All email services include a spam filter service by default – from free services such as Gmail to subscription services such as Microsoft 365. Most work in a similar way by verifying the recipient of the email, authenticating the sender of the email, comparing the sender's IP address against a blacklist of known spammers, and checking the content of the email for spam keywords.
These checks typically prevent the delivery of between 95% and 99% of spam emails; but, due to the volume of spam emails harboring malware or aiming to fraudulently obtain login credentials, it is in a business's best interests to maximize the spam detection rate as much as possible. The less spam that evades detection, the less risk there is of a successful ransomware or phishing attack.
How a Basic Spam Filter Service Works
To maximize the spam detection rate, it is necessary to understand how a basic spam filter works. In most cases, when an email is received by a mail server, the first step is verifying the recipient. With a Gmail account this is straightforward because emails entering a Gmail server are only delivered to inboxes with matching recipient usernames – i.e., [username]@gmail.com. The rest are rejected.
However, with business accounts, the recipient verification process is more complicated because, as well as usernames, a business may have email accounts in the names of sales@, contact@, and/or support@. The spam filter service has to be configured so it knows where to direct emails, and what to do with those that do not have a dedicated email inbox – for example when a name is misspelled.
Emails that are not rejected are then tested to authenticate the sender. This is usually done via a series of email-authentication techniques known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), which can detect forged and disguised sender addresses – usually an indicator of fraud.
Thereafter, the IP address of the server from which the email was sent is compared to one or more “real-time blocklists” (RBLs). The blocklists contain the IP addresses of servers known to have previously sent spam or malware; and, if a match is found, the email is either rejected, quarantined, or sent to a spam folder depending on how the spam filter service has been configured.
Finally, the content of the email (and any attachments) is scrutinized by a keyword filter and assigned a spam confidence score. Those with a low score are delivered to their recipient, while those with a score that exceeds the spam confidence level threshold are quarantined, sent to a spam folder, or rejected – again depending on how the spam filter service has been configured.
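The four checks above, in the order the article describes them, as an added example that is not part of the original article or any vendor's product. The mailbox list, alias table, blocklist zone, keyword weights and DNSBL answers are all constructed for the example; the one detail worth noting is how a real-time blocklist is queried, by reversing the IPv4 octets and appending the list's zone as a DNS name.

```python
import ipaddress

# Constructed sample configuration (assumption: no real vendor product or DNS zone).
MAILBOXES = {"alice@example.com", "bob@example.com"}
ALIASES = {"sales@example.com": "alice@example.com",
           "support@example.com": "bob@example.com"}
RBL_ZONE = "rbl.example.invalid"          # placeholder blocklist zone
RBL_ANSWERS = {"4.3.2.203." + RBL_ZONE}   # simulated DNSBL hits, stand-in for DNS
KEYWORD_WEIGHTS = {"free": 2.0, "winner": 3.0, "urgent": 1.5,
                   "password": 2.5, "click here": 2.0}
SPAM_THRESHOLD = 5.0

def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_listed(ip, answers=RBL_ANSWERS):
    # A real RBL check resolves the name and treats any A record as a hit.
    return rbl_query_name(ip) in answers

def resolve_recipient(addr):
    """Recipient verification: a real mailbox, a known alias, or nothing."""
    addr = addr.lower()
    return addr if addr in MAILBOXES else ALIASES.get(addr)

def content_score(body):
    """Keyword filter: sum the weights of the spam terms present."""
    text = body.lower()
    return sum(w for kw, w in KEYWORD_WEIGHTS.items() if kw in text)

def filter_message(msg):
    """Run the checks in the order described above; return (action, reason)."""
    rcpt = resolve_recipient(msg["rcpt"])
    if rcpt is None:
        return "reject", "unknown recipient"
    # SPF/DKIM/DMARC evaluation needs DNS; for this offline example the
    # DMARC verdict is carried in the message dict.
    if msg.get("dmarc") == "fail":
        return "reject", "sender authentication failed"
    if rbl_listed(msg["client_ip"]):
        return "quarantine", "client IP listed in " + RBL_ZONE
    score = content_score(msg["body"])
    if score >= SPAM_THRESHOLD:
        return "spam_folder", "score %.1f >= %.1f" % (score, SPAM_THRESHOLD)
    return "deliver", rcpt
```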
How to Improve a Basic Spam Filter Service
There are issues with each of these processes which contribute to lower-than-acceptable spam detection rates. Anyone who has ever received an email not intended for them will appreciate that recipient verification processes are not infallible, while cybercriminals have known for a long time how to bypass authenticity checks. RBLs only identify spam emails from known sources of spam, while keyword filters can be fooled by character substitution – e.g., vi@gra, ƒree, ßuy, etc.
To overcome these issues, businesses need to look for a spam filter service that includes a greylisting feature, built-in anti-virus, a keyword filter with predictive Bayesian analysis, and malicious URL protection. While not guaranteed to prevent all email-borne threats evading detection, in tests spam filter services with these capabilities have achieved a spam detection rate of 99.97% – significantly reducing the likelihood of a malware or phishing attack being successful.
Greylisting takes place before the spam filter service performs any of its other tests. All incoming emails – except those from whitelisted sources – are temporarily rejected and returned to their originating servers, which add them to their mail retry queues and usually resend them within minutes. Spammers' servers, however, typically have the mail retry function disabled because of the volume of undelivered spam email that would otherwise be returned to them, so the spam email is never resent.
Most anti-virus software works retrospectively inasmuch as users are alerted to issues only when a virus or malware has already been deployed on their system. Spam filter services with built-in anti-virus check emails and attachments to identify email-borne threats before they are delivered to users, and before the virus or malware has an opportunity to be deployed and infect the system. In most cases, email-borne threats are sent to a sandbox for further analysis.
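The greylisting behaviour described above, as an added example that is not part of the original article: a receiving server defers the first delivery attempt for each unseen (client IP, envelope sender, envelope recipient) triplet with a temporary SMTP failure, then accepts the retry. The whitelist entry, the minimum retry delay, the record lifetime and the simulated clock are all assumptions made for the example.

```python
import time

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"
# Assumed timings (not from the article): a retry sooner than RETRY_MIN is
# still deferred, and a triplet not seen again within RECORD_TTL is forgotten.
RETRY_MIN = 300
RECORD_TTL = 36 * 3600
WHITELIST = {"198.51.100.10"}   # constructed trusted relay, never greylisted

class Greylist:
    """Tracks (client IP, envelope sender, envelope recipient) triplets."""
    def __init__(self, clock=time.time):
        self.first_seen = {}
        self.clock = clock   # injectable so the example can run offline

    def check(self, client_ip, mail_from, rcpt_to):
        if client_ip in WHITELIST:
            return ACCEPT
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RECORD_TTL:
            self.first_seen[triplet] = now   # first contact: defer and remember
            return TEMP_FAIL
        if now - seen < RETRY_MIN:
            return TEMP_FAIL   # retried too soon; a real MTA waits longer
        return ACCEPT          # sender queued and retried like a real MTA

class FakeClock:
    """Constructed clock so the example is deterministic."""
    def __init__(self):
        self.t = 1_000_000.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def simulate():
    """A legitimate MTA retries; the spam sender never does. Returns both outcomes."""
    clock = FakeClock()
    gl = Greylist(clock)
    first = gl.check("192.0.2.10", "alice@example.net", "sales@example.com")
    clock.advance(600)   # a normal MTA retries after a few minutes
    second = gl.check("192.0.2.10", "alice@example.net", "sales@example.com")
    spam = gl.check("203.0.113.7", "promo@spam.invalid", "sales@example.com")
    # the spammer's software has retries disabled, so there is no second attempt
    return first, second, spam
```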
Predictive Bayesian Analysis
Keyword filters with predictive Bayesian analysis are not fooled by character substitutions (e.g., vi@gra, ƒree, ßuy, etc.) and use machine learning processes to identify anomalies in the content of emails that could indicate new varieties of malware, zero-day attacks, and phishing. This capability – along with greylisting – prevents the delivery of spam and email-borne threats from "new" sources that may not yet have been identified and added to an RBL.
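The contrast drawn in the two passages above (a plain keyword filter fooled by vi@gra, ƒree and ßuy, against a Bayesian filter that is not), as an added example that is not part of the original article. The substitution table, the tiny training corpus and the classifier are all constructed for the example; the Bayesian part is a Bernoulli naive Bayes with Laplace smoothing, which is one common way such filters are built, not necessarily the method any particular product uses.

```python
import math
import re
import unicodedata
from collections import Counter
# Constructed substitution table (assumption: a real filter uses a far larger
# confusables list) mapping characters spammers swap in back to plain letters.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                               "ƒ": "f", "ß": "b", "|": "l", "€": "e"})

def normalize(text):
    """Lowercase, strip accents via NFKD, then undo common substitutions."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(SUBSTITUTIONS)

def tokens(text):
    return set(re.findall(r"[a-z]+", normalize(text)))

def keyword_filter(text, keywords=("viagra", "free", "buy")):
    """Plain keyword match on the raw text; vi@gra, ƒree and ßuy slip past it."""
    return any(k in text.lower() for k in keywords)

class NaiveBayes:
    """Bernoulli naive Bayes over normalized tokens, with Laplace smoothing."""
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}
    def train(self, text, label):
        self.docs[label] += 1
        self.counts[label].update(tokens(text))
    def spam_probability(self, text):
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])  # prior
        for tok in tokens(text):
            if tok not in self.counts["spam"] and tok not in self.counts["ham"]:
                continue  # unseen token: no evidence either way
            p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))
# Constructed training corpus; a real filter learns from thousands of messages.
TRAINING = [("buy viagra now", "spam"), ("free pills buy now", "spam"),
            ("cheap viagra free shipping", "spam"), ("free money winner", "spam"),
            ("meeting agenda for monday", "ham"), ("lunch on friday", "ham"),
            ("please review the attached invoice", "ham"), ("project status update", "ham")]
def build_model():
    model = NaiveBayes()
    for text, label in TRAINING:
        model.train(text, label)
    return model
```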
Malicious URL Protection
There are several types of malicious URL protection – some offering very little “protection” because cybercriminals have learned how to mask malicious links. The best options are those with “time-of-click” protection that analyze links at the time they are clicked to protect against links to websites that appear to be safe on delivery, but that are later weaponized with malware – an ideal feature for businesses with employees who are susceptible to phishing.
Other Email Protection Features to Consider
While the above features can reduce the likelihood of a malware or phishing attack being successful, effective email protection is not only conditional on what mechanisms are put in place, but on how they can be used – and are used. For example, a business may wish to apply a high spam threshold for emails intended for the finance department, but doesn't want to apply the same threshold business-wide because it may prevent the delivery of (for example) sales leads.
Consequently, it is advisable to implement a spam filter service with a granular and customizable policy engine to apply different policies to individual users, departments, and/or domains. You may even need to apply different outcomes to emails identified as spam or as potentially malicious per user, department, and/or domain – especially with sales leads, which can often include misspelling and common spam words which might see them rejected or automatically deleted.
However, it is important that granularity and customization do not add up to complexity. This is because, if a spam filter service is complicated to configure, mistakes could be made in the application of filtering policies, resulting in (for example) risky emails being delivered to the finance department, sales leads being quarantined or rejected, and email-borne threats being flagged as spam but still delivered to users' inboxes.
Other features that businesses may wish to consider are outbound filtering – which can prevent data loss, reputational damage, and account takeovers – and on-premises filtering. Most spam filter services are cloud-based services which means data has to travel via a third party when it is delivered or sent. For businesses in regulated industries, an on-premises spam filter service can help prevent potential issues with data ownership and compliance.
See These Features in Action – Request a Demo of SpamTitan
Understandably, many businesses are reluctant to change an existing spam filter service for a new one because of the work involved in importing users, creating new policies, and getting to grips with the technology. However, not only will the effort be worthwhile, the adoption of a new spam filter service such as that provided by SpamTitan does not have a huge administrative overhead – businesses can simply place the SpamTitan filter in front of an existing service.
To see how this works – and to see all the features mentioned above in action – contact TitanHQ and book a free demo. The demo gives you the opportunity to evaluate the benefit of each feature for your business and to ask SpamTitan's team of sales technicians any questions you have about replacing or augmenting an existing spam filter service. Remember – the less spam that evades detection, the less risk there is of a successful ransomware or phishing attack against your business.