Spam Filtering Software

The first spam filter was developed in the 1990s to address a growing problem of unsolicited and unwanted emails. Two software engineers compiled a list of IP addresses that were sending the messages and created a blacklist which was made available to subscribers of the Mail Abuse Prevention System. While initially developed to deal with nuisance emails, spam filters now have to block far more sinister threats and in much more significant volumes.

The same blacklist system is still in use today. It is known as the Domain Name Server Blackhole List or Real-time Blackhole List (RBL). It contains the IP addresses of known spammers and is constantly updated. The blacklist is one of the key mechanisms for identifying spam emails and is at the heart of modern spam filters.

Spammers are constantly changing tactics to bypass RBLs and ensure their emails reach inboxes. Domains are used for very short periods before being abandoned, or thousands of domains are used to send small batches of emails at levels where spamming is unlikely to be detected. Blacklists are still important for blocking nuisance emails, but alone they will do little to block more sophisticated threat actors and more sinister threats.

The Importance of Spam Filtering Software

Email is the malware delivery vehicle of choice for cybercriminals and the main way hackers gain access to healthcare networks. Figures from Verizon indicate 66% of all malware infections in the healthcare industry were the result of employees opening infected email attachments.

Phishing attacks on healthcare organizations are increasing and barely a day goes by without another report of a healthcare phishing attack. Each year, scores of businesses are fooled into disclosing W-2 Form data and making fraudulent wire transfers.

With appropriate technical solutions, policies, procedures, and staff training, it is possible to mount a robust defense against phishing attacks. Without effective spam filtering software in place, healthcare organizations will not be able to manage and reduce threats to an acceptable level and data breaches and regulatory fines are likely to follow.

Key Features of Spam Filtering Software

The use of blacklists is a common feature of spam filtering software, but in order to protect against more sophisticated attacks, additional mechanisms must be employed. Modern spam filters use an array of additional mechanisms to detect malicious messages and sophisticated phishing attacks.

DMARC Authentication

DMARC is used to authenticate authorized users of a domain and detect email spoofing and brand impersonation attacks.

Sandboxing

Sandboxing capabilities allow deeper analysis of suspicious email attachments. File attachments are executed in a safe environment and studied for malicious actions.

Content Analysis

Machine-learning systems scan and analyze message content for spam signatures and assign confidence scores to messages. Messages are only delivered if the score is below a pre-defined threshold.

SURBL/URIBL filtering

A technique used to filter out phishing emails and reject, quarantine, or flag messages with suspicious embedded hyperlinks.

Greylisting

Greylisting is the process of requesting the resending of an email. Normal mail servers respond quickly, whereas spamming servers are typically too busy to respond. Time delays are a good indicator of the trustworthiness of the mail server.

Outbound scanning

Scanning of outbound messages for malicious attachments, phishing and spam, to help detect account breaches and prevent domain blacklisting

An Essential Part of Your Cybersecurity Defenses

An advanced spam filtering solution will achieve a spam detection rate in excess of 99.9% and will have a low false positive rate under 0.05%. Over time, machine-learning systems will improve detection rates further, but it is not possible to block all spam and malicious messages.

Cybercriminals are constantly developing new methods of attack and are perfecting their email spam campaigns. New fileless malware variants are being used and other methods of obfuscation are employed to hide malicious code. Spam filtering software will block the majority of threats, but it is inevitable that some malicious messages will slip through the net and be delivered to inboxes. It is therefore essential for all staff to be provided with regular security awareness training and taught to be alert to email threats.

FAQs

Does Office 365 have a built-in spam filter?

Microsoft Office 365 includes a basic spam filter – Exchange Online Protection (EOP) – that is included in the license cost. EOP is effective at identifying spam email and will block known malware threats, but many businesses find the level of protection against phishing and spear phishing attacks to be insufficient and augment EOP with a third-party spam filter.

What is greylisting?

Greylisting is an option in some spam filtering solutions which can greatly improve spam detection rates. When this feature is enabled, messages are initially rejected, and a request is sent to the sender to resend the message. The time taken for a response is a good indicator of whether the mail server is being used for spamming. Spam servers typically do not respond before the request times out.

Does greylisting delay the delivery of genuine emails?

When greylisting is enabled, there will typically be a delay in delivering genuine emails to inboxes. While this delay is typically a few minutes, to ensure that important messages are not delayed, trusted IP addresses and domains can be whitelisted, which will prevent the greylisting process being used on those IP addresses.

What is email content filtering

Email content filtering involves scanning the message body and searching for known signatures of spam and phishing emails. The content of the email is assessed for phrases, grammar, keywords, and hyperlinks and the messages is assigned a ‘spam score’ that is used to determine the likelihood of the message being spam. Administrators can set spam tolerance thresholds. If the spam score exceeds the threshold, the message will be sent to the spam folder.

Why is outbound email scanning important?

Spam filters scan all inbound messages, but outbound scanning is also important. If a mailbox is compromised in a phishing attack, the outbound email filter will detect if the mailbox is used to send phishing or spam emails. Outbound filters also provide data loss protection and can identify and block attempts by malicious insiders to send sensitive data to external email addresses.