Anti-spam software first appeared in the mid-1990s, when two software engineers began compiling a list of IP addresses from which unsolicited email had originated. The list was distributed as a Border Gateway Protocol (BGP) feed to subscribers of the “Mail Abuse Prevention System” (MAPS), and later evolved into the DNS-based Blackhole List (DNSBL), which mail servers query over ordinary DNS.
Almost 30 years on, the DNS-based Blackhole List (often called the Real-time Blackhole List, or “RBL”) is still the primary tool anti-spam software uses to spot unsolicited and unwanted email. Unfortunately, as spammers’ techniques have grown more sophisticated, RBL filters alone are no longer an adequate defense against email-borne threats such as malware, ransomware and phishing.
Modern anti-spam solutions employ a multi-layered approach to detect spam. The mechanisms in that approach differ between email service and software providers, but generally include a Real-time Blackhole List, Recipient Verification, Sender Policy Framework and a content analysis tool. Each mechanism works as follows:
Real-time Blackhole Lists: As noted above, a Real-time Blackhole List is a list of IP addresses from which spam is known to have originated. The receiving mail server looks up the connecting IP address in the list and, if it is listed, the email can be blocked on the strength of its “IP Reputation” (see the note on IP Reputation below).
Recipient Verification: Recipient Verification checks that the address an inbound email is sent to actually exists. If the business has no mailbox for the recipient (a mistyped or guessed address, for example), the email is rejected, sent to a quarantine folder or flagged, depending on how the business’s spam filter has been configured.
Sender Policy Framework: The Sender Policy Framework (SPF) mechanism checks whether the server delivering an inbound email on behalf of a domain is one of the hosts that domain’s administrators have published as authorized senders in the domain’s DNS records. It is an effective way to stop “spoofed emails”, in which the sender’s address is forged to look genuine. Note that SPF authenticates the envelope sender (the Return-Path), not the From address a user sees; DMARC builds on SPF and DKIM to require that the authenticated domain matches the visible From domain, and tells receiving servers what to do with mail that fails.
Content Analysis Tool: The vast majority of anti-spam solutions include a content analysis tool that reviews the headers and body of each email and rates it on how spam-like its characteristics are. These tools “learn” the probability of an email being legitimate or spam from user actions (such as marking a message as spam), typically using a method called “Bayesian Analysis”.
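To make the Sender Policy Framework check above concrete, here is an added example (not code from the original page or from any vendor) of how a receiving server evaluates an SPF record against the connecting IP address. Live DNS lookups are replaced by a constructed dictionary of TXT records; the domain names, addresses and records in it are made up for illustration, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
# A real evaluator resolves these with a DNS library; the records here
# are invented for the example (RFC 5737/3849 documentation addresses).
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_domain(mail_from):
    """SPF is evaluated on the SMTP MAIL FROM (Return-Path) domain, not the
    header From a user sees; that gap is what DMARC alignment closes."""
    return mail_from.rsplit("@", 1)[-1].lower()


def check_spf(domain, client_ip, lookups=FAKE_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the connecting client IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookups.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only if the referenced record yields "pass"
            matched = check_spf(arg, client_ip, lookups, depth + 1) == "pass"
        else:
            # a, mx, exists, ptr are not implemented in this example
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched and no "all" term
```

Running `check_spf(envelope_domain("bounces@example.org"), "203.0.113.7")` returns "fail" because the address is in neither the domain's own ip4 range nor the included record, and the record ends in "-all"; an address covered only by the included record passes. A compromised mailbox sending through the domain's real mail servers passes exactly the same way, which is why SPF on its own does not stop that case.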
One major change since the mid-1990s is that Real-time Blackhole Lists are now more sophisticated than they were. RBL agencies assign each IP address an “IP Reputation Score” based on factors including email open rates, click-through rates, spam complaints and hard bounces (emails returned to their senders because the domain name does not exist or the recipient is unknown).
Modern anti-spam solutions combine IP reputation scores with the ratings produced by content analysis tools to assign each email a “spam score”. System administrators set a “Spam Acceptance Threshold”, and if the spam score exceeds the threshold the email is rejected, quarantined or flagged, depending on how the business’s spam filter has been set up.
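The following added example (not code from the original page or from any anti-spam product) shows the layered scoring described above end to end: how an RBL lookup name is formed from the connecting IP address, a minimal Bayesian content classifier, and the combination of RBL result, IP reputation and content rating into one spam score compared against an administrator's threshold. The DNSBL zone, its answers, the training messages, the 0-100 reputation scale and the weights are all constructed for this example.

```python
import ipaddress
import math
import re


def dnsbl_query_name(client_ip, zone="dnsbl.example"):
    """Build the name a mail server looks up in an RBL/DNSBL: the connecting
    IPv4 address with its octets reversed, under the list's zone. A listed
    address answers with an A record (conventionally 127.0.0.x)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for the DNS answers a real list would return.
FAKE_DNSBL_ANSWERS = {"7.113.0.203.dnsbl.example": "127.0.0.2"}


def rbl_listed(client_ip, zone="dnsbl.example", answers=FAKE_DNSBL_ANSWERS):
    return dnsbl_query_name(client_ip, zone) in answers


TOKEN = re.compile(r"[a-z$0-9']+")


class NaiveBayesSpam:
    """Minimal Bayesian content filter: learns which tokens appear in
    labelled spam/ham messages and returns P(spam | message tokens)."""

    def __init__(self):
        self.spam_counts, self.ham_counts = {}, {}
        self.spam_msgs, self.ham_msgs = 0, 0

    def train(self, text, is_spam):
        counts = self.spam_counts if is_spam else self.ham_counts
        for tok in set(TOKEN.findall(text.lower())):
            counts[tok] = counts.get(tok, 0) + 1
        if is_spam:
            self.spam_msgs += 1
        else:
            self.ham_msgs += 1

    def spam_probability(self, text):
        # Assumes at least one spam and one ham message have been trained.
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for tok in set(TOKEN.findall(text.lower())):
            if tok not in self.spam_counts and tok not in self.ham_counts:
                continue  # never-seen tokens carry no evidence
            # Laplace smoothing stops a token seen in only one class from
            # forcing the probability to exactly 0 or 1.
            log_spam += math.log((self.spam_counts.get(tok, 0) + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_counts.get(tok, 0) + 1) / (self.ham_msgs + 2))
        diff = min(log_ham - log_spam, 700.0)  # guard math.exp overflow
        return 1.0 / (1.0 + math.exp(diff))


# Constructed training corpus, far smaller than a real filter would need.
TRAINING = [
    ("Claim your free prize now, click here to win $1000", True),
    ("Cheap meds, buy now, limited offer, free shipping", True),
    ("Urgent: your account is suspended, verify your password here", True),
    ("Minutes from Tuesday's project meeting attached", False),
    ("Can you review the quarterly budget spreadsheet before Friday?", False),
    ("Reminder: dentist appointment moved to 3pm", False),
]
CLASSIFIER = NaiveBayesSpam()
for _text, _label in TRAINING:
    CLASSIFIER.train(_text, _label)


def spam_score(client_ip, body, ip_reputation, classifier=CLASSIFIER):
    """Combine the layers into one spam score. The weights and the 0-100
    reputation scale (100 = best) are this example's assumptions."""
    score = 5.0 if rbl_listed(client_ip) else 0.0     # listed source: heavy penalty
    score += (100 - ip_reputation) / 25.0             # poor reputation: up to 4 points
    score += 6.0 * classifier.spam_probability(body)  # content rating: up to 6 points
    return round(score, 2)


def verdict(score, threshold=5.0, reject_margin=2.0):
    """Apply the administrator's Spam Acceptance Threshold."""
    if score >= threshold + reject_margin:
        return "reject"
    if score >= threshold:
        return "quarantine"
    return "deliver"
```

With these constructed inputs, a message from the listed address 203.0.113.7 with a reputation of 20 and a body such as "Click here to claim your free prize" scores well above the reject line, while a mail about meeting minutes from an unlisted address with a reputation of 95 stays far below the threshold. The point of the combination is that a clean IP alone does not earn delivery: a spam-like body from a never-before-seen address still accumulates score from the content layer.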
Unfortunately, Real-time Blackhole Lists alone are not a complete defense. Although email services and software providers regularly update their lists, RBLs only track known sources of spam and IP addresses with poor reputations. In most cases RBLs detect around 97%-98% of spam. Spammers frequently change their IP addresses and domains, and increasingly compromise legitimate email accounts with good reputations and use them for spamming. RBLs cannot block these previously unseen spam sources, so anti-spam solutions that lack more advanced features will let between 1% and 3% of spam emails through.
Most spam email is now sent by botnets from IP addresses with good reputations. This happens when a hacker has compromised a device and its Internet connection and uses command-and-control malware to send spam from the infected “zombie” device. The most recent Internet Security Threat Report from Symantec estimates that there are more than 98.6 million bot-infected zombie devices.
Sender Policy Framework checks can catch spam that forges a domain but is sent from a host the domain has not authorized; they cannot catch mail sent from a compromised account through that domain’s own legitimate mail servers, because such mail passes SPF. This gap often exposes companies to BEC and phishing attacks. Therefore, to secure networks effectively against email-based threats, companies need to use advanced anti-spam software from a specialist provider rather than relying on the basic spam filtering provided by their email service.
Outbound scanning is often neglected by businesses evaluating anti-spam software, but it is a vital feature. As mentioned previously, IP addresses are assigned a reputation score based on their history, and if spam, or an email carrying malware, is sent from a business’s mail server, it can damage the business’s IP reputation.
An email labelled spammy by a content analysis tool, or found to be carrying malware, does not necessarily mean the business’s network has been compromised by a botnet. It could be the result of an employee sending a series of emails containing spam-related keywords. Nonetheless, if enough recipient mail filters rate the email as spam, the business’s IP reputation will suffer to the point where all email sent from that IP address fails to be delivered. Outbound scanning identifies outgoing emails with a high spam score or containing malware and either deletes the email, quarantines it, or flags it to an administrator in a report.
Even the strongest anti-spam software will not block every phishing threat. Should an employee fall for a phishing scam and share their credentials, or should a threat actor obtain credentials by other means, the email account can be accessed and used to send phishing emails internally or to business contacts and customers. Outbound scanning helps spot these breaches quickly, allowing steps to be taken to mitigate the attack and limit the harm caused.
Outbound scanning also acts as a data loss prevention mechanism, identifying attempts by malicious insiders to send sensitive data externally, for example to personal email accounts. Spam filters allow tags to be applied to specific data types, such as Social Security numbers, to prevent messages containing those data types from leaving the organization.
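As an added illustration of the data loss prevention side of outbound scanning (example code written for this page, not taken from any product), the block below checks an outgoing message for Social Security numbers and quarantines it only when a recipient is outside the organization. The message, the domain names and the SSN values are constructed; the structural rules applied (area 001-899 excluding 666, group 01-99, serial 0001-9999) are the SSA's published format constraints, which is what keeps order numbers and other digit runs out of the quarantine queue.

```python
import re

# SSN shape with a consistent separator (hyphen or space, enforced by the
# backreference) and no adjacent digits/hyphens, so dates, phone numbers and
# longer digit strings do not match. Bare 9-digit runs are deliberately
# excluded in this example to keep false positives down.
SSN_SHAPE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")


def is_valid_ssn(area, group, serial):
    """Structural validity per SSA: area never 000, 666 or 900-999;
    group never 00; serial never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return the SSN-shaped substrings in text that pass the validity rules."""
    return [
        m.group(0)
        for m in SSN_SHAPE.finditer(text)
        if is_valid_ssn(m.group(1), m.group(3), m.group(4))
    ]


def scan_outbound(message, internal_domains):
    """Policy decision for an outbound message dict with keys 'from', 'to'
    (list of addresses) and 'body'. internal_domains is a set of lowercase
    domains that count as inside the organization."""
    external = [
        rcpt for rcpt in message["to"]
        if rcpt.rsplit("@", 1)[-1].lower() not in internal_domains
    ]
    ssns = find_ssns(message["body"])
    if ssns and external:
        action, reason = "quarantine", "ssn_to_external_recipient"
    elif ssns:
        action, reason = "deliver", "ssn_internal_only"
    else:
        action, reason = "deliver", "clean"
    return {
        "action": action,
        "reason": reason,
        "matches": len(ssns),
        "external_recipients": external,
    }


# Constructed sample message: two valid SSNs, one invalid area (987),
# one invalid area (000), a phone number and a date that must not match.
SAMPLE_MESSAGE = {
    "from": "alice@corp.example",
    "to": ["bob@corp.example", "alice.home@personalmail.example"],
    "body": (
        "Payroll export attached. Employees 123-45-6789 and 234 56 7890; "
        "test records 987-65-4321 and 000-12-3456. Call 555-123-4567, "
        "dated 2023-06-14."
    ),
}
INTERNAL_DOMAINS = {"corp.example"}

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_MESSAGE, INTERNAL_DOMAINS))
```

The same message addressed only to corp.example recipients is delivered with the reason "ssn_internal_only", so the filter records the sensitive content without blocking ordinary internal HR traffic; only the external personal address triggers quarantine.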
Most IT security specialists agree that the best way to stop spam reaching inboxes is to implement advanced anti-spam software and keep it up to date so that networks are protected against new malware variants. Where disagreement occurs, it usually concerns password management policies and how often, if ever, passwords should be changed.
Other disagreements concern how spam emails should be handled. Some IT specialists argue they should be deleted immediately; others say quarantining them first is the best step. There is also a school of thought that spam should be reported to RBL agencies, although the IP reputation calculations of Real-time Blackhole Lists tend to address this matter quite well.
Although each company will likely create its own policy for handling spam, it is important that employees are trained on how to deal with spam emails that evade detection and reach their inboxes. Given the threats that can be hidden in spam emails, employees should be shown how to:
Staff should also be trained to recognize potentially malicious emails.
Discussing the cost of spam in relation to a successful malware, ransomware or phishing attack quickly produces very large figures. IT security specialists put the cost of recovering from a successful malware attack at up to millions of dollars, while the FBI estimates that businesses worldwide have lost more than $12.5 billion since 2013 to successful Business Email Compromise (BEC) attacks, up from $5.3 billion as of December 2016.
Copyright © 2023 ComplianceHome