Anti-spam software originated in the 1990s, when two engineers began compiling a list of the IP addresses from which they had received unwanted email. That list was distributed as a Border Gateway Protocol feed to subscribers of the Mail Abuse Prevention System (“MAPS”, which is “SPAM” spelt backwards), and later became the Domain Name Server Blackhole List, often called the Real-time Blackhole List or “RBL”.
Over 20 years later, the RBL is still the primary mechanism anti-spam software uses to detect unsolicited email. However, because spammers and cybercriminals constantly advance and refine their methods, RBL filters alone cannot defend against threats such as malware and ransomware.
Outbound scanning is a feature too often overlooked by businesses evaluating anti-spam software, but it is an important one. IP addresses are given a reputation score based on their history, so every spam email sent from a business's IP address lowers that address's reputation.
An email carrying malware, or one that a content analysis tool considers spam-like, does not necessarily mean that the business's network has been taken over by a botnet; it could simply be an employee sending emails containing spam-related keywords. Nonetheless, if enough of the mail received from the business is filtered as spam, the reputation of its IP address will fall to the point where every email originating from it fails to be delivered. Outbound scanning targets outgoing emails that contain malware or carry a high spam score and either deletes the email, quarantines it, or flags it to the administrator in a report.
Even the best anti-spam software cannot block every phishing threat. Should an employee fall victim to a phishing scam and disclose private data, or should that data be obtained through threats or other means, the email account will be accessed and used to send phishing emails internally or to business contacts and customers. Outbound scanning helps identify these breaches quickly so that an appropriate response can follow. It also serves as a data loss prevention mechanism, identifying attempts by malicious insiders to send sensitive data externally, for example to a personal email account. Spam filters allow tags to be applied to certain types of data, such as Social Security numbers, to prevent emails containing that data from being sent.
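The outbound policy described above (delete malware, quarantine or flag high spam scores, hold tagged data such as Social Security numbers, and surface mailboxes that repeatedly send spam-like mail) can be modelled as a small decision function. The following is an added illustration, not code from the original article or from any product it names; the thresholds, the internal domain `example.com`, the personal webmail domain and the sample messages are all constructed for the example, and the spam scores and malware verdicts stand in for the output of a real content-analysis and anti-virus engine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy values; a real filter exposes these as administrator settings.
INTERNAL_DOMAIN = "example.com"                      # constructed
PERSONAL_MAIL_DOMAINS = {"personalmail.example"}     # constructed webmail domain
SPAM_QUARANTINE_SCORE = 8.0
SPAM_FLAG_SCORE = 5.0
SUSPECT_MAILBOX_THRESHOLD = 2   # spam-like messages per mailbox per scan window
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # the tagged data type


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    body: str
    spam_score: float        # from the content-analysis engine (constructed here)
    malware_detected: bool   # from the anti-virus engine (constructed here)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def classify(msg: OutboundMessage) -> str:
    """Decide delete / quarantine / flag / deliver for one outgoing message."""
    if msg.malware_detected:
        return "delete"
    external = [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]
    tagged = SSN_PATTERN.search(msg.body) is not None
    # DLP: tagged data leaving the organisation for a personal mailbox is held.
    if tagged and any(domain_of(r) in PERSONAL_MAIL_DOMAINS for r in external):
        return "quarantine"
    if msg.spam_score >= SPAM_QUARANTINE_SCORE:
        return "quarantine"
    # Moderately spam-like mail, or tagged data to any other external party,
    # is delivered but reported to the administrator.
    if msg.spam_score >= SPAM_FLAG_SCORE or (tagged and external):
        return "flag"
    return "deliver"


def scan_outbound(messages: List[OutboundMessage]) -> Dict[str, object]:
    """Classify each message and report mailboxes that repeatedly send spam-like mail,
    which is the signal the text describes for a potentially compromised account."""
    actions = [classify(m) for m in messages]
    spammy_by_sender = Counter(m.sender for m in messages if m.spam_score >= SPAM_FLAG_SCORE)
    suspect = sorted(s for s, n in spammy_by_sender.items() if n >= SUSPECT_MAILBOX_THRESHOLD)
    return {"actions": actions, "suspect_mailboxes": suspect}


# Constructed sample batch covering each decision branch.
SAMPLE_BATCH = [
    OutboundMessage("alice@example.com", ["bob@partner.example"], "Quarterly report attached.", 1.2, False),
    OutboundMessage("alice@example.com", ["alice.home@personalmail.example"], "Employee record: 123-45-6789", 0.8, False),
    OutboundMessage("hr@example.com", ["payroll@example.com"], "Onboarding, SSN 987-65-4321", 0.5, False),
    OutboundMessage("mallory@example.com", ["c1@customer.example", "c2@customer.example"], "You have WON! Click here", 9.1, False),
    OutboundMessage("mallory@example.com", ["c3@customer.example"], "Urgent invoice pending", 6.0, False),
    OutboundMessage("bob@example.com", ["c4@customer.example"], "See attachment", 0.3, True),
]

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_BATCH))
```

The third sample message shows the edge case worth getting right: tagged data sent between two internal mailboxes is legitimate payroll traffic and is delivered, whereas the same data addressed to a personal webmail account is quarantined. The report of `mallory@example.com` as a suspect mailbox comes from two spam-like messages in one window, not from any single message.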
Even though email services regularly update their Real-time Blackhole Lists, RBLs only target spam from known sources or from IP addresses with a history of spamming. RBLs detect roughly 97%-98% of spam, but spammers frequently change their IP addresses and domains, often compromising legitimate email accounts and using them to send spam. RBLs are ineffective at blocking these new spam emails, and anti-spam software without additional features will let between 1% and 3% of spam through.
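To make the RBL limitation above concrete, here is how an RBL lookup works mechanically and why a sender with no history sails through. This is an added example and not code from the article or any RBL operator: the zone name `dnsbl.example.invalid`, the stub resolver and its answers are constructed, and the sample addresses are taken from the documentation ranges. A real lookup sends an A query for the reversed-octet name to the DNSBL zone; an answer in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed".

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone name for this example: not a real DNSBL.
DNSBL_ZONE = "dnsbl.example.invalid"

# Constructed answers standing in for the DNSBL's A records. Many DNSBLs answer
# in 127.0.0.0/8, with the last octet encoding the reason for the listing.
STUB_ANSWERS: Dict[str, str] = {
    "7.100.51.198.dnsbl.example.invalid": "127.0.0.2",  # constructed: 198.51.100.7, known spam source
    "9.113.0.203.dnsbl.example.invalid": "127.0.0.4",   # constructed: 203.0.113.9, compromised host
}

REASON_CODES = {
    "127.0.0.2": "known spam source",
    "127.0.0.4": "compromised host",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, zone appended.
    Checking 1.2.3.4 against zone Z queries 4.3.2.1.Z"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def stub_resolve(name: str) -> Optional[str]:
    """Offline stand-in for an A-record lookup; None plays the role of NXDOMAIN."""
    return STUB_ANSWERS.get(name)


def check_sender_ip(ip: str, resolve: Callable[[str], Optional[str]] = stub_resolve) -> dict:
    """Return the RBL verdict for one connecting sender IP."""
    name = dnsbl_query_name(ip)
    answer = resolve(name)
    if answer is None:
        return {"ip": ip, "query": name, "listed": False, "reason": None}
    # Sanity check: a genuine listing is an answer inside 127.0.0.0/8. Anything
    # else (for example a resolver that rewrites NXDOMAIN to an advertising IP)
    # must not count as a listing, or every sender would be rejected.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return {"ip": ip, "query": name, "listed": False, "reason": "unexpected answer " + answer}
    return {"ip": ip, "query": name, "listed": True,
            "reason": REASON_CODES.get(answer, "unknown code " + answer)}


def rbl_filter(sender_ips: List[str],
               resolve: Callable[[str], Optional[str]] = stub_resolve) -> Tuple[List[str], List[str]]:
    """Split a batch of connecting IPs into rejected and accepted, as an RBL stage would."""
    rejected, accepted = [], []
    for ip in sender_ips:
        (rejected if check_sender_ip(ip, resolve)["listed"] else accepted).append(ip)
    return rejected, accepted


if __name__ == "__main__":
    # 192.0.2.10 is a constructed "new" sender with no history and no listing:
    # exactly the case the text describes, where the RBL alone lets it through.
    print(rbl_filter(["198.51.100.7", "203.0.113.9", "192.0.2.10"]))
```

The unlisted address in the sample is the whole point of the paragraph: the RBL has no knowledge of a freshly compromised account or a newly acquired IP address, so that message reaches the later filtering stages untouched. The 127.0.0.0/8 check is a practical guard against resolvers that synthesise answers for non-existent names.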
A vast amount of spam is now sent by botnets from trusted IP addresses. This happens when a spammer has compromised an internet-connected device and sends spam from the compromised “zombie” device using command-and-control malware. The latest Internet Security Threat Report calculates that there are more than 98.6 million bot-infected zombie devices.
Although the Sender Policy Framework (SPF) may detect some emails sent from these accounts, it cannot detect them all, often exposing businesses to BEC and phishing attacks. To defend users effectively against email-based threats, businesses therefore need to use advanced anti-spam software from a dedicated software specialist rather than relying on the basic anti-spam software built into the email service.
We have analyzed the costs of the most popular and highest-rated business spam filtering software. 2022 prices range from $1.08 per user per month for SpamTitan from TitanHQ to $4.50 per user per month for Mimecast Email Security, with most solutions falling in the range of $2.60-$3.60 per user per month.
Sandboxing is the term for an isolated, secure environment that mimics end-user operating environments, in which potentially unsafe code is run and untrusted files are opened. By opening untrusted files and running unknown code in a sandbox, threats can be identified and blocked. Spam filters with sandboxing are recommended because the anti-virus engines of spam filters do not detect all malware.
Some spam filters use greylisting to detect spam. Greylisting involves initially rejecting email from sources that are not whitelisted and requesting that the email be resent. Since mail servers used for spamming are typically too busy to honour these requests, the delay before an email is resent is a good gauge of whether the message is spam. Greylisting can significantly improve spam detection rates.
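The greylisting logic just described, written out as an added example (not code from the article or from any mail product): the receiving server remembers the triplet of client IP, envelope sender and envelope recipient, answers the first attempt with a temporary failure, and accepts only a retry that arrives after a sensible delay. The retry window, expiry, whitelist entry, SMTP response strings and the delivery timelines are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)

# Constructed policy values; real MTAs expose these as configuration.
MIN_RETRY_DELAY = 300             # seconds a sender must wait before a retry is accepted
UNSEEN_EXPIRY = 4 * 3600          # forget a triplet that never retried
WHITELISTED_IPS = {"192.0.2.25"}  # constructed: a known-good relay that is never greylisted

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    passed: Set[Triplet] = field(default_factory=set)

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP response for one delivery attempt made at time `now` (seconds)."""
        if client_ip in WHITELISTED_IPS:
            return ACCEPT
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return ACCEPT
        first = self.first_seen.get(triplet)
        if first is None or now - first > UNSEEN_EXPIRY:
            # First attempt (or a stale one): reject temporarily and remember when.
            self.first_seen[triplet] = now
            return TEMPFAIL
        if now - first < MIN_RETRY_DELAY:
            # Retried too quickly: a well-behaved MTA backs off for minutes;
            # bulk senders that retry at all often do so within seconds.
            return TEMPFAIL
        # Retried after a sensible delay: this triplet has earned a pass.
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return ACCEPT


def simulate() -> Dict[str, List[str]]:
    """Constructed delivery timelines for a real MTA, two bots and a whitelisted relay."""
    gl = Greylist()
    return {
        # Legitimate server: first attempt at t=0, queue retry after 15 minutes,
        # and later mail for the same triplet flows without delay.
        "real_mta": [
            gl.decide("198.51.100.20", "news@vendor.example", "staff@example.com", 0),
            gl.decide("198.51.100.20", "news@vendor.example", "staff@example.com", 900),
            gl.decide("198.51.100.20", "news@vendor.example", "staff@example.com", 7200),
        ],
        # Bot that fires once and never retries: the message never arrives.
        "fire_and_forget_bot": [
            gl.decide("203.0.113.77", "promo@random.example", "staff@example.com", 0),
        ],
        # Bot that hammers retries within seconds: still held.
        "impatient_bot": [
            gl.decide("203.0.113.78", "promo@random.example", "staff@example.com", 0),
            gl.decide("203.0.113.78", "promo@random.example", "staff@example.com", 30),
            gl.decide("203.0.113.78", "promo@random.example", "staff@example.com", 60),
        ],
        "whitelisted_relay": [
            gl.decide("192.0.2.25", "ceo@example.org", "staff@example.com", 0),
        ],
    }


if __name__ == "__main__":
    for name, responses in simulate().items():
        print(name, responses)
```

Two practical caveats follow from the code. First, the legitimate sender's first message is delayed by the retry interval, which is the false-positive cost the trade-off paragraph below refers to. Second, large senders retry from a pool of hosts, so production greylisting typically keys on the client's network prefix (commonly a /24) rather than the exact IP, otherwise the retry is never matched to the first attempt.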
Spam filters reduce the volume of spam and malicious emails, but no filter will block every spam or malicious message without also blocking some legitimate email. There is a trade-off between the level of protection and the number of false positives, and it may take some tweaking of your spam filtering settings to find the right balance.
It is a good idea to choose a spam filter with outbound scanning to prevent mailboxes from being used to send spam, to identify potentially compromised mailboxes, and for data loss protection. Some spam filters allow certain data types to be tagged to prevent employees from sending that data externally, to personal email addresses for example.