Why do we have these unwanted junk emails in a folder? Turns out the designers and implementers of email systems had a problem. Most people want to receive all their emails. They don’t want a complicated system validating who the senders of those emails are, and whether they are allowed to send (Bergholz et al., 2010). It’s completely possible to build such a system. But many organizations don’t use anything like that. This has contributed to the receipt of unwanted and fraudulent emails being one of the oldest and most persistent problems in information technology.
Email systems don’t really care about the identities of the people who send us email (Bellovin, 2004). If the email system gets a message from the President of the United States, it doesn’t stop to ask for a driver’s license. It just delivers that message to the recipient. When the user gets that message from POTUS, they must decide if it’s really from the President or not. The system doesn’t exactly try to validate the email, it’s not designed to because most people would consider that burdensome for the communications process.
Of course, we don’t like that thousands of fake Presidents are sending us fake emails. We can’t verify the actual sender, the person, but we can analyze the message they sent for legitimacy. This of course leads to the mystical art of e-mail filtering. Email security companies study messages to look for hundreds of indicators in the messages that might signal it’s not real or that it’s not wanted. Microsoft vaguely describes this step as “content filtering” (Exchange Online Protection (EOP) Overview - Office 365, 2023). In many cases these formulas are as secret as the recipe for Coca-Cola (still secret at the time of this writing). So, often when companies buy into spam filtering solutions, they are buying the “secret sauce” along with the technology itself.
We can imagine one such rule that all emails discussing dog ownership sent on a Friday to over 200 people, will be considered junk email. If the rule leads to the desired filtering of unwanted email, it’s good. But what if we worked at Petco and 200 emails about dog ownership on a Friday is normal business? There is often going to be some doubt when filtering email messages because it’s not an exact science. That doubt is why the junk email folder exists. It is one last chance to see the messages before they are deleted in case the rules made a mistake. It’s called a folder but really, it’s a waste bin temporarily holding the garbage before trash day.
But wait! What if we are trying to send emails and we don’t want to end up in the waste bin? Email systems aren’t really designed to verify the identity of individual people, but they can provide some verification of that individuals organization. We can know, with some more accuracy, that an account from the White House sent us an email. This works because mail systems can prove their identity to each other. It takes a bit more work to set up but is significantly easier than proving the identities of every individual person sending email. If we know that a message was sent from the verified White House email service, it’s far more likely it’s a real message. With that level of confidence, the POTUS message should never go to the junk email folder by default.
It's important to remember that the junk folder stores mail the system thinks is bad or unwanted. It’s only there for a brief time before deletion. People should use caution when interacting with those messages. Don't go fishing in your junk mail folder for phishing emails! It’s also important to remember that we can do some extra work with our mail services so that they can prove their identity which helps prevent the mail we send from ending up in someone else’s junk folder. If you are the service owner of a campus system that sends emails on behalf of the college, make sure to submit an Email Request to ensure that system can be correctly recognized by our mail system.
If you need further assistance, please submit a ticket here: Email Requests, or call the IT Service Desk at (585) 395-5151 Option 1
References
Bellovin, S. M. (2004). Spamming, phishing, authentication, and privacy. Communications of the ACM, 47(12), 144. https://doi.org/10.1145/1035134.1035159
Bergholz, A., De Beer, J., Glahn, S., Moens, M.-F., Paaß, G., & Strobel, S. (2010). New filtering approaches for phishing email. Journal of Computer Security, 18(1), 7–35. https://doi.org/10.3233/JCS-2010-0371
Exchange Online Protection (EOP) overview - Office 365. (2023, February 24). https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about