Spam Virus Anti Filter

The strength of a spam antivirus filter can vary massively depending on the mechanisms used to identify spam and malware, and the order in which the mechanisms are used.

Even the checks performed by the antivirus software used in the filtering solution can make the difference between malware being flagged as a threat and being allowed into your group’s network.

These multiple factors can create headaches for groups evaluating the effectiveness of spam filtering solutions. Spam filtering solutions often mention how good they are at “x”, but not necessarily “y” or “z”. Unless a group knows every factor that contributes to an effective spam antivirus filter, the scenario exists whereby they may select a solution that creates more issues than it solves.

A spam antivirus filter has many different mechanisms to detect spam and malware because spammers and hackers use a variety of methods to share malicious emails. No single tool or process can eliminate all spam and malware attacks, so spam filtering solutions have a multilayered and multifaceted approach to filtering inbound emails in order to identify those which are dangerous.

Because of the number of processes used to filter inbound emails, the order in which the mechanisms are applied is crucial for preventing queues forming on the mail server. Front end tests such as comparisons against Realtime Blackhole Lists, Sender Policy Framework (SPF) records, and SMTP controls quickly determine whether an email is spam before the remaining emails pass through a more intensive process that scans messages and attachments for viruses.

The antivirus software used to review email and attachments should have malicious URL blocking and phishing protection. Malicious URLs disguised within emails and their attachments – and phishing attacks – are now bigger threats to groups’ online security than rootkits, adware and spyware. Without these tools, a spam antivirus filter is not fully effective.

The front end tests completed by a spam antivirus filter are based upon “known” spammers and their IP addresses. As a result, spam sent from a new source is not necessarily picked up by the front end tests. Leading spam filtering solutions have extra “second-wave” features to identify spam from previously unknown sources: “Bayesian Analysis” and “Greylisting”.

Bayesian Analysis reviews the content of an email for words regularly associated with spam, and for attempts to disguise those words. For instance, a hacker may send an email with the title “VVin α þrize”: two “V”s standing in for the “W” of “Win”, the Greek letter “α” for “a”, and the Icelandic letter for “th” (thorn) for the “P” of “Prize”. Some spam filtering solutions would not recognize the title as a potential threat and would pass the email through to its intended recipient.

However, Bayesian Analysis would recognize the rather weak attempt to avoid spam detection and send the email for Greylisting. This process involves sending the email back to the sender’s server and asking for it to be sent again. Because hackers’ servers are too busy sending out emails, the request to resend the email is not completed. The “VVin α þrize” email is then classified as spam and quarantined. In this way, the two steps stop spam from previously unknown sources from bypassing detection.
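To make the “VVin α þrize” case concrete, here is an added toy example (not code from the original article or any product it describes): a naive Bayesian scorer that first folds look-alike characters back to plain letters so that the disguised words still match the spam vocabulary. The confusable table and the tiny training corpus are constructed for illustration.

```python
import math
import re
import unicodedata
from collections import Counter

# Constructed table of look-alike glyphs spammers substitute for Latin letters.
# Hypothetical and deliberately small; a real filter would use a full confusables list.
CONFUSABLES = {"vv": "w", "α": "a", "þ": "p", "0": "o", "$": "s", "@": "a"}

def normalize(text, fold=True):
    """Lower-case, strip accents and (optionally) undo glyph substitutions."""
    text = unicodedata.normalize("NFKD", text).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    if fold:
        for fake, real in CONFUSABLES.items():
            text = text.replace(fake, real)
    return text

def tokens(text, fold=True):
    return re.findall(r"[a-z]+", normalize(text, fold))

# Constructed training corpus: a few labelled subject lines of each class.
SPAM = ["win a prize now", "free prize claim now", "win cash prize", "free money now"]
HAM = ["meeting notes attached", "see the report attached",
       "lunch on friday", "project status update"]

def train(spam, ham):
    """Document frequency of each token per class, plus class sizes."""
    spam_df, ham_df = Counter(), Counter()
    for msg in spam:
        spam_df.update(set(tokens(msg)))
    for msg in ham:
        ham_df.update(set(tokens(msg)))
    return spam_df, ham_df, len(spam), len(ham)

def spam_probability(text, model, fold=True):
    """Naive Bayes with Laplace smoothing; returns P(spam | tokens)."""
    spam_df, ham_df, n_spam, n_ham = model
    log_odds = math.log(n_spam / n_ham)  # prior
    for tok in set(tokens(text, fold)):
        p_tok_spam = (spam_df[tok] + 1) / (n_spam + 2)
        p_tok_ham = (ham_df[tok] + 1) / (n_ham + 2)
        log_odds += math.log(p_tok_spam / p_tok_ham)
    return 1 / (1 + math.exp(-log_odds))

MODEL = train(SPAM, HAM)

if __name__ == "__main__":
    for subject in ["VVin α þrize", "meeting notes attached"]:
        print(subject, "folded:", round(spam_probability(subject, MODEL), 3),
              "unfolded:", round(spam_probability(subject, MODEL, fold=False), 3))
```

With folding the disguised title scores 0.96 spam; without it the tokens “vvin” and “rize” are unknown to the model and the score stays at the 0.5 prior, which is exactly the gap the obfuscation is meant to exploit.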