Email security overview

At the University, there are a number of measures in place to try to protect you from receiving malicious or unwanted email.

When an email is sent and received, it goes through a number of checks:

  • Checks at Source
    Some security checks are likely to be made by the sender's email provider.
  • Transmission over the internet
    Email successfully leaving the sender's site, will pass over the internet to the destination address site. Usually it will pass through one or more relays in order to route it to the correct site.
    As the email passes over the internet, entries are added to the email header identifying the relays. 
    The receiver can then determine the route taken by looking at the headers in the email.
  • Real Time Blocking Lists
    When it arrives at one of the University's core email servers,  real-time blocking lists (RBLs) are used to decide if it is safe to accept the email at Leeds. - See Real-time blocking lists
  • Core Email Server Whitelist and Blacklists
    Following checking against the RBLs, local blacklist and whitelist files are consulted to see if the email should be passed on for virus and spam checking - see Core Server Blacklists and Whitelists

Once email has passed the last two tests, it will be passed on to be analysed by PureMessage, our virus/spam checking software.
This software is highly configurable, and administrators at the University can decide the sequence in which analysis is carried out and what actions to take if certain conditions are met.

  • Virus Scanning
    Initially the message is checked for viruses. If it appears to contain a virus, the email will be rejected, with an appropriate message being sent back to the sender.
  • Attachment Checks
    Following virus scanning, PureMessage will remove any attachments which appear to be suspicious.
    If an attachment is removed, a message will be added to the subject of the email to tell you this has occured.
  • SPAM Probability Calculated.
    At this stage the SPAM probability of the message is calculated (ie how likely it is that the email is SPAM). 
    This measure will be used to determine various actions to be taken later.
  • PureMessage Managed Quarantine Whitelists
    Before using the SPAM percentage to determine if a message should be quarantined, PureMesage consults internal whitelists. These whitelists determine if the message should be automatically passed on to you regardless of the measured SPAM count. 
    A global whitelist is managed by the email administrators but in addition you can manage your own whitelist
  • Puremessage Managed Quarantine Blacklists
    Internal blacklists are consulted after the whitelists to determine if a message should be automatically quarantined regardless of the measured SPAM probability. 
    As with quarantine whitelisting, you can manage your own blacklist
  • Quarantining of email with SPAM probability >= 50%
    If the message reaches this test and has a SPAM probability equal to or greater than 50%, the message will be quarantined.
    You will get a daily digest which lists any emails that have been quarantined in the last 24 hours. You can use the information in this list to decide if you want to release any of the messages from quarantine.
    The digest will include messages quarantined due to blacklisting as well as those quarantined because the SPAM percentage is >= 50%.

Malicious email and scams

The University is currently seeing an increased amount of malicious email. The latest ‘attack’ appears to have tricked a number of colleagues; at least one person has had their personal bank accounts compromised. Please read the rest of this email to ensure you are aware and prepared.

What do we mean by ‘Malicious email’

In this context malicious email is one which has been sent with criminal intentions – for example:

  • Phishing emails - An email designed to trick you into revealing your password or other details, possibly by asking you to follow a link in the email. The link in these emails actually takes you to a malicious website which may look very realistic, but in fact is controlled by criminals.
  • Malware attachment – An email designed to trick you opening an innocent looking attachment which actually contains malware. Malware is an umbrella term used to describe hostile software. Examples of malware are:
  • Ransomware – Malicious encryption of your files with a ransom demand for a password to restore them
  • Keylogger – Hidden software that monitors your key strokes to get your username and passwords to websites (such as your online banking credentials)

What are IT doing to protect me?

The University has sophisticated filters that attempt to protect you from ever receiving malicious emails and spam emails (unwanted adverts). All computers supported by IT have antivirus software installed which acts as a second line of defence. Unfortunately, the perpetrators of malicious email are aware of these defences and are constantly innovating, and the latest attack is sophisticated in that no two emails are the same. If you do receive a spam email you can forward it as an attachment (Control + Alt + F) to This will allow it to be added to our spam filters which will automatically block such emails in future.

What can I do to protect myself?

Please be extra vigilant when opening emails. Remember:

  • Be very wary of email attachments - if you're not sure who an attachment is from or whether it is genuine, do not open it.
  • Never allow macros (eg in Word or Excel) to run unless you are sure they are genuine and safe.
  • The University (or any other reputable company) won't ask you to reply to an email with your username, password or other information like bank account details in an email. NEVER reply to these emails.
  • If you are asked to click on a link, type the link into your browser rather than clicking on it directly. Sometimes links in emails look genuine but would actually send you to a different site.
  • Don't fill in any attached forms that ask for your username and password or other personal details. We will never ask for your details in this way.

If you think you have responded to a spam email or opened an attachment with malware in please contact the IT Service Desk (, tel 0113 343 3333) immediately. For more information see the Information Security website ( including Phishing advice and information on viruses and malware.