click "Add/Remove Programs"
  3. Click "jwSpamSpy"
  4. Click "Change/Remove"
  5. Click "OK" to remove it. After the application is uninstalled, it will let you reboot the machine. When it comes back up again, jwSpamSpy is gone.
Any data files left at C:\Program Files\JoeWein\SpamSpy or any other folder into which you installed the product can be safely deleted. Note that if you manually changed mail settings for Outlook Express or any other email program you may be using, you'll have to change them back to the defaults for your Internet service provider.


Contact us:

Joe Wein <support@jwspamspy.com>

http://www.jwSpamSpy.com/