Our anti-spam guidance tips have been produced using experts who, despite their doing as much as possible, still encounter spam emails in their inboxes every day. Much of our advice for blocking spam emails also helps to stop malicious emails from being broadcast – those including malware or other email-borne attacks.
Some of our anti-spam tips are based on features that must come with spam filters by default – but not all are typically included. Others include measures you can implement yourself. Due to this, it is in your best interests to review the features you already have in place to spot spam, and then amend, add or substitute as necessary.
SMTP controls perform a range of functions and first-line tests. The most important is the “SMTP handshake” in which your inbound mail server will review for a HELO command, a Fully Qualified Hostname or a Resolvable Hostname. By using SMPT handshake protocols, your email filter will reject any email coming from an address with no DNS A or MX record.
The process for using SMTP handshake protocols requires a small change to your email server or spam filter, but it may be a requirement for you to create a whitelist of approved senders for suppliers or customers with incorrectly set up email servers to allow their emails to be accepted. Sadly, this is one of our anti-spam tips not suitable for Managed Service Providers.
Whether or not you have configured a third-party spam filter to protect your network, you will likely be using a Realtime Block List or RBL. A Realtime Block List is a blacklist including the IP addresses of servers known to be used for sharing spam emails and is present on every type of email filter from Outlook and Yahoo upwards.
The Realtime Block List compares every inbound email against the blacklist of known spam servers and rejects those that are included on the list. Typically, the Realtime Block List will block 70% to 90% of inbound emails. If you are being sent a high volume of spam email, the likelihood is that you Realtime Block List is not updating as it should and you should seek technical guidance.
Recipient Verification Inspection checks that each inbound email is addressed to an authentic recipient. Spammers often use addresses such as “info@” or “admin@” to get their emails opened by an unsuspecting end-user – possibly installing malware onto your network or generating a response from the end-user that leads to a breach of confidential data.
Recipient Verification Inspection can be enabled by uploading your valid email addresses to your mail server or spam filter. Like the two hints for reducing spam emails given above, Recipient Verification Inspection rejects spam email before it is installed, reducing the load on your email server and saving bandwidth.
The majority of computer users are conscious of the risks of downloading .exe files, so spammers rarely share malware via an attachment with an .exe extension. Instead they hide the payload file within an image, spreadsheet, document or PDF file, or change the extension name to bypass filtering mechanisms.
It is not practical to prevent every possible type of attachment that could be harboring malware but, with MIME filtering software, you can prevent the attachments most frequently associated with malicious code (.exe, .bat, .scr, etc.) and quarantine others that would usually be sent and received via secure file sharing facilities such as Dropbox and Google Drive.
As well as carrying viruses, inbound email can contain links to exploited websites and websites built to run phishing campaigns. Therefore, one of our anti-spam tips relating to mitigating risks from web-borne threats is that, whatever inbound mail antivirus software you use ensures it has malicious URL blocking and phishing protection (tip: not all antivirus software performs these functions).
Malicious URL blocking and phishing protection deploys “URIBL” and “SURBL” protocols to compare links contained within emails against a worldwide blacklist of domain names frequently found in unsolicited bulk email and known phishing sites. These mechanisms blockt any email containing a malicious URL or link to a phishing website to protect your group from fraud and theft.
Undoubtedly all individuals and organizations will have some form of antivirus software already protecting their network. However proprietary antivirus software usually works retrospectively – identifying malware once it has been downloaded. Consequently it is advised that you implement secondary antivirus software to scan inbound and outbound mail.
The importance of reviewing outbound mail (for spam as well as for viruses) is that some system administrators set their spam filters parameters to “over-zealous”. If emails coming from your IP address are too often identified as being infected (or containing spam), you could find the IP address added to a Realtime Block List and all your outbound emails blocked by their recipients.
Bayesian Analysis is a tool that uses a spam pattern library that identifies trends in spam emails. A spam pattern library includes a large database of recent and historical spam provided by the spam-fighting community, and Bayesian Analysis leverages this data – along with potentially dangerous attachment types and identified dangerous URLs – to reject emails falling beneath an acceptance level.
Instead of being a static mechanism, Bayesian Analysis “learns” to spot new spamming techniques and “forgets” old spam patterns than may now block authentic emails. The review can be improved if you correct false positives (genuine emails rejected/blocked in error) as they occur, and instruct your end-users to tag any spam that gets around your filter.
Some – but not all – spam filters can set spam acceptance thresholds by individual user, user-group or universally. In some instances it may be necessary for system administrators to apply different settings for different user-groups in order to enhance the effectiveness of the anti-spam filtering solution.
An instance in which this feature may be required is when a company’s sales team are sent leads by email. Like all sales leads, these leads need to be acted upon quickly, so it is important they are not quarantined as spam and it may be required to apply a lower spam acceptance threshold for the sales department than – for example – the finance department.
We have kept one of the most important tips for reducing spam emails until the end – Greylisting. Most of the mechanisms listed in our anti-spam tips rely on spitting identifying “known” sources of spam to reject inbound emails. However, spammers are constantly trying to bypass filtering mechanisms by using new or “unknown” sources from which to share spam.
Greylisting works by asking for the sender’s server to send the email again. Normally, hackers’ servers are too busy sending out spam emails to respond to the request and, after a period of time without receiving the resent email, the Greylisting function rejects the email as spam.
Greylisting blocks almost 100% of spam emails.
It was referred to above that some system administrators set their spam filter parameters to “over-zealous”. Even though this may be a slight exaggeration, different groups will have different spam acceptance thresholds depending on the nature of their company. Spam filters give a score to each inbound email based on its content, and it is up to system managers to determine an appropriate score.
Identifying the optimum level of filtering to reduce spam and false positives to a minimum level can take a little trial and error. Most vendors of spam filtering solutions and service providers allow groups a trial period to evaluate the solution/service. You should use this time to find an appropriate acceptance threshold and fine-tune as necessary as you become more familiar with the filter.
Copyright © 2020 ComplianceHome