Blog

How our spam filtering works

As we've noted in earlier posts, Exigent provides spam & malicious attachment filtering for most of its clients. We sometimes get questions regarding a new influx of spam or an email that was reportedly sent but never arrived. I'll provide some insight into how the spam filtering works. Let's start with this illustration:

For security, the internet never talks directly to your mail server. Instead, all mail is delivered to our filtering server first. In fact, there's even a spam check that occurs before the mail arrives at our filter.

When a random internet computer contacts our filter with mail for your domain, our filter first checks the general reputation of the sending computer. If that reputation is particularly bad, usually because the computer has been sending large quantities of spam, its address will appear on a public blacklist. In this event, the mail isn't accepted for further handling but is rejected outright, and the sender (in the "From:" line) is notified.

Assuming the sending computer isn't on a blacklist, the mail is accepted by our filter, at which point it undergoes a statistical analysis of the body and other information. Forbidden (that is, potentially dangerous) attachments are removed and replaced with a notice at this stage too.

Our filter's analysis assigns the message a spam score based on its characteristics. These characteristics include things like: are prescription drugs discussed? Big flashy headlines? Lots of all-capital lines? Is the entire message body an image, or mostly images? Have lots of other filters on the internet seen a very similar message recently? Are there links to known malicious or spammy sites in the message? Each of these things contributes to a higher spam score.

If the message's spam score exceeds a threshold we set for your organization, the message is never delivered to your email server. Thus, if by chance a message is being blocked at our filter, adding the sender to the "Safe Sender" or similar list in Outlook won't help.
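The two stages described above, the reputation check before the message is accepted and the score-against-threshold check after it, as an added example that is not part of the original post or Exigent's filter. The DNSBL zone name, the listed address, the spammy link domain, the rule weights and the forbidden-extension list are all constructed for the example; a real filter resolves the blacklist name over DNS rather than reading a table.

```python
import re
from ipaddress import IPv4Address

# Constructed stand-ins (hypothetical names): a DNSBL zone with one listed
# address, and a small list of known spammy link domains.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_LISTINGS = {"23.100.51.198.dnsbl.example": "127.0.0.2"}
SAMPLE_BAD_DOMAINS = {"cheap-pills.example"}
FORBIDDEN_EXT = (".exe", ".scr", ".js")  # illustrative, not the filter's real list

def dnsbl_query_name(ip: str, zone: str = SAMPLE_ZONE) -> str:
    """DNSBL lookup names are the IPv4 octets reversed, then the zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sender_is_blacklisted(ip: str, resolve=SAMPLE_LISTINGS.get) -> bool:
    """Stage 1, before the message is accepted: a listed address answers
    with something in 127.0.0.0/8; no answer (None here) means not listed."""
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")

def strip_forbidden_attachments(msg: dict) -> list:
    """Stage 2a: drop dangerous attachments, leaving a notice in their place."""
    removed = [a for a in msg["attachments"] if a.lower().endswith(FORBIDDEN_EXT)]
    msg["attachments"] = [a for a in msg["attachments"] if a not in removed]
    for name in removed:
        msg["body"] += f"\n[Attachment {name} removed by the filter]"
    return removed

# (rule name, points, test); the weights are constructed for the example.
RULES = [
    ("drug_terms", 2.0, lambda m: re.search(r"\b(viagra|cialis|pharmacy)\b", m["body"], re.I) is not None),
    ("caps_lines", 1.5, lambda m: sum(1 for l in m["body"].splitlines() if len(l) > 10 and l.isupper()) >= 2),
    ("mostly_image", 2.5, lambda m: m["image_bytes"] > 4 * len(m["body"])),
    ("bad_link", 3.0, lambda m: any(h in SAMPLE_BAD_DOMAINS for h in re.findall(r"https?://([\w.-]+)", m["body"]))),
]

def spam_score(msg: dict):
    """Stage 2b: add up the points of every rule the message triggers."""
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    return sum(pts for _, pts in hits), [name for name, _ in hits]

def filter_message(sender_ip: str, msg: dict, threshold: float = 5.0) -> str:
    """Run the pipeline; the threshold stands in for the per-organization setting."""
    if sender_is_blacklisted(sender_ip):
        return "rejected_at_connection"  # never accepted, so never scored
    strip_forbidden_attachments(msg)
    score, _ = spam_score(msg)
    return "blocked_as_spam" if score >= threshold else "delivered"
```

A message blocked at the scoring stage never reaches the mail server, which is why a client-side safe-sender list cannot rescue it.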

Fortunately, over 98% of the inbound mail we filter for all of our clients is already filtered as spam. That's a lot!

We sometimes get asked to "block this example of spam", especially when a new wave of spam starts being sent with slightly different characteristics in order to slip past everyone's spam filters. Sadly, we're usually unable to instantly block these things, since details like the "From:" address are set to a random, phony value for each and every message. The spammers also send from many, many computers, a great number of them hijacked with malware, in order to make the job of blocking spam harder. We just have to give the whole internet and our filter a little time to examine many examples of this kind of spam and catch up. The spammers know this too, and so they craft new kinds of spam every so often as filters improve their effectiveness.

We do have a few individuals who end up preferring to have only the most egregious spam filtered by our filter, and then let everything else through and let their copies of Outlook sort it out. This helps ensure they never have legitimate mail mistakenly marked as spam. In this scenario they are still protected by our malicious attachment filtering.

For the time being, with the current design of the internet, there's no easy fix for spam, and thus you can expect to see a little spam, sometimes more, on any given day. Of course, we're always tweaking the filter and taking steps to improve its effectiveness, because it filters our mail too, and we don't like spam either. :)

As ever, if you have questions, please feel free to contact us. :)