Email Spam Tips

We have compiled some email spam tips that will help you reduce the number of unsolicited and unwanted emails that are delivered to your employees’ inboxes.

Many businesses implement a spam filtering solution to combat spam, yet discover that even with the filter in place, spam and malicious messages make it past their controls and are delivered to inboxes. This could be due to an ineffective solution or the failure to configure the solution correctly. Many anti-spam solutions can be complicated to configure, and important settings can easily be missed.

10 Email Spam Tips that Can Improve Your Security Posture

Consider these email spam tips to improve your filtering controls, block more unwanted messages without blocking a high percentage of genuine email communications, and improve your defenses against malware and ransomware attacks. In addition, our email spam tips cover some non-technical controls that will decrease susceptibility to phishing attacks.

Have You Enabled SMTP Handshake Protocols?

One of the most important first-line tests in spam filtering is the SMTP handshake: your mail server looks for a HELO command or a qualified or resolvable hostname. This control will ensure that any messages without a valid DNS A or MX record are rejected.

If you have clients that have incorrectly configured email servers, you should add their domains to a whitelist to ensure the messages are always delivered.

Does Your Real-Time Block List Update in Real-Time?

All anti-spam solutions use real-time block lists to identify spam and malicious messages. A real-time blocklist is a constantly updated list of IP addresses and domains that are used for spamming and sending malicious messages. Before any message is delivered, the sender’s IP address and domain are checked against the blacklist. If present in the list, the message is not delivered. This control typically ensures 80%-90% of spam messages are not delivered. If you are still receiving high volumes of spam, your real-time block list may not be updating in real-time.

Are You Using Recipient Verification?

If an email is sent to the correct domain but the recipient name is not valid, are the messages still being delivered?

If you activate recipient verification, not only will these messages not be delivered, they will not be downloaded, which will ease the strain on your mail server. If you upload a list of valid email addresses used by your organization to your spam filter, only messages addressed to a specific recipient will be delivered. If you don’t want to lose all those emails, set up a separate email account as a catchall where these messages are directed and periodically checked.

Have You Set an Appropriate Spam Threshold?

The easiest way to ensure the maximum number of spam messages are blocked is to set an aggressive tolerance level in your spam filter. Permissive filtering controls will see some spam emails delivered, but there will be relatively few false positives. At the aggressive level, the reverse will be true: Very little spam, but a higher percentage of genuine emails will be quarantined. Getting the optimum setting involves some trial and error, especially when trialing a new anti-spam software solution.

Does Your Anti-Spam Software Use Greylisting?

Greylisting is one of the most important controls in our email spam tips, although not all anti-spam solutions include this feature. Blacklist-based spam filters block messages from known spammers, as their IP addresses will be included in the blacklist. However, spammers frequently change IP addresses for this reason and often send small quantities of messages from each of several IPs to avoid detection. Those IPs will not be added to blacklists. There is also a delay between a new IP being used for spamming and it being included in a blacklist.

Greylisting helps in this regard. Messages from questionable IP addresses that fail to hit the threshold for classification as spam are returned to the sender with a request to resend. Since spammers’ mail servers are too busy to respond to these requests, the delay in receiving the message back is a good indication of whether the message is genuine. This feature of spam filters can be the difference between a 98% and almost 100% block rate.
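The decision logic behind greylisting, as an added example that is not taken from any particular product: the first attempt from an unknown sender is answered with a temporary SMTP failure, and only a retry that arrives after a minimum delay is accepted. Keying on the (client IP, envelope sender, recipient) triplet, the delay values and the reply texts are assumptions made for this sketch.

```python
import time

class Greylist:
    """Greylisting keyed on the (client IP, envelope sender, recipient) triplet."""

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 pass_ttl=36 * 24 * 3600, clock=time.time):
        self.min_delay = min_delay        # seconds a retry must wait (assumed value)
        self.retry_window = retry_window  # a retry must arrive within this window
        self.pass_ttl = pass_ttl          # how long a proven triplet stays trusted
        self.clock = clock                # injectable so the logic can be tested
        self.pending = {}                 # triplet -> time first seen
        self.passed = {}                  # triplet -> time last accepted

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        now = self.clock()
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now
            return 250, "OK (known triplet)"

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # New or expired triplet: temporary failure. A standards-compliant
            # mail server queues the message and retries later.
            self.pending[key] = now
            return 451, "Greylisted, please try again later"

        if now - first_seen < self.min_delay:
            return 451, "Greylisted, retry too soon"

        del self.pending[key]
        self.passed[key] = now
        return 250, "OK (retry accepted)"

def demo():
    """Replay one constructed sender at t = 0 s, 30 s, 600 s and 700 s."""
    t = [0.0]
    gl = Greylist(clock=lambda: t[0])
    triplet = ("192.0.2.10", "alice@example.org", "bob@example.com")
    codes = []
    for at in (0, 30, 600, 700):
        t[0] = at
        codes.append(gl.check(*triplet)[0])
    return codes
```

A sender that rotates to a new IP address for every attempt never matches a pending triplet, so each attempt is treated as a first attempt and deferred again.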

Is Your Anti-Spam Solution Capable of Learning?

Anti-spam software solutions that use a Bayesian analysis to check message content for the common signatures of spam are capable of learning and getting better over time. Since spamming tactics change over time, this method ensures new spamming tactics are identified and incorporated into the filtering controls. If end users are trained to tag emails as spam, it will speed up training of your spam filter. This is an important control but one of our email spam tips that you may not be able to apply. If your anti-spam solution does not include this feature, consider upgrading.

Are You Blocking Specific Types of File Attachments?

You should configure your anti-spam solution to block emails containing specific types of file attachments commonly used by cybercriminals to install malware. It is not practical to block all types of file attachments, but if your solution supports MIME filtering you should certainly block executable files with extensions such as .exe, .bat, .scr, and .js.
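A sketch of the MIME check described above, as an added example rather than any product's own code: it walks every part of a message and flags attachment names ending in the extensions listed in the text. The sample message is constructed, and the handling of upper-case names, double extensions and trailing dots is an assumption about what a filter should normalize.

```python
from email import message_from_bytes, policy

BLOCKED_EXTENSIONS = (".exe", ".bat", ".scr", ".js")  # extensions named in the text

def blocked_attachments(raw_message):
    """Return the attachment names that end in a blocked extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls back
        # to the Content-Type "name" parameter when that is missing.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in file names, so strip
        # them before comparing; lower-case to catch "FILE.EXE".
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

# Constructed sample: one benign PDF, one double-extension executable and
# one screensaver named only in the Content-Type header.
SAMPLE = b"""\
From: sender@example.org
To: payroll@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.EXE"

MZ
--b1
Content-Type: application/octet-stream; name="update.scr."

x
--b1--
"""
```

Extension matching is only the first layer: it does not look inside archives and does not inspect file content, so a renamed executable passes this check.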

Are You Analyzing Hyperlinks in Inbound Mail?

Malicious email attachments are relatively easy to detect and most end users are aware that they shouldn’t open attachments from unknown senders. Hyperlinks sent in messages are another matter. Many employees click on links in emails, regardless of who sent the message.

While separate solutions (web filters) can offer greater protection, make sure your spam filter is capable of inspecting hyperlinks and incorporates URIBL and SURBL protocols to block malicious URLs: those that have previously been used in spamming and phishing campaigns or have been reported as malicious.
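How the block list lookups in this tip and in the real-time block list tip work at the DNS level, as an added example that is not part of the original article: the sending IP address (octets reversed) or a linked hostname is prepended to the list's zone, and an answer in 127.0.0.0/8 means "listed". The zone names and the stub resolver with its data are hypothetical so the code runs offline; real URI lists are normally queried with the registered domain rather than the full hostname.

```python
import ipaddress
import re
from urllib.parse import urlsplit

IP_ZONE = "dnsbl.example"   # hypothetical IP block list zone
URI_ZONE = "uribl.example"  # hypothetical URI block list zone
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def ip_query(ip, zone=IP_ZONE):
    """Query name for an IPv4 sender: reversed octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def uri_queries(body, zone=URI_ZONE):
    """Query names for every distinct host linked in a message body."""
    hosts = []
    for url in re.findall(r"https?://[^\s<>]+", body, flags=re.I):
        url = url.rstrip(".,;)\"'")  # drop sentence punctuation after the link
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return [h + "." + zone for h in hosts]

def is_listed(qname, resolve):
    """resolve(qname) returns a list of A records, empty when not found."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in resolve(qname))

def verdict(client_ip, body, resolve):
    """Return the query names that came back listed for this message."""
    names = [ip_query(client_ip)] + uri_queries(body)
    return [n for n in names if is_listed(n, resolve)]

# Constructed zone data standing in for live DNS answers.
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    "login.bad-site.example.uribl.example": ["127.0.0.2"],
}

def fake_resolve(qname):
    return FAKE_ZONE.get(qname, [])
```

Because every lookup is a live DNS query, a list that is mirrored locally or cached for long periods stops being real-time, which is the failure the block list tip warns about.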

Use Group Settings for Tailoring Controls to Risk Level

While mass email campaigns are still conducted, cybercriminal gangs are increasingly using smaller, targeted campaigns to attack organizations. These spear-phishing campaigns target high-value individuals in an organization, notably the C-suite and accounts/payroll staff, and often bypass permissive spam filtering controls.

If your spam filtering solution allows it, set different controls for different users based on the level of risk. Use more aggressive filtering controls for the email accounts of the CEO, CFO, high-level executives, and accounts/payroll staff. Less restrictive controls can be applied to the sales and marketing department.

Don’t Neglect End User Training

Even the most advanced spam filtering solutions will not block all spam emails, at least not without also blocking a high percentage of genuine messages. It is therefore important to ensure your employees are trained how to respond when potentially malicious messages arrive in their inboxes. Arguably, this is the most important measure to implement out of all our email spam tips.

Identifying malicious messages is a skill that not every employee possesses. You should ensure that training is provided to teach the workforce to be more security aware, train end users on security best practices, and tell them how to identify phishing emails.

The best security awareness training programs are ongoing and involve phishing simulations. Ongoing training helps organizations develop a security culture, while phishing simulations can gauge the effectiveness of training programs. When a phishing simulation is failed, it can be turned into a training opportunity.

Summary of our Email Spam Tips

If you implement all our email spam tips, you should be able to reduce the volume of unwanted messages that are delivered to inboxes, improve protection from viruses and malware, and ensure your staff are prepared and know how to deal with malicious messages when they are received.

A summary of our email spam tips is listed below:

  • Ensure your anti-spam solution performs an SMTP handshake
  • Make sure your blacklists are updated in real-time
  • Verify recipients to block emails sent to email addresses commonly used by spammers such as info@, webmaster@, and admin@
  • Make sure you set the correct spam threshold – Adjust your settings to balance email blocking and false positives
  • Choose an anti-spam solution that gets better over time and learns from user behavior
  • Ensure emails with attachment types commonly used to install malware are quarantined
  • Ensure hyperlinks in messages are scanned and assessed against URIBL and SURBL protocols
  • Set different filtering controls for users and groups based on risk
  • Conduct ongoing employee training and use phishing simulations to develop a ‘security aware’ culture


How does a spam filter block email impersonation attacks?

Email impersonation attacks involve the spoofing of email addresses. To block these attacks, spam filters incorporate SPF, DKIM, and DMARC to identify whether the sender of an email is authorized to use that email domain. If the sender is not authorized to send emails from a particular domain, the email will be rejected or quarantined.

What is greylisting?

Greylisting is a mechanism used by some spam filters for identifying spam and phishing threats sent from previously benign IP addresses. Greylisting involves initially rejecting an email and requesting the message be resent. Email servers used for spamming do not typically respond quickly and the request times out. This is a good indicator of whether an email is spam.

Why should I scan outbound emails?

Outbound email scanning is important for detecting compromised mailboxes and insider threats. Spam filtering solutions with outbound scanning can block phishing and malware-laced emails that are sent by insiders and from compromised corporate email accounts. Some solutions have data loss protection mechanisms that can block attempts to send prohibited data externally via email.

Can separate email filtering policies be applied for different departments?

Different departments are likely to require different spam filtering settings. Most spam filters allow policies to be set at the organization, department, user group, and individual user level. This is usually achieved through integration with directory services such as AD and LDAP.

What happens to emails that are blocked by a spam filter?

Spam filters can be configured to reject, delete, quarantine, deliver messages to an individual’s spam folder, or send messages to inboxes with warnings that messages may be malicious. System administrators can set rules on how messages will be treated through the administration panel of the solution based on the results of HELO, DKIM, and DMARC tests, Sender Policy Framework (SPF) checks, and other spam filtering checks.