Spam Filter Service

One of the most important factors in email protection is implementing a spam filter service with a high spam detection rate that adapts quickly to new threats or when cybercriminals find ways to circumvent existing security controls.

Cybersecurity is always evolving in order to keep pace with the increasing sophistication of cyberthreats; but, in the context of email protection, some spam filter services evolve slower than others. This can result in exploitable gaps in cybersecurity defenses and leave businesses vulnerable to malware, ransomware, and phishing attacks.

Take Office 365, for example. Widely criticized in 2018 for having below-average spam detection rates (even with Advanced Threat Protection), Microsoft was keen to announce DMARC support across all Office 365 email platforms in 2019. However, within a year, hackers had found eighteen ways to bypass the sender authentication mechanism.

Microsoft has yet to react to the ease with which cybercriminals can circumvent sender authentication mechanisms or resolve issues with the Safe Links capability, which can be bypassed with IP traffic misdirection or obfuscated with SiteCloak software – notwithstanding that most users cannot distinguish whether rewritten “Safe Links” are safe or not.

How to Ensure a High Level of Email Protection

Ensuring a high level of protection does not have to be complicated or expensive. Simply implement a spam filter service with capabilities such as automatic greylisting, predictive Bayesian analysis, and “time-of-click” URL protection. These three capabilities can respectively:

  • Prevent spam and email-borne threats entering the mail server.
  • Identify potential threats that have bypassed front-end tests.
  • Alert users to seemingly safe links that have been weaponized post-delivery.

Automatic Greylisting

Greylisting is a process that automatically returns incoming emails to their originating servers unless the IP address of the originating server has been previously whitelisted. As with any undeliverable email, the greylisted email is added to the originating server's mail retry queue and resubmitted within minutes. On its return, the greylisting capability recognizes it has already been returned once and allows it through to the front-end tests (recipient verification, sender authentication, etc.).

Spammers' servers usually have the mail retry function disabled due to the vast number of returned mails they receive. This means that greylisted spam emails are rarely resubmitted, so they rarely get the chance to bypass front-end tests or evade detection in the analysis stages. In tests, automatic greylisting has achieved spam detection rates of 99.9%. As most spam contains malware and/or malicious links, this high spam detection rate can significantly improve a business's security profile.
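The greylisting decision described above, as an added example (not code from any spam filter product). The SMTP reply codes, the 60-second minimum retry delay, the 4-hour expiry and the use of a sender/recipient/IP triplet to recognize a returning email are assumptions; the addresses are constructed.

```python
import time

TEMPFAIL, ACCEPT = 451, 250  # SMTP reply codes (assumed; the article names none)

class Greylist:
    def __init__(self, whitelisted_ips=(), min_delay=60, max_age=4 * 3600):
        self.whitelisted_ips = set(whitelisted_ips)
        self.min_delay = min_delay   # assumed: retries sooner than this stay deferred
        self.max_age = max_age       # assumed: a deferral older than this is forgotten
        self.pending = {}            # (ip, sender, recipient) -> time first deferred
        self.passed = set()          # triplets that completed a valid retry

    def check(self, ip, sender, recipient, now=None):
        """Return the SMTP code to give before any front-end test runs."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), recipient.lower())
        if ip in self.whitelisted_ips or key in self.passed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now  # first sighting, or stale entry: defer
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL          # immediate re-send, not a retry-queue resubmission
        del self.pending[key]
        self.passed.add(key)         # returned once already: let it through
        return ACCEPT

def simulate():
    """Constructed traffic: a whitelisted relay, a server that retries, one that never does."""
    g = Greylist(whitelisted_ips={"192.0.2.10"})
    t0 = 1_000_000
    legit = ("198.51.100.7", "b@example.net", "u@example.com")
    return [
        g.check("192.0.2.10", "a@example.org", "u@example.com", t0),  # whitelisted IP
        g.check(*legit, t0),          # first attempt: returned to sender
        g.check(*legit, t0 + 5),      # re-sent after 5 s: still deferred
        g.check(*legit, t0 + 300),    # retry queue resubmits: accepted
        g.check("203.0.113.9", "x@example.invalid", "u@example.com", t0),  # no retry follows
    ]

if __name__ == "__main__":
    print(simulate())
```

The last sender is deferred once and, having no retry queue, never returns, so its message never reaches the front-end tests.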

Predictive Bayesian Analysis

Usually, a spam filter service will include an analysis feature that scans the content of emails looking for “spam trigger words” – words commonly used in spam and malicious emails. In many cases, the feature is dictionary-based and will cover some, but not all, types of character substitutions (e.g., vi@gra, ƒree, ßuy, etc.). This feature usually calculates a Spam Confidence Score based on the frequency of the trigger words and flags any emails that exceed a user-defined threshold.

With predictive Bayesian analysis, the analytical feature also “learns” the nature of content and the language used in email communications. This enables the feature to recognize anomalies in emails that could represent potential threats. Emails that fail the analysis – even though they may have passed the front-end tests – are either flagged to the end user or quarantined in a sandbox environment for human analysis depending on how the capability has been configured.
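A small naive Bayes scorer that learns word frequencies from labelled mail and compares the result to a threshold, as an added example (not any vendor's implementation). The substitution map, the training messages and the 0.9 threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed substitution map covering the article's examples (vi@gra, ƒree, ßuy).
SUBST = str.maketrans({"@": "a", "ƒ": "f", "ß": "b", "0": "o", "$": "s"})

def tokens(text):
    """Lower-case, undo character substitutions, split into words."""
    return re.findall(r"[a-z]+", text.lower().translate(SUBST))

class BayesFilter:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, label, text):
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def spam_probability(self, text):
        """P(spam | words), with Laplace smoothing for unseen words."""
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        total_docs = sum(self.docs.values())
        logp = {}
        for label in ("spam", "ham"):
            n = sum(self.words[label].values())
            lp = math.log(self.docs[label] / total_docs)
            for w in tokens(text):
                lp += math.log((self.words[label][w] + 1) / (n + vocab))
            logp[label] = lp
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))

    def verdict(self, text, threshold=0.9):
        return "flag" if self.spam_probability(text) >= threshold else "deliver"

def build_filter():
    """Train on four constructed messages (two spam, two legitimate)."""
    f = BayesFilter()
    f.train("spam", "Buy cheap viagra now, free shipping")
    f.train("spam", "Free prize, click now to claim your account reward")
    f.train("ham", "Meeting moved to Monday, agenda attached")
    f.train("ham", "Invoice for the March project is attached, please review")
    return f

if __name__ == "__main__":
    f = build_filter()
    for msg in ("ßuy vi@gra, ƒree today", "Please review the agenda for Monday"):
        print(f"{f.spam_probability(msg):.3f} {f.verdict(msg)} {msg}")
```

Each further call to `train` shifts the word frequencies, which is the “learning” the section refers to; the score depends on what this mailbox has seen rather than on a fixed dictionary.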

“Time-of-Click” URL Protection

Office 365 is not the only spam filter service that scans URLs embedded in emails to ensure they are “safe”. Many services check URLs against a database of known links to phishing sites during the analysis process or as an independent operation. The issue is that scans are usually conducted at the point of delivery, rather than at the time the user clicks on a link once the malicious email has been delivered to their inbox. Sometimes this can be hours or days later.

One of the latest methods used by cybercriminals to get malicious emails past the URL analysis stage is to embed a harmless link into the email and then weaponize the target page after the analysis has been conducted. To adapt quickly to this threat, some spam filter services have added a time-of-click scan that checks the safety of the target page a second time when the link is clicked. If the second scan identifies a threat, the user will be prevented from visiting the target page.
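The gap between a delivery-time scan and a time-of-click scan, as an added example (not code from Office 365 or any other product). The gateway URL, the signing key, the HMAC tag on rewritten links and the host-based reputation lookup are assumptions; all hostnames are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"         # assumption: per-deployment signing key
GATEWAY = "https://click.example.com/c"  # hypothetical link-rewriting gateway

def _tag(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite(url):
    """Delivery time: wrap the original link so every click passes the gateway."""
    return GATEWAY + "?" + urlencode({"u": url, "t": _tag(url)})

def on_click(rewritten, is_malicious):
    """Click time: verify the tag, then scan the target again before redirecting."""
    q = parse_qs(urlsplit(rewritten).query)
    url, tag = q.get("u", [""])[0], q.get("t", [""])[0]
    if not hmac.compare_digest(tag.encode(), _tag(url).encode()):
        return ("reject", None)          # altered link: the gateway is not an open redirect
    if is_malicious(url):
        return ("block", url)            # target turned hostile after delivery
    return ("redirect", url)

def demo():
    blocklist = set()                    # constructed reputation feed, empty at delivery
    scan = lambda u: urlsplit(u).hostname in blocklist
    link = "http://landing.example.net/invoice"
    clean_at_delivery = not scan(link)   # the delivery-time scan passes
    wrapped = rewrite(link)
    early = on_click(wrapped, scan)[0]   # clicked before the page changes
    blocklist.add("landing.example.net") # page weaponized hours after delivery
    late = on_click(wrapped, scan)[0]    # same email, same link, later click
    altered = on_click(wrapped.replace("landing", "other"), scan)[0]
    return clean_at_delivery, early, late, altered

if __name__ == "__main__":
    print(demo())
```

The same delivered link yields a redirect on the early click and a block on the later one, which a scan performed only at delivery cannot do.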

Which Spam Filter Service Includes these Features?

Based on subscriptions, one of the most popular spam filter services to include these features is SpamTitan. SpamTitan is available as either a cloud or an on-premises solution, and one of its major benefits is that it does not have to be used as a standalone spam filter service. SpamTitan can be implemented in front of an existing spam filter service (e.g., Office 365) to ensure a high level of email protection throughout the whole business and across all domains.