The first rudimentary anti-spam software was developed in the mid-1990s in response to an increase in bulk, unsolicited emails. The system consisted of little more than a list of IP addresses that were being used to send large volumes of messages such as offers of cheap medications, watches, marketing messages, and more malicious content such as viruses and worms.
The email blacklist was the brainchild of Internet software engineers, Dave Rand and Paul Vixie, who added IP addresses to the list if they were being used for any objectionable behavior. The software engineers used a DNS-based distribution system to share the list, which proved to be extremely popular with businesses. The list served as a Border Gateway Protocol to which individuals could subscribe to prevent mass emails from reaching their inboxes.
So popular was the Mail Abuse Prevention System – MAPS for short – that it formed the basis of a not-for-profit organization dedicated to ridding email systems from the scourge of unwanted and unsolicited email messages. The blacklist of decidedly dodgy IP addresses soon became known as the Real-Time Blackhole List (RBL) that exists to this day.
Back in the mid-1990s, spam email volume was relatively low and the emails were little more than a nuisance. Fast forward to today and more than half of all emails are spam or junk and just 45.4% of emails are genuine. Office-based workers in the United States receive an average of 121 emails a day, which means 66 messages are likely to be unwanted, unsolicited, and potentially malicious.
Within the 54.6% of emails considered to be spam are some serious cybersecurity threats. Email is the primary method of delivering malware, ransomware, botnets, and viruses and email is the main attack vector used for phishing. These malicious messages are more than just a nuisance. They can allow hackers to gain access to business networks, steal sensitive data, and take full control of an organizations’ systems.
Without an RBL or anti-spam software, those malicious messages would arrive in inboxes and would potentially be opened by employees. Given the volume of spam email now being sent, anti-spam software is now essential for businesses. Unfortunately, a simple RBL is no longer enough as spammers and scammers are constantly changing IP addresses to ensure that their messages are not flagged as spam. If an IP address is not on an RBL, the message will be delivered.
Modern Anti-Spam Software
Modern anti-spam software solutions use a range of different methods to separate the good from the bad. RBLs are still a fundamental part of anti-spam software. If an IP address is being used for spamming, the RBLs will ensure that any incoming emails from that IP address are forwarded to a quarantine folder.
An IP address that has never been used for spamming could be used to send mass emails. The IP address would only be added to the list when the first reports of spamming are received. To catch spam email from IP addresses with a good reputation, additional controls are required.
Email authentication protocols are incorporated into most modern anti-spam software solutions in addition to RBLs.
Sender Policy Framework (SPF) is a mechanism of checking that the person sending a message is authorized to send emails from that domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an extension of SPF, and allows domain owners to protect their domains from unauthorized use and is important for blocking phishing and business email compromise attacks. If an organization publishes a DMARC record, any email server can authenticate messages against that record. Recipient Verification Protocol is used to make sure that recipient email addresses are valid. If an email is sent to a non-existent email address at an organization, that message will not be delivered.
Content analysis tools are also required. These tools scan the content of messages and message headers and search for words, phrases, and content commonly associated with spam email – multiple embedded hyperlinks for example. A Bayesian analysis may also be performed by anti-spam software to determine the probability that a message is spam.
Anti-spam software also incorporates anti-virus controls to identify malware and malicious scripts in email attachments. Signature-based anti-virus controls check email attachments for malware and malicious code.
Advanced Anti-Spam Detection Methods
The above methods used by anti-spam software may be sufficient to block up to 99% of spam email, but to block the remaining 1%, additional, more advanced spam detection methods are required.
Greylisting is a technique whereby emails are rejected, and a request is made to the originating server for the message to be resent. Since mail servers used for spamming are usually too busy conducting huge spam runs, the messages are never resent or are delayed. The time it takes for the message to be resent – if it is at all – is an indicator of whether the mail server is being used for spamming.
SURBL/URIBL filtering is a spam filtering technique that scans messages for embedded hyperlinks and assesses whether they link to malicious or suspicious domains. When a domain or webpage is identified as malicious, the URL is added to a blacklist like an RBL. Spam filtering solutions check these lists to determine whether embedded hyperlinks are malicious.
SMTP controls are used to reject messages from non-fully qualified MAIL FROM commands or messages from domains without an MX or DNS A record.
Signature-based malware detection only identifies known malware. To block zero-day malware – brand new malware variants – a sandbox is required. Suspicious attachments are executed in the sandbox and their actions are studied for signs of malicious activity.
With these and other advanced techniques, catch rates can be increased to more than 99.9%.
How to Choose Anti-Spam Software
There are many factors to consider when choosing the best anti-spam software for your business. The most expensive solutions are not necessarily the best. Many lower cost solutions will provide an equal, if not better level of protection than some of the more expensive offerings. They may also be much easier to implement, configure and maintain.
Ideally, check third-party review sites to find out from users how the product performs and how easy it is to use. Also take advantage of any free product trials to assess the solution in your own environment to see how effective it is at blocking spam and malicious messages.
While all commercial spam filters will block spam email and known malware, to protect against zero-day attacks and sophisticated email threats you will need a more advanced solution. All it takes is for one malicious message to reach an end user’s inbox and attract a click for malware to be installed or credentials to be compromised. It is therefore advisable to choose a solution with the advanced detection methods detailed above. That way you can be sure that your email system will be well protected against the full range of email-based threats.