An EZ Guide to Mail Filters

Now why did that go into Spam?

As with most crimes, spam is a game of cat and mouse: the ‘bad guys’ try to stay ahead of the ‘good guys’, or in our case, spammers keep finding ways to get past mail filters.  Every anti-spam device or filter system has its own approach to catching spam, but they all do the same three things: scan the email headers for dishonesty or malice, compare the sender against blacklists of known spammers, and filter the content for patterns normally seen in spam.

Header Data

Each message that is sent contains a lot of text that you as a user never see.  That’s the header.  It contains useful things like the address of each server that has handled the mail, dates, times, and authentication signatures such as DKIM.  The mail filter looks through the header and tries to find deceptive patterns.  Did the mail come from g00gle.com instead of google.com?  Maybe the email was addressed as coming from joe_smith@smithco.com, but it was really sent by iamaspammer@spamco.com, which shows up in the Return-Path and Received lines that the sender cannot fully control.  The mail filter sees that g00gle and google aren’t the same, and neither are joe_smith and iamaspammer, and filters both messages out of the mail system.
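As an added illustration (example code written for this guide, not the filtering product it describes), here is a small Python check that performs the three header comparisons just described on two constructed sample messages. The domains, addresses and IP numbers are made up, the lookalike table covers only digit-for-letter swaps, and the ‘last two labels’ domain rule stands in for a real public-suffix list.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages for this example (not real traffic).
SPAM_MESSAGE = """Return-Path: <iamaspammer@spamco.com>
Received: from mail.spamco.com (mail.spamco.com [203.0.113.7])
    by mx.example.net with ESMTP id k7x2; Mon, 1 Jan 2024 10:00:00 +0000
From: Joe Smith <joe_smith@smithco.com>
To: you@example.net
Subject: Action required on your g00gle.com account
Date: Mon, 1 Jan 2024 09:59:00 +0000

Sign in at http://g00gle.com/verify within 24 hours.
"""

CLEAN_MESSAGE = """Return-Path: <joe_smith@smithco.com>
Received: from mail.smithco.com (mail.smithco.com [198.51.100.4])
    by mx.example.net with ESMTP id p9q1; Mon, 1 Jan 2024 10:00:00 +0000
From: Joe Smith <joe_smith@smithco.com>
To: you@example.net
Subject: Invoice for January
Date: Mon, 1 Jan 2024 09:59:00 +0000

The invoice is attached; questions to billing@smithco.com.
"""

# Digit-for-letter substitutions commonly used in lookalike domains (assumed list).
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s"}
# Domains we care about impersonation of (assumed for the example).
TRUSTED_DOMAINS = {"google.com", "smithco.com"}
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def normalize(domain):
    """Fold lookalike characters so that g00gle.com becomes google.com."""
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d


def registered_domain(host):
    """Crude 'last two labels' rule; a real filter uses a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: header."""
    address = parseaddr(header_value)[1]
    return registered_domain(address.rpartition("@")[2])


def check_headers(raw):
    """Return a list of human-readable findings; an empty list means no concern."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Visible From: versus the envelope sender recorded in Return-Path:
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} does not match Return-Path domain {rp_dom}")

    # 2. The top-most Received: line names the relay that handed the mail to us.
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+([\w.-]+)", received[0]) if received else None
    if m and registered_domain(m.group(1)) != from_dom:
        findings.append(f"last relay {m.group(1)} is outside the From domain {from_dom}")

    # 3. Lookalike domains in the subject or body (g00gle.com vs google.com).
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for host in sorted(set(HOSTNAME_RE.findall(text))):
        dom = registered_domain(host)
        if dom not in TRUSTED_DOMAINS and normalize(dom) in TRUSTED_DOMAINS:
            findings.append(f"lookalike domain {dom} resembles {normalize(dom)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, check_headers(raw) or ["no findings"])
```

A From/Return-Path mismatch on its own is not proof of spam (mailing lists and forwarding services do it legitimately), which is why production filters treat it as one scored signal and verify SPF and DKIM rather than rejecting outright.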

Blacklists

Lists of known spammers are kept by a number of different services.  The lists are built from reports by ISPs, email providers and even you, when you report an email as spam.  Most mail filters or devices check every incoming email against these lists to keep spam to a minimum.  Most spammers have ways to disguise their headers to make their mail look legitimate, so a secondary check of the sending server against known spammers filters more spam out of the system.

Whitelisting

The opposite of a blacklist: a whitelist is the list of senders whose mail is always allowed through, regardless of what the other checks say.
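To show how the blacklist and whitelist checks above fit together, here is an added Python example (written for this guide, not taken from any blacklist service or filtering product). Blacklists of sending servers are published as DNS zones: the filter reverses the octets of the connecting IP, appends the zone name and looks the name up; an answer in 127.0.0.0/8 means ‘listed’. The zone bl.example.org, its answer codes and the DNS answers are all placeholders constructed for the example; a real list publishes its own zone and code meanings.

```python
import ipaddress

DNSBL_ZONE = "bl.example.org"      # placeholder zone; real lists publish their own
WHITELIST = {"198.51.100.4"}       # sending IPs we always accept (example value)

# Constructed stand-in for DNS answers: a listed IP resolves to 127.0.0.x,
# an unlisted one returns nothing. Real code would call a resolver here.
FAKE_DNS = {
    "7.113.0.203.bl.example.org": "127.0.0.2",
    "4.100.51.198.bl.example.org": "127.0.0.10",
}
# Meaning of each answer code for this example zone (assumed).
CODE_MEANING = {"127.0.0.2": "spam source", "127.0.0.10": "dynamic address space"}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name to look up: reversed octets (or nibbles) plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 lists use the 32 reversed hex digits of the expanded address.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


def lookup(ip, resolve=FAKE_DNS.get):
    """Return (verdict, reason) for a connecting IP; whitelist wins over blacklist."""
    if ip in WHITELIST:
        return "accept", "whitelisted"
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return "accept", "not listed"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # Anything outside 127/8 is not a listing; treat it as a fault, not a block.
        return "accept", f"unexpected answer {answer}"
    return "reject", CODE_MEANING.get(answer, f"listed ({answer})")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.4", "192.0.2.9"):
        print(ip, dnsbl_query_name(ip), lookup(ip))
```

Two practical points: whitelist by connecting IP or by an authenticated sending domain, never by the visible From address, since that is exactly what spammers forge; and fail open on odd answers, because a zone that has been shut down or that returns unexpected records would otherwise block all mail.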

Greylisting

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize, answering with an SMTP temporary-failure code. A properly run mail server queues the message and retries after a delay, at which point it is accepted and remembered; most bulk spam software never retries, so the message is simply never delivered.
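The exchange described above, as an added Python example that is not part of the original guide or any particular MTA: the server keys its memory on the triplet of client IP, envelope sender and envelope recipient, answers 451 the first time it sees a triplet, insists on a minimum wait before accepting the retry, and forgets triplets that are never retried. The delay and window values are assumptions chosen for the example.

```python
import time

GREYLIST_DELAY = 300         # seconds a new sender must wait before a retry counts
GREYLIST_WINDOW = 4 * 3600   # how long an unconfirmed triplet is remembered


class Greylist:
    """Track (client IP, envelope sender, envelope recipient) triplets."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so the behaviour can be replayed
        self.pending = {}     # triplet -> time first seen, awaiting a retry
        self.approved = {}    # triplet -> time last seen, accepted without delay

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the (SMTP code, text) the MTA should answer at RCPT TO time."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.now()
        if key in self.approved:
            self.approved[key] = now
            return 250, "accepted (known triplet)"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > GREYLIST_WINDOW:
            # Never seen, or the old attempt expired without a retry: start over.
            self.pending[key] = now
            return 451, "4.7.1 greylisted, please try again later"
        if now - first_seen < GREYLIST_DELAY:
            # Retrying too quickly is itself a sign of spam software; keep waiting.
            return 451, "4.7.1 greylisted, retry too soon"
        del self.pending[key]
        self.approved[key] = now
        return 250, "accepted (retry after delay)"


def simulate(attempt_offsets, client_ip="203.0.113.7",
             mail_from="joe_smith@smithco.com", rcpt_to="you@example.net"):
    """Replay one sender's attempts at the given second offsets; return the codes."""
    clock = [0.0]
    greylist = Greylist(now=lambda: clock[0])
    codes = []
    for offset in attempt_offsets:
        clock[0] = offset
        codes.append(greylist.check(client_ip, mail_from, rcpt_to)[0])
    return codes


if __name__ == "__main__":
    print("well-behaved MTA:", simulate([0, 30, 630, 631]))   # 451, 451, 250, 250
    print("spam cannon, no retry:", simulate([0]))             # 451
```

The well-known cost is a delay of a few minutes on first contact. Large providers also retry from a different server than the one that made the first attempt, so production implementations usually key on the sender’s /24 network rather than the exact IP, or skip greylisting for senders that pass SPF.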

Content Filtering

Most good mail filters can ‘read’ each message for telltale signs of spam.  Emails that have .exe attachments, links to blacklisted websites, or certain keywords will almost always be flagged as spam.  Unfortunately, this can also cause false positives if the filter is looking for word patterns and a legitimate message happens to fit one.

The system that we use also has machine learning.  No, Skynet isn’t reading your mail – yet.  It does, however, use statistical analysis to score the mail coming into the system.  You as a user can mark a message as spam; the system then churns through all messages flagged as spam, adjusts the scoring, and the spam filter ‘learns’.  The downside to users marking messages as spam is that you have to be sure the message is actually spam and not merely an unwanted message.  If you mark legitimate messages as spam instead of unsubscribing from the sender, you run the risk of poisoning the filter for all users.
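The scoring and the poisoning risk described in the last two paragraphs, as an added Python example written for this guide (it is not the filter we use, whose internals are not described here). It is a naive Bayes scorer of the kind most learning spam filters are built on: each ‘mark as spam’ or ‘not spam’ click adds that message’s words to a spam or ham tally, and a new message is scored from the words that lean most strongly one way. The training messages, the newsletter and the colleague’s note are all constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']{2,}")


def tokens(text):
    """Case-folded word set; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes spam scorer trained from user spam / not-spam flags."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        """Called when a user flags a message as spam (True) or rescues one (False)."""
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens(text))

    def token_prob(self, tok):
        """P(spam | token), pulled toward 0.5 for tokens seen only a few times."""
        s = self.spam_tokens[tok] / max(self.spam_docs, 1)
        h = self.ham_tokens[tok] / max(self.ham_docs, 1)
        n = self.spam_tokens[tok] + self.ham_tokens[tok]
        p = 0.5 if s + h == 0 else s / (s + h)
        return (0.5 + n * p) / (1 + n)

    def score(self, text, max_tokens=15):
        """Combine the most decisive token probabilities; 1.0 means certainly spam."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:max_tokens]
        if not probs:
            return 0.5
        probs = [min(max(p, 0.01), 0.99) for p in probs]   # keep log() finite
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_ham - log_spam))      # combine in log space


# Constructed training data for this example.
SPAM = [
    "Claim your FREE prize now! Click here to win $1000",
    "Cheap meds online, no prescription, order now",
    "You have won a lottery, claim your winnings today",
    "Free offer: click here now and win big",
]
HAM = [
    "Meeting moved to Thursday, notes attached",
    "Can you review the attached invoice before Friday?",
    "Lunch tomorrow? The usual place at noon",
    "Thanks for the notes, see you at the meeting",
]
# A legitimate newsletter that one user keeps flagging as spam instead of unsubscribing.
NEWSLETTER = "Monthly newsletter: tips for your mail filter and this month's webinar"
# A colleague's legitimate note that happens to share vocabulary with the newsletter.
COLLEAGUE = "Notes on the mail filter webinar from this month"


def build_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, is_spam=True)
    for text in HAM:
        f.train(text, is_spam=False)
    return f


def poisoning_demo(flags=3):
    """Score the colleague's mail before and after the newsletter is flagged as spam."""
    f = build_filter()
    before = f.score(COLLEAGUE)
    for _ in range(flags):
        f.train(NEWSLETTER, is_spam=True)
    after = f.score(COLLEAGUE)
    return before, after


if __name__ == "__main__":
    f = build_filter()
    print("spam-like:", round(f.score("Click here now to claim your free prize"), 3))
    print("ham-like: ", round(f.score("Notes from the meeting attached, see you Thursday"), 3))
    before, after = poisoning_demo()
    print("colleague before poisoning:", round(before, 3), "after:", round(after, 3))
```

Because the filter is shared, the newsletter’s words (‘mail’, ‘filter’, ‘webinar’) end up counted as spam evidence for everyone, and the colleague’s perfectly legitimate note crosses the spam threshold. Unsubscribing leaves the tallies alone; flagging does not.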

You can fine-tune your mail filter.  I will show you how in this month’s newsletter.  If you are not subscribed yet, be sure to subscribe!