Due to the increasing sophistication of email-borne threats, and the multiple ways cybercriminals can bypass some security mechanisms, it is important to minimize the number of spam emails accepted by a spam filter service for processing. One of the best ways to minimize spam emails is automated greylisting.
Email is the number one attack vector for cybercriminals, and research has shown that 90% of malware is delivered via spam mail. However, as software vendors add more security features to spam filter services, cybercriminals often find new ways to bypass them, mask their identities, and exploit gaps in the security mechanisms.
To address the increasing sophistication of email-borne threats, some spam filter services now include automated greylisting. This feature returns emails to their originating servers, where they are added to a mail retry queue. In most circumstances, the greylisted email is resent within minutes and accepted by the spam filter service for processing.
Spammers' servers have a lot of undelivered emails returned to them because the emails are rejected by front-end processes such as recipient verification and sender authentication tests, or because they match real-time blocklists (RBLs). So that resources are not used resending undeliverable emails, spammers' servers often have the mail retry function disabled.
Because the mail retry function is disabled, the greylisted email is never resent. The process is not infallible, because it fails to prevent targeted attacks when the mail retry function is operational. However, in tests, a spam filter service with automatic greylisting enabled achieved a spam detection rate of 99.97% with only 0.03% false positives.
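The greylisting decision described above, as an added sketch that is not from the original article or any vendor's product. It assumes the common approach of keying on the (client IP, sender, recipient) triplet and answering unknown senders with an SMTP 451 temporary failure; the delay values, class name and sample traffic are constructed for illustration. The third sample shows the limitation noted above: a sender that retries properly is accepted for further filtering.

```python
from dataclasses import dataclass, field

# Assumed policy values (not from the article): minimum wait before a retry
# is accepted, and how long an unconfirmed first attempt is remembered.
MIN_DELAY = 300          # seconds
PENDING_TTL = 4 * 3600   # seconds

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (epoch seconds)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 accepted for filtering"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > PENDING_TTL:
            # Unknown (or expired) triplet: temporary failure, so a normal
            # mail server queues the message and retries later.
            self.first_seen[triplet] = now
            return "451 greylisted, try again later"
        if now - seen < MIN_DELAY:
            # Retried faster than a normal retry queue would; keep deferring.
            return "451 greylisted, try again later"
        self.passed.add(triplet)
        return "250 accepted for filtering"

def replay(attempts):
    """Run constructed (time, ip, from, to) attempts through a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t).split()[0] for t, ip, frm, to in attempts]

# Constructed sample traffic (documentation addresses, not real hosts).
LEGIT = [(0, "192.0.2.10", "alice@example.org", "bob@example.com"),
         (600, "192.0.2.10", "alice@example.org", "bob@example.com")]
NO_RETRY = [(0, "198.51.100.7", "promo@example.net", "bob@example.com")]
TARGETED = [(0, "203.0.113.5", "ceo@example.net", "bob@example.com"),
            (30, "203.0.113.5", "ceo@example.net", "bob@example.com"),
            (900, "203.0.113.5", "ceo@example.net", "bob@example.com")]

if __name__ == "__main__":
    for name, traffic in (("legit", LEGIT), ("no-retry", NO_RETRY), ("targeted", TARGETED)):
        print(name, replay(traffic))
```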
How to Reduce Targeted Email Attacks
There are several ways to reduce targeted email attacks, but the two most effective methods are keyword filters with predictive analysis and “time-of-click” URL scanning.
Keyword Filters with Predictive Analysis
Most spam filter services have keyword filters that calculate a Spam Confidence Score based on the frequency of commonly-used “spam trigger words”. Some can also identify words with character substitutions that try to evade detection (e.g., ßuy, ƒree, vi@gra). When the Spam Confidence Score passes a pre-defined threshold, the email is quarantined or sent to a spam folder.
Keyword filters with predictive analysis capabilities use machine learning to familiarize themselves with the nature of content and language used in email communications. This enables the spam filter service to identify anomalies that could be masking threats and – depending on how this feature has been configured – it can send the email to a sandbox environment for human analysis.
“Time-of-Click” URL Scanning
Phishing is undoubtedly the most common targeted email attack, and to mitigate this threat many spam filter services scan embedded URLs as part of the filtering process. However, some cybercriminals are able to bypass the scan with IP traffic misdirection or cloak the destination phishing site, and some only weaponize the target site once an email has been delivered.
This means that a phishing email might be cleared as “safe” only for it to become a threat between the time of the URL scan and when the recipient clicks on an embedded link. Time-of-click URL scanning addresses this threat by scanning the destination URL before allowing the recipient to visit the destination site and blocking access to it if a threat is identified.
Finding the Best Spam Filter Service
It is becoming more common to find spam filter services that have a greylisting function, that use predictive analysis in the filtering process, or that support time-of-click URL scanning, but it is not common to find a spam filter service offering all three. For this reason, we suggest businesses take advantage of the free demo offered by SpamTitan.
SpamTitan is a leading vendor of spam filter services and offers both an on-premises and a cloud option. Furthermore, SpamTitan's spam filter service does not necessarily have to be used as a standalone service. Businesses can place SpamTitan in front of their existing service to take advantage of SpamTitan's capabilities.