Anti-spam software as we know it dates back to the late 1990s, when two engineers began compiling a list of the IP addresses from which they had received unwanted email. That list was distributed to subscribers of the Mail Abuse Prevention System ("MAPS", or "SPAM" spelt backwards), at first as a Border Gateway Protocol (BGP) route feed that caused subscribing networks to drop traffic from the listed addresses, and later as a DNS-based Blackhole List (DNSBL, often called the Real-time Blackhole List or "RBL"), which a mail server consults with an ordinary DNS lookup.
More than 20 years later, the RBL is still a primary mechanism used by anti-spam software to detect unsolicited email. However, because spammers and cybercriminals constantly refine their methods, RBL filters on their own cannot defend against threats such as malware and ransomware.
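To make concrete how a mail server actually consults an RBL, here is an added example (not code from the original article or from any RBL operator) of the DNSBL lookup convention described in RFC 5782: the sender's IPv4 address is reversed octet by octet (or, for IPv6, nibble by nibble) and prefixed to the list's zone name, and a listing comes back as an A record inside 127.0.0.0/8. The zone `dnsbl.example` and its contents are constructed so the code runs offline; a real client would replace `constructed_resolver` with a DNS A-record query. The ZEN return-code table is Spamhaus's published mapping and is included only to show how a zone encodes the listing reason in the last octet.

```python
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for a DNS A-record lookup so the example runs offline.
# Keys are query names, values are the A records the zone would return;
# a missing key plays the role of NXDOMAIN (not listed).
CONSTRUCTED_ZONE_DATA = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],        # RFC 5782 "always listed" test address
    "25.2.0.192.dnsbl.example": ["127.0.0.4"],        # constructed spam source
    "1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.dnsbl.example": ["127.0.0.2"],  # 2001:db8::1, constructed
}

def constructed_resolver(qname: str) -> list[str]:
    return CONSTRUCTED_ZONE_DATA.get(qname, [])

def parked_resolver(qname: str) -> list[str]:
    # Failure mode: a dead/parked zone that wildcards every name to a public IP.
    return ["198.51.100.1"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name (RFC 5782): reversed dotted octets for IPv4,
    reversed hex nibbles for IPv6, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 nibbles
    return ".".join(labels) + "." + zone

def dnsbl_lookup(ip: str, zone: str, resolve: Callable[[str], list[str]]) -> Optional[list[int]]:
    """Return the listing codes (last octet of each 127.0.0.x answer) if `ip`
    is listed in `zone`, else None. Answers outside 127.0.0.0/8 are ignored:
    they are not listings, they are a sign the zone is broken or wildcarded."""
    codes = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        rec = ipaddress.ip_address(answer)
        if rec.version == 4 and rec in ipaddress.ip_network("127.0.0.0/8"):
            codes.append(int(answer.rsplit(".", 1)[1]))
    return codes or None

# Spamhaus ZEN return codes (published by Spamhaus); other zones use their own tables.
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"}

def describe_zen(code: int) -> str:
    return ZEN_CODES.get(code, f"unknown code 127.0.0.{code}")

def zone_is_sane(zone: str, resolve: Callable[[str], list[str]]) -> bool:
    """RFC 5782 health check before trusting a zone to reject mail: 127.0.0.2
    must be listed and 127.0.0.1 must not be. A parked or wildcarded zone fails
    this check and would otherwise block all inbound mail."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "2001:db8::1"):
        print(ip, "->", dnsbl_query_name(ip, "dnsbl.example"),
              dnsbl_lookup(ip, "dnsbl.example", constructed_resolver))
    print("zone sane:", zone_is_sane("dnsbl.example", constructed_resolver))
    print("parked zone sane:", zone_is_sane("dnsbl.example", parked_resolver))
```

The health check is the part practitioners most often skip: a DNSBL zone that has been shut down and its domain parked will answer every query with the parking host's address, and a mail server that treats any non-NXDOMAIN answer as "listed" will then reject all mail.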
Outbound scanning is a feature that businesses evaluating anti-spam software too often overlook, but it is an important one. Receiving mail systems and reputation services assign each sending IP address a reputation score based on its history, so every spam email that leaves a business's network counts against the reputation of the IP address it was sent from.
An outgoing email that carries malware, or that a content analysis tool scores as spam-like, does not necessarily mean the business's network has been taken over by a botnet; it could simply be an employee sending emails that contain spam-related keywords. Nonetheless, if enough of a business's outgoing mail is filtered as spam by its recipients, the reputation of its IP address will drop to the point where all email originating from that address fails to be delivered. Outbound scanning inspects outgoing emails for malware or a high spam score and either deletes the email, quarantines it, or flags it to the administrator in a report.
Even the best anti-spam software cannot block every phishing threat. Should an employee fall victim to a phishing scam and disclose their login details, or should those details be obtained by coercion or other means, the email account will be accessed and used to send phishing emails internally or to business contacts and customers. Outbound scanning helps identify such compromised accounts quickly, so that an appropriate response can follow. Outbound scanning also serves as a data loss prevention mechanism, identifying attempts by malicious insiders to send sensitive data externally, for example to a personal email account. Spam filters allow tags to be applied to certain types of data, such as Social Security numbers, so that emails containing that data are prevented from being sent.
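The three paragraphs above describe four separate decisions an outbound scanner makes: drop known malware, block sensitive data leaving the organisation, quarantine messages with a high spam score to protect the sending reputation, and flag a sudden burst of mail from one mailbox as a likely compromised account. The following is an added example of such a policy engine (not code from the original article or from any vendor's product). The organisation domain `corp.example`, the malware hash list, the keyword weights and thresholds, and the sample messages are all constructed for illustration; the SSN pattern is a simplified detector and a real deployment would use validated DLP classifiers.

```python
import hashlib
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"   # assumed organisation domain; constructed

# Constructed sample data: a "known malware" attachment hash and spam keyword weights.
KNOWN_MALWARE_SHA256 = {hashlib.sha256(b"MZ\x90\x00constructed-sample-payload").hexdigest()}
SPAM_KEYWORD_WEIGHTS = {"free money": 3, "act now": 2, "wire transfer": 2,
                        "verify your account": 3, "click here": 1}
SPAM_QUARANTINE_SCORE = 5
# Account-compromise heuristic: more than VOLUME_LIMIT messages from one sender per window.
VOLUME_LIMIT, VOLUME_WINDOW_SECONDS = 20, 300
# Simplified US SSN detector (123-45-6789 form, excluding impossible area/group/serial values).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, bytes] = field(default_factory=dict)  # filename -> content
    timestamp: float = 0.0                                        # seconds since epoch

@dataclass
class Verdict:
    action: str              # "deliver" | "quarantine" | "delete" | "block"
    reasons: list[str]
    report_to_admin: bool = False

class OutboundScanner:
    def __init__(self) -> None:
        self._sent: dict[str, deque] = defaultdict(deque)  # sender -> recent send times

    def _volume_exceeded(self, sender: str, now: float) -> bool:
        recent = self._sent[sender]
        recent.append(now)
        while recent and now - recent[0] > VOLUME_WINDOW_SECONDS:
            recent.popleft()
        return len(recent) > VOLUME_LIMIT

    def spam_score(self, msg: OutboundMessage) -> int:
        text = (msg.subject + " " + msg.body).lower()
        return sum(w for kw, w in SPAM_KEYWORD_WEIGHTS.items() if kw in text)

    def scan(self, msg: OutboundMessage) -> Verdict:
        # Record volume first so every message counts, whatever the verdict below.
        burst = self._volume_exceeded(msg.sender, msg.timestamp)
        external = [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]

        # 1. Malware: a known-bad attachment never leaves, and the admin always hears about it.
        for name, content in msg.attachments.items():
            if hashlib.sha256(content).hexdigest() in KNOWN_MALWARE_SHA256:
                return Verdict("delete", [f"known malware attachment: {name}"], report_to_admin=True)

        # 2. DLP: tagged data (here, SSN-like strings) to an external address is blocked.
        if external and SSN_RE.search(msg.body):
            return Verdict("block", ["SSN pattern sent to external recipient(s): " + ", ".join(external)],
                           report_to_admin=True)

        # 3. Spam score: protects the organisation's sending reputation.
        reasons = []
        score = self.spam_score(msg)
        if score >= SPAM_QUARANTINE_SCORE:
            reasons.append(f"spam score {score} >= {SPAM_QUARANTINE_SCORE}")

        # 4. Volume anomaly: a burst from one mailbox suggests a compromised account.
        if burst:
            reasons.append(f"more than {VOLUME_LIMIT} messages in {VOLUME_WINDOW_SECONDS}s from {msg.sender}")

        if reasons:
            return Verdict("quarantine", reasons, report_to_admin=True)
        return Verdict("deliver", [])

if __name__ == "__main__":
    scanner = OutboundScanner()
    sample = OutboundMessage("alice@corp.example", ["bob@partner.example"], "ACT NOW",
                             "Free money! Verify your account.", timestamp=1.0)
    print(scanner.scan(sample))
```

The ordering matters: malware and DLP hits return immediately with a hard action, while spam score and volume are softer signals that are accumulated and reported together, so the administrator sees why a message was quarantined rather than just that it was.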
Even with email services regularly updating their Real-time Blackhole Lists, RBLs only catch spam from known sources, that is, IP addresses with a spamming history. RBLs detect roughly 97%-98% of spam, but spammers frequently change their IP addresses and domains, often by compromising legitimate email accounts and using them for spamming. RBLs are ineffective against these new sources, and anti-spam software without additional detection features will let between 1% and 3% of spam through.
A vast amount of spam is now sent by botnets from otherwise trusted IP addresses. This happens when a spammer compromises an internet-connected device and, using command-and-control malware, sends spam from the compromised "zombie" device. The latest Internet Security Threat Report puts the number of bot-infected zombie devices at more than 98.6 million.
Although the Sender Policy Framework (SPF) may detect some emails sent from these accounts, it cannot detect them all. SPF only checks that the connecting server is authorised to send mail for the domain in the sender address, so a message sent from a compromised account through that domain's own legitimate mail servers passes the check, which frequently exposes businesses to BEC and phishing attacks. Because of this, to defend users effectively against email-based threats, businesses need to use advanced anti-spam software from a dedicated software specialist rather than relying on the basic anti-spam filtering bundled with their email service.
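To show exactly where SPF helps and where it does not, here is an added example (not code from the original article) of a small SPF evaluator covering the `ip4`, `ip6`, `include` and `all` mechanisms from RFC 7208 with their `+`, `-`, `~` and `?` qualifiers; `a`, `mx`, `exists` and macros are deliberately out of scope and yield `permerror`. The domains `corp.example` and `mailhost.example`, their TXT records and the IP addresses are constructed so that it runs offline; a real checker would fetch the TXT records with a DNS lookup. The two scenarios at the end are the ones the paragraph above contrasts: a spoofed sender from an unrelated IP fails, while a compromised account sending through the authorised provider passes.

```python
import ipaddress
from typing import Callable, Optional

# Constructed DNS TXT data: corp.example authorises its own host plus whatever
# its hosted mail provider (mailhost.example) publishes.
CONSTRUCTED_TXT = {
    "corp.example": "v=spf1 ip4:203.0.113.10 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 ~all",
}

def constructed_txt_lookup(domain: str) -> Optional[str]:
    return CONSTRUCTED_TXT.get(domain)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip: str, mail_from_domain: str, lookup: Callable[[str], Optional[str]],
              _depth: int = 0) -> str:
    """Evaluate the connecting IP against the domain's SPF record (RFC 7208 subset).
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _depth > 10:                       # RFC 7208 limits DNS-causing terms to 10
        return "permerror"
    record = lookup(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # `in` is False when address and network are different IP versions
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # include matches only if the referenced policy yields "pass";
            # a missing or broken referenced record is a permanent error (RFC 7208 5.2)
            sub = check_spf(ip, arg, lookup, _depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"            # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched (RFC 7208 4.7)

if __name__ == "__main__":
    # Spoofed: attacker's own host claims to be corp.example -> fail (SPF catches it)
    print("spoofed", check_spf("192.0.2.50", "corp.example", constructed_txt_lookup))
    # Compromised account relayed through the authorised provider -> pass (SPF cannot catch it)
    print("compromised account", check_spf("198.51.100.25", "corp.example", constructed_txt_lookup))
```

The second result is the whole point of the paragraph: SPF is an authorisation check on the sending server, not on the person behind the mailbox, so an attacker who logs in with stolen credentials inherits the domain's SPF pass along with its reputation.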