Effective email protection prevents spam emails and email-borne threats such as malware, ransomware, and phishing. However, the effectiveness of email protection software is often dependent on two significant factors – the software's capabilities and the flexibility of configuration.
Email protection comes with different levels of sophistication – from the basic spam filters that come with free-to-use email services, to multi-layered solutions that integrate with identity and SIEM tools. At every level of sophistication, administrators can determine how aggressively inbound mail should be filtered and what should happen to emails that are identified as spam or as threats.
However, striking the right balance between security and productivity can be a challenge. If inbound emails are filtered too aggressively, productivity will likely suffer, potential sales leads may be blocked, and business-critical communications could be sent to a spam folder. Conversely, if filtering controls are too relaxed, a higher percentage of spam and email-borne threats will evade detection.
The Typical Capabilities of Email Protection Software
Most email protection software works in a similar way. When an email enters a mail server, it goes through several front-end tests before the content is inspected for spam, email-borne threats, and compliance with email filtering policies. The front-end tests are automatic and typically verify that a destination for the email exists (recipient verification), check the originating URL against a blacklist of known sources of spam, and authenticate the sender of the email (SPF, DKIM, DMARC tests).
Thereafter, the content of the email and any attachments go through the content filtering process to check for spam, threats, and non-compliance. Depending on the capabilities of the email protection software, it may also be scanned for viruses and malicious links embedded into the content of the email. If the email fails the content filtering process, it is sent to a spam folder or quarantined for further inspection. If it passes, the email is delivered to its intended recipient.
While these capabilities detect around 99% of spam and email-borne threats, plenty of malicious emails still manage to avoid detection. This is because cybercriminals have learned how to bypass recipient verification and sender authentication tests, disguise keywords to evade filtering policies, and mask malicious links. Furthermore, blacklists of known sources of spam work retrospectively; so, to prevent emails being rejected by a blacklist test, cybercriminals change outbound mail servers.
How Greylisting Increases the Spam Detection Rate
Email greylisting is a capability of some email protection solutions that occurs prior to the front-end tests. As soon as an email enters a mail server, unless the sender has been previously whitelisted, the email is returned to the originating outbound mail server with a request for the email to be resent. Most outbound mail servers are equipped with mail retry queues; and, if an email isn't delivered when it is first sent, it is added to the mail retry queue and resubmitted within minutes.
When the email returns to the inbound mail server, the greylisting capability recognizes that it has been returned once already and allows it through to the front-end tests. However, spammers' servers have a large volume of emails returned to them due to their emails failing recipient verification, blacklist, and sender authentication tests. Because of the volume of returned emails, their servers' mail retry queues are often disabled and greylisted emails are not returned.
The difference greylisting makes to the spam detection rate is significant. By returning all spam emails to their originating sources, the greylisting process not only prevents the delivery of spam emails from previously known sources of spam, but also from previously unknown sources of spam. In tests, greylisting has been shown to increase the spam detection rate from 99% to 99.90% – not only reducing the amount of spam email that avoids detection, but also email-borne threats.
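The greylisting decision described above can be sketched as follows. This is an added example, not code from SpamTitan or any other product; it assumes the common approach of keying on the triplet of sending network, envelope sender and recipient, and the delay, window and expiry values are illustrative.

```python
import ipaddress
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: seconds before a retry is accepted
RETRY_WINDOW = 4 * 3600  # assumed: pending entry expires without a retry
PASS_TTL = 30 * 86400    # assumed: how long a passed triplet stays trusted

@dataclass
class Greylist:
    whitelist: set = field(default_factory=set)   # sender addresses or domains
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    passed: dict = field(default_factory=dict)    # triplet -> last-seen time

    def _key(self, client_ip, mail_from, rcpt_to):
        # Key on the /24 (IPv4) or /64 (IPv6) so a retry from a neighbouring
        # host in the same outbound pool still matches the first attempt.
        ip = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (action, reason); "defer" maps to an SMTP 4xx temporary failure."""
        sender = mail_from.lower()
        if sender in self.whitelist or sender.rpartition("@")[2] in self.whitelist:
            return ("accept", "whitelisted sender")
        key = self._key(client_ip, mail_from, rcpt_to)
        if key in self.passed and now - self.passed[key] <= PASS_TTL:
            self.passed[key] = now
            return ("accept", "triplet already passed greylisting")
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now   # first sighting or stale entry: start the clock
            return ("defer", "first attempt, resend requested")
        if now - first < MIN_DELAY:
            return ("defer", "retried before the minimum delay")
        del self.pending[key]
        self.passed[key] = now
        return ("accept", "retry after delay")

def demo():
    g = Greylist(whitelist={"partner.example"})
    t0 = 1_700_000_000  # constructed timestamps and addresses
    msg = ("alice@sender.example", "bob@corp.example")
    return [
        g.check("192.0.2.10", *msg, t0),          # first attempt
        g.check("192.0.2.10", *msg, t0 + 30),     # immediate retry
        g.check("192.0.2.77", *msg, t0 + 600),    # queued retry, sibling host
        g.check("198.51.100.5", "ceo@partner.example", "bob@corp.example", t0),
    ]
```

A sender that never retries simply leaves a pending entry that expires, so nothing from it reaches the front-end tests.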
The Importance of Flexible Configuration Options
Spam detection rates – and, by association, the volume of email-borne threats that evade detection – are often dependent on how email protection software is configured. As mentioned previously, striking the right balance between security and productivity can be a challenge, but it is a challenge that can be overcome if the software has flexible configuration options that allow filtering policies to be applied universally, by domain, by department, and/or by individual user.
This degree of flexibility enables administrators to apply more aggressive filtering policies for, for example, the finance team, and less aggressive filtering policies for, for example, the sales team. In this way, members of the finance team could be protected from emails more likely to harbor viruses, BEC threats, and phishing attempts, while members of the sales team would still receive sales leads containing misspellings, grammatical errors, and dubious salutations.
Flexibility is not only important in terms of filtering policies, but also in terms of how suspicious emails are dealt with. For example, it should be possible to choose between rejecting suspicious emails, quarantining them in a sandboxed environment, or delivering them to a spam folder depending on the nature of the suspicion – for example, an organization might want to deal with an email with a high spam confidence score differently than an email with a banned attachment type.
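As an added illustration of scoped policies and per-suspicion handling (not SpamTitan's configuration format), the sketch below resolves a recipient's policy and picks a disposition. The "most specific scope wins" order, the thresholds, the extension lists and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    spam_folder_at: float   # score at or above which mail goes to the spam folder
    reject_at: float        # score at or above which mail is rejected
    banned_ext: frozenset   # attachment extensions that are always quarantined

# Constructed policies: finance is filtered more aggressively than sales.
GLOBAL = Policy(5.0, 9.0, frozenset({".exe", ".scr"}))
POLICIES = {
    ("domain", "corp.example"): Policy(5.0, 8.0, frozenset({".exe", ".scr", ".js"})),
    ("department", "finance"): Policy(3.0, 6.0, frozenset({".exe", ".scr", ".js", ".iso"})),
    ("department", "sales"): Policy(6.5, 9.5, frozenset({".exe", ".scr"})),
    ("user", "cfo@corp.example"): Policy(2.5, 5.0, frozenset({".exe", ".scr", ".js", ".zip"})),
}
DEPARTMENTS = {  # hypothetical directory lookup
    "cfo@corp.example": "finance",
    "amy@corp.example": "finance",
    "raj@corp.example": "sales",
}

def resolve(recipient):
    """Assumed precedence: user, then department, then domain, then global."""
    rcpt = recipient.lower()
    scopes = [
        ("user", rcpt),
        ("department", DEPARTMENTS.get(rcpt)),
        ("domain", rcpt.rpartition("@")[2]),
    ]
    for scope in scopes:
        if scope in POLICIES:
            return scope[0], POLICIES[scope]
    return "global", GLOBAL

def disposition(recipient, spam_score, attachments=()):
    """Return (policy scope, action, reason) for one inbound message."""
    scope, policy = resolve(recipient)
    exts = {"." + name.rsplit(".", 1)[-1].lower() for name in attachments if "." in name}
    if exts & policy.banned_ext:
        return scope, "quarantine", "banned attachment type"
    if spam_score >= policy.reject_at:
        return scope, "reject", "high spam confidence"
    if spam_score >= policy.spam_folder_at:
        return scope, "spam-folder", "moderate spam confidence"
    return scope, "deliver", "clean"
```

With these constructed values, a message scoring 6.0 is delivered to the sales user but rejected for the finance user, which is the trade-off the section describes.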
Email Protection from SpamTitan
Available as a virtual appliance or as a cloud-based solution, SpamTitan is a highly effective anti-spam and anti-malware email protection solution with greylisting capabilities. SpamTitan also minimizes the volume of spam and email-borne threats evading detection by comparing inbound email against six specialist Real-Time Blocklists and by using Bayesian analysis, heuristics, and machine learning to block new varieties of phishing and Zero Day attacks before they are delivered to users' mailboxes.
Administrators can apply granular and customizable filtering policies via a user-friendly dashboard and dictate how suspicious emails are dealt with depending on the nature of the potential threat. Dual anti-virus engines scan both inbound and outbound emails, while outbound policy scanning can be used to prevent data leaks or to identify “account takeovers” if mailboxes are compromised by cybercriminals and used to launch attacks from a supposed trusted source.
In addition, SpamTitan can be used as a standalone solution to protect inboxes or placed in front of an existing email filter to enhance its capabilities. Finally, if you would like to know more about email protection, do not hesitate to contact the team at SpamTitan.com and book a demo of SpamTitan in action. The demo will give you the opportunity to ask any questions you have about SpamTitan's capabilities and see how easy it is to configure the email protection solution to your requirements.