An EZ Guide to Mail Filters

Now why did that go into Spam?

As it is with most crimes, spam is a game of cat and mouse.  The ‘bad guys’ staying ahead of the ‘good guys’ or in our case, the spammers figuring ways to defeat mail filters.  Every anti-spam device or filter system has a different approach to catching spam, but they all do the same three things: scan the email headers for dishonesty or malice, compare the senders to known spammers already on blacklists, and content filtering for patterns normally seen in spam.

Header Data

Each message that is sent contains a lot of text that you as  a user never sees.  That’s the header.  It contains useful things like the address of each server that’s handled the mail, dates, times, and security signatures.  The mail filter looks though the header, and attempts to find deceptive patterns.  Did the mail come from instead of  Maybe the email was addressed as coming from, but it was really sent by  The mail filter would see that g00gle and google aren’t the same, and neither are joe_smith and iamaspammer and filter both out of the mail system.


Lists of known spammers are kept by a number of different services.  The lists are built from ISP’s, email providers and even you when you report an email as spam.  Most mail filters or devices continually check email against these lists to keep spam at a minimum.  Most spammers have ways to disguise their headers to make their mail look legitimate, so a secondary check against known spammers filters more spam out of the system.


The opposite of a blacklist, a whitelist is the list that is always allowed to be delivered.


Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize.

Content Filtering

Most good mail filters can ‘read’ each message for telltale clues for spam.  Emails that have .exe attachments, links to blacklisted websites, or certain keywords will almost always be flagged as spam.  Unfortunately, it can also cause false positive results if the filter is looking for word patterns and one happens to fit.

With the system that we use,  it also has machine learning.  No, Skynet isn’t reading your mail – yet.  It does however use statistical analysis to score the mail that is coming into the system.  You as a user can mark a message as spam and the system then can churn through all messages flagged as spam, adjust the scoring and the spam filter ‘learns’.  The downside to users marking messages as spam, is that you have to be sure the message is actually spam and not an unwanted message.  If you are marking legitimate messages as spam, and not unsubscribing from the sender, you run the risk of poisoning the filter for all users.

You can fine tune your mail filter.  I will show you how in this month’s newsletter.  If you are not subscribed yet, be sure you do!